crypto: support EC private keys

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1324

Makefile.am

@@ -1634,6 +1634,8 @@ EXTRA_DIST += \
 	src/libnm-core-impl/tests/certs/test2_key_and_cert.pem \
 	src/libnm-core-impl/tests/certs/test-aes-128-key.pem \
 	src/libnm-core-impl/tests/certs/test-aes-256-key.pem \
+	src/libnm-core-impl/tests/certs/test-aes-128-ec-key.pem \
+	src/libnm-core-impl/tests/certs/test-aes-256-ec-key.pem \
 	src/libnm-core-impl/tests/certs/test_ca_cert.der \
 	src/libnm-core-impl/tests/certs/test_ca_cert.pem \
 	src/libnm-core-impl/tests/certs/test-ca-cert.pem \
@@ -1642,6 +1644,8 @@ EXTRA_DIST += \
 	src/libnm-core-impl/tests/certs/test-key-and-cert.pem \
 	src/libnm-core-impl/tests/certs/test-key-only-decrypted.der \
 	src/libnm-core-impl/tests/certs/test-key-only-decrypted.pem \
+	src/libnm-core-impl/tests/certs/test-ec-key-only-decrypted.der \
+	src/libnm-core-impl/tests/certs/test-ec-key-only-decrypted.pem \
 	src/libnm-core-impl/tests/certs/test-key-only.pem \
 	src/libnm-core-impl/tests/certs/test-tpm2wrapped-key.pem \
 	src/libnm-core-impl/tests/nm-core-tests-enum-types.c.template \

src/libnm-core-impl/tests/certs/test-aes-128-ec-key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,D6E024FACA9CFFE6B0296EBC848BC80C
+
+vOzvGfSmNKRGMxIlB474A3ZHYqNj0NEuJQxEYV2roY+kAWN4+zdk7I+dbGRbjlgz
+lS0NBIrTEmyPugYEWnaccxKfTTJz5U1OxT/AZVVmJuD/5lh2H2qZUkFs6d10X5zd
+0gsn6OwV+2j9rrWyEcgH8WOwqgiN+LaWihLhGMKaWI0=
+-----END EC PRIVATE KEY-----

src/libnm-core-impl/tests/certs/test-aes-256-ec-key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,8337BC213C3280DC1884C61562719552
+
+Kcdf9l8gAMkN1fb0PGpFRD1VQIGQbB55yCBLMwRBbG1XQ9rVjnP+Zl0CdDzncKXt
+yLFpAAgNUahsaVJyc8/suKl8pj2VfJK8m0NUIrWWQu/KyaFTS6I30hwLJ0WATBMm
+GMb2CiAqlk6U+EqtZxNmgf6SCEGUV/oTCF0AqNFKiXM=
+-----END EC PRIVATE KEY-----

src/libnm-core-impl/tests/certs/test-ec-key-only-decrypted.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPw/e9RgNcs2cMrKn+KnxNCGC1UrcOH9S0xm5e1GxJqRoAoGCCqGSM49
+AwEHoUQDQgAEbA5LlfyjMwuyuIcBr+fk1l71EKC6NttJCGjXGexUOTGsjhVgXHjT
+cc2EohzF94Zs4EjYce3aQe4YsA11YMuRaQ==
+-----END EC PRIVATE KEY-----

src/libnm-core-impl/tests/test-crypto.c

@@ -111,7 +111,7 @@ test_load_private_key(const char *path,
 
     array = nmtst_crypto_decrypt_openssl_private_key(path, password, &key_type, &error);
     /* Even if the password is wrong, we should determine the key type */
-    g_assert_cmpint(key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
+    g_assert_cmpint(key_type, !=, NM_CRYPTO_KEY_TYPE_UNKNOWN);
 
     if (expected_error != -1) {
         g_assert(array == NULL);
@@ -226,7 +226,7 @@ test_encrypt_private_key(const char *path, const char *password)
 
     array = nmtst_crypto_decrypt_openssl_private_key(path, password, &key_type, &error);
     nmtst_assert_success(array, error);
-    g_assert_cmpint(key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
+    g_assert_cmpint(key_type, !=, NM_CRYPTO_KEY_TYPE_UNKNOWN);
 
     /* Now re-encrypt the private key */
     encrypted = nmtst_crypto_rsa_key_encrypt(g_bytes_get_data(array, NULL),
@@ -244,7 +244,7 @@ test_encrypt_private_key(const char *path, const char *password)
                                                                  &key_type,
                                                                  &error);
     nmtst_assert_success(re_decrypted, error);
-    g_assert_cmpint(key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
+    g_assert_cmpint(key_type, !=, NM_CRYPTO_KEY_TYPE_UNKNOWN);
 
     /* Compare the original decrypted key with the re-decrypted key */
     g_assert(g_bytes_equal(array, re_decrypted));
@@ -452,12 +452,21 @@ main(int argc, char **argv)
     g_test_add_data_func("/libnm/crypto/key/aes-128",
                          "test-aes-128-key.pem, test-aes-password",
                          test_key);
+    g_test_add_data_func("/libnm/crypto/key/aes-128-ec",
+                         "test-aes-128-ec-key.pem, test-aes-password",
+                         test_key);
     g_test_add_data_func("/libnm/crypto/key/aes-256",
                          "test-aes-256-key.pem, test-aes-password",
                          test_key);
+    g_test_add_data_func("/libnm/crypto/key/aes-256-ec",
+                         "test-aes-256-ec-key.pem, test-aes-password",
+                         test_key);
     g_test_add_data_func("/libnm/crypto/key/decrypted",
                          "test-key-only-decrypted.pem",
                          test_key_decrypted);
+    g_test_add_data_func("/libnm/crypto/key/decrypted-ec",
+                         "test-ec-key-only-decrypted.pem",
+                         test_key_decrypted);
 
     g_test_add_data_func("/libnm/crypto/PKCS#12/1", "test-cert.p12, test", test_pkcs12);
     g_test_add_data_func("/libnm/crypto/PKCS#12/2", "test2-cert.p12, 12345testing", test_pkcs12);

src/libnm-crypto/nm-crypto.c

@@ -25,6 +25,9 @@
 #define PEM_DSA_KEY_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
 #define PEM_DSA_KEY_END   "-----END DSA PRIVATE KEY-----"
 
+#define PEM_EC_KEY_BEGIN "-----BEGIN EC PRIVATE KEY-----"
+#define PEM_EC_KEY_END   "-----END EC PRIVATE KEY-----"
+
 #define PEM_CERT_BEGIN "-----BEGIN CERTIFICATE-----"
 #define PEM_CERT_END   "-----END CERTIFICATE-----"
 
@@ -201,6 +204,10 @@ parse_old_openssl_key_file(const guint8       *data,
         key_type  = NM_CRYPTO_KEY_TYPE_DSA;
         start_tag = PEM_DSA_KEY_BEGIN;
         end_tag   = PEM_DSA_KEY_END;
+    } else if (find_tag(PEM_EC_KEY_BEGIN, data, data_len, 0, &start)) {
+        key_type  = NM_CRYPTO_KEY_TYPE_EC;
+        start_tag = PEM_EC_KEY_BEGIN;
+        end_tag   = PEM_EC_KEY_END;
     } else {
         g_set_error(error,
                     _NM_CRYPTO_ERROR,

src/libnm-crypto/nm-crypto.h

@@ -29,7 +29,8 @@ const NMCryptoCipherInfo *nm_crypto_cipher_get_info_by_name(const char *cipher_n
 typedef enum {
     NM_CRYPTO_KEY_TYPE_UNKNOWN = 0,
     NM_CRYPTO_KEY_TYPE_RSA,
-    NM_CRYPTO_KEY_TYPE_DSA
+    NM_CRYPTO_KEY_TYPE_DSA,
+    NM_CRYPTO_KEY_TYPE_EC,
 } NMCryptoKeyType;
 
 typedef enum {