greenbone · timopollmeier · Nov 11, 2020 · Nov 10, 2020 · Nov 10, 2020 · Nov 10, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -46,6 +46,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Do not inherit settings from deleted users [#1328](https://github.com/greenbone/gvmd/pull/1328)
 - Delete TLS certificate sources when deleting users [#1334](https://github.com/greenbone/gvmd/pull/1334)
 - Fix SQL errors in SCAP and CERT update [#1343](https://github.com/greenbone/gvmd/pull/1343)
+- Check private key when modifying credential [#1351](https://github.com/greenbone/gvmd/pull/1351)
 
 ### Removed
 - Remove DROP from vulns creation [#1281](http://github.com/greenbone/gvmd/pull/1281)

diff --git a/src/gmp.c b/src/gmp.c
@@ -267,48 +267,6 @@ check_certificate (const char *cert_str, const char *credential_type)
     return check_certificate_x509 (cert_str);
 }
 
-/**
- * @brief Check that a string represents a valid Private Key.
- *
- * @param[in]  key_str      Private Key string.
- * @param[in]  key_phrase   Private Key passphrase.
- *
- * @return 0 if valid, 1 otherwise.
- */
-static int
-check_private_key (const char *key_str, const char *key_phrase)
-{
-  gnutls_x509_privkey_t key;
-  gnutls_datum_t data;
-  int ret;
-
-  assert (key_str);
-  if (gnutls_x509_privkey_init (&key))
-    return 1;
-  data.size = strlen (key_str);
-  data.data = (void *) g_strdup (key_str);
-  ret = gnutls_x509_privkey_import2 (key, &data, GNUTLS_X509_FMT_PEM,
-                                     key_phrase, 0);
-  if (ret)
-    {
-      gchar *public_key;
-      public_key = gvm_ssh_public_from_private (key_str, key_phrase);
-
-      if (public_key == NULL)
-        {
-          gnutls_x509_privkey_deinit (key);
-          g_free (data.data);
-          g_message ("%s: import failed: %s",
-                     __func__, gnutls_strerror (ret));
-          return 1;
-        }
-      g_free (public_key);
-    }
-  g_free (data.data);
-  gnutls_x509_privkey_deinit (key);
-  return 0;
-}
-
 /**
  * @brief Check that a string represents a valid Public Key.
  *

diff --git a/src/manage.h b/src/manage.h
@@ -1976,6 +1976,9 @@ typedef enum
   CREDENTIAL_FORMAT_ERROR = -1  /// Error / Invalid format
 } credential_format_t;
 
+int
+check_private_key (const char *, const char *);
+
 gboolean
 find_credential_with_permission (const char*, credential_t*, const char*);
 

diff --git a/src/manage_sql.c b/src/manage_sql.c
@@ -51,6 +51,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <glib/gstdio.h>
+#include <gnutls/x509.h>
 #include <malloc.h>
 #include <pwd.h>
 #include <stdlib.h>
@@ -33762,6 +33763,48 @@ check_db_encryption_key ()
   return 0;
 }
 
+/**
+ * @brief Check that a string represents a valid Private Key.
+ *
+ * @param[in]  key_str      Private Key string.
+ * @param[in]  key_phrase   Private Key passphrase.
+ *
+ * @return 0 if valid, 1 otherwise.
+ */
+int
+check_private_key (const char *key_str, const char *key_phrase)
+{
+  gnutls_x509_privkey_t key;
+  gnutls_datum_t data;
+  int ret;
+
+  assert (key_str);
+  if (gnutls_x509_privkey_init (&key))
+    return 1;
+  data.size = strlen (key_str);
+  data.data = (void *) g_strdup (key_str);
+  ret = gnutls_x509_privkey_import2 (key, &data, GNUTLS_X509_FMT_PEM,
+                                     key_phrase, 0);
+  if (ret)
+    {
+      gchar *public_key;
+      public_key = gvm_ssh_public_from_private (key_str, key_phrase);
+
+      if (public_key == NULL)
+        {
+          gnutls_x509_privkey_deinit (key);
+          g_free (data.data);
+          g_message ("%s: import failed: %s",
+                     __func__, gnutls_strerror (ret));
+          return 1;
+        }
+      g_free (public_key);
+    }
+  g_free (data.data);
+  gnutls_x509_privkey_deinit (key);
+  return 0;
+}
+
 /**
  * @brief Find a credential for a specific permission, given a UUID.
  *
@@ -34665,12 +34708,26 @@ modify_credential (const char *credential_id,
         {
           if (key_private_to_use || password)
             {
+              if (check_private_key (key_private_truncated
+                                      ? key_private_to_use
+                                      : credential_iterator_private_key
+                                         (&iterator),
+                                     password
+                                      ? password
+                                      : credential_iterator_password
+                                         (&iterator)))
+                {
+                  sql_rollback ();
+                  cleanup_iterator (&iterator);
+                  return 8;
+                }
+
               set_credential_private_key
                 (credential,
                  key_private_truncated
                   ? key_private_to_use
                   : credential_iterator_private_key (&iterator),
-                password
+                 password
                   ? password
                   : credential_iterator_password (&iterator));
             }