pkey: use OSSL_DECODER to load encrypted PEM on OpenSSL 3.0 #479
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PEM-encoded private keys are sometimes stored together with irrelevant PEM blocks, such as the corresponding X.509 certificate. PEM_read_bio_*() family automatically skips unknown PEM blocks, but on OpenSSL 3.0 we will be using the new OSSL_DECODER API instead due to some breaking changes around the password callback. Let's add a test case so that we won't break the current behavior.
OpenSSL 3.0 has rewritten routines to load pkeys (PEM_read_bio_* and d2i_* functions) around the newly introduced OSSL_DECODER API. This comes with a slight behavior change. They now decrypt and parse each encountered PEM block, then check the kind of the block. This used to be the reverse: they checked the PEM header to see the kind, and then decrypted the content. This means that the password callback may now be called repeatedly. Let's use the OSSL_DECODER API directly on OpenSSL 3.0 so that the return value from the password callback will be reused automatically.
|
It is tested locally on OpenSSL 3.0.0. GitHub Actions will be set up later because the test suite still hangs. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OpenSSL 3.0 has rewritten routines to load pkeys (PEM_read_bio_* and
d2i_* functions) around the newly introduced OSSL_DECODER API.
This comes with a slight behavior change. They now decrypt and parse
each encountered PEM block, then check the kind of the block. This used
to be the reverse: they checked the PEM header to see the kind, and then
decrypted the content. This means that the password callback may now be
called repeatedly.
Let's use the OSSL_DECODER API directly on OpenSSL 3.0 so that the
return value from the password callback will be reused automatically.
This is part of #369 (Support OpenSSL 3.0). The patch was originally submitted in #399.