git.ipfire.org Git - thirdparty/openssl.git/commit

author	slontis <shane.lontis@oracle.com>
	Wed, 20 Nov 2024 01:39:35 +0000 (12:39 +1100)
committer	Tomas Mraz <tomas@openssl.org>
	Fri, 29 Nov 2024 16:11:43 +0000 (17:11 +0100)
commit	e7f729072e4d667a44b8386c4a056109980ab97a
tree	acf82010cb49ee2c91ed0a773c3ea1d8b90f171f	tree \| snapshot
parent	7de1da22abf050bf8ed01e4848fe0f2a5b279bc4	commit \| diff

Fix EVP_PKEY_print_private() so that it works with non default providers.

At some point in time it was decided that the EC keymanagers ec_export()
function would only allow the selection to be both the public + private
parts. If just the private element is selected it returns an error.
Many openssl commandline apps use EVP_PKEY_print_private() which passes
EVP_PKEY_PRIVATE_KEY to the encoder. This selection propagates to
encoder_construct_pkey(). For external providers (such as the fips
provider this will call the keymanagers export() with the selection set
to just the private part.

So we either need to
1) change the selection in EVP_PKEY_print_private() or
2) modify the selection used in the export used in
encoder_construct_pkey
3) Change the ec_export to allow this.

I have chosen 2) but I am not sure if this is the correct thing to do
or whether it should conditionally do this when the output_type ==
'text'.

Issue was reported by Ilia Okomin (Oracle).

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26004)

(cherry picked from commit 79c98fc6ccab49f02528e06cc046ac61f841a753)

crypto/encode_decode/encoder_pkey.c		diff \| blob \| blame \| history
test/recipes/04-test_encoder_decoder.t		diff \| blob \| blame \| history