APPS: pkeyparam: Support setting properties

The -provider and -propquery options did not work on pkeyparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c
index 3722be4bf67bd7f3a4cb5486307a71fd2fa48352..4fefe69e6b3cd334f57e19db7baeeaab690620d9 100644 (file)
--- a/apps/pkeyparam.c
+++ b/apps/pkeyparam.c
@@ -100,7 +100,8 @@ int pkeyparam_main(int argc, char **argv)
     out = bio_open_default(outfile, 'w', FORMAT_PEM);
     if (out == NULL)
         goto end;
-    pkey = PEM_read_bio_Parameters(in, NULL);
+    pkey = PEM_read_bio_Parameters_ex(in, NULL, app_get0_libctx(),
+                                      app_get0_propq());
     if (pkey == NULL) {
         BIO_printf(bio_err, "Error reading parameters\n");
         ERR_print_errors(bio_err);
@@ -108,7 +109,11 @@ int pkeyparam_main(int argc, char **argv)
     }
 
     if (check) {
-        ctx = EVP_PKEY_CTX_new(pkey, e);
+        if (e == NULL)
+            ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey,
+                                             app_get0_propq());
+        else
+            ctx = EVP_PKEY_CTX_new(pkey, e);
         if (ctx == NULL) {
             ERR_print_errors(bio_err);
             goto end;

diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t
index 17ee9e2d98b90804402e309be0db11a98b389e23..37bf620f35ee0283a1747f9210bb5965631b8222 100644 (file)
--- a/test/recipes/15-test_ecparam.t
+++ b/test/recipes/15-test_ecparam.t
@@ -119,7 +119,7 @@ subtest "Check pkeyparam does not change the parameter file on output" => sub {
 subtest "Check loading of fips and non-fips params" => sub {
     plan skip_all => "FIPS is disabled"
         if $no_fips;
-    plan tests => 6;
+    plan tests => 8;
 
     my $fipsconf = srctop_file("test", "fips-and-base.cnf");
     my $defaultconf = srctop_file("test", "default.cnf");
@@ -141,6 +141,11 @@ subtest "Check loading of fips and non-fips params" => sub {
                 '-check'])),
        "Fail loading named non-fips curve");
 
+    ok(!run(app(['openssl', 'pkeyparam',
+                '-in', data_file('valid', 'secp112r1-named.pem'),
+                '-check'])),
+       "Fail loading named non-fips curve using pkeyparam");
+
     ok(run(app(['openssl', 'ecparam',
                 '-provider', 'default',
                 '-propquery', '?fips!=yes',
@@ -149,6 +154,14 @@ subtest "Check loading of fips and non-fips params" => sub {
        "Loading named non-fips curve in FIPS mode with non-FIPS property".
        " query");
 
+    ok(run(app(['openssl', 'pkeyparam',
+                '-provider', 'default',
+                '-propquery', '?fips!=yes',
+                '-in', data_file('valid', 'secp112r1-named.pem'),
+                '-check'])),
+       "Loading named non-fips curve in FIPS mode with non-FIPS property".
+       " query using pkeyparam");
+
     ok(!run(app(['openssl', 'ecparam',
                 '-genkey', '-name', 'secp112r1'])),
        "Fail generating key for named non-fips curve");