From 5619a61829fa50063f53fe3d406683faf8f43900 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 6 Nov 2024 18:07:11 +0100
Subject: [PATCH] openssl-util: Set expected object type to private keys

Configures the store to only try to fetch private keys and nothing else.
---
 src/shared/openssl-util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 5688d541141..914f30989bb 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -1340,6 +1340,9 @@ static int load_key_from_provider(
 if (!store)
 return log_openssl_errors("Failed to open OpenSSL store via '%s'", private_key_uri);
 
+ if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY) == 0)
+ return log_openssl_errors("Failed to filter store by private keys");
+
 _cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
 if (!info)
 return log_openssl_errors("Failed to load OpenSSL store via '%s'", private_key_uri);
-- 
2.47.3
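Review bot: The failure message on the new `OSSL_STORE_expect()` branch omits the URI that the open and load messages on either side of it include, so a log line from this path does not identify which store was being filtered; `return log_openssl_errors("Failed to filter OpenSSL store via '%s' by private keys", private_key_uri);` would match them. The call also carries an ordering constraint worth recording, since OpenSSL refuses `OSSL_STORE_expect()` once loading has started: `/* Must precede OSSL_STORE_load(): limits the store to private-key objects, other object types at the URI are skipped. */`. The type filter narrows what the store hands back, but it presumably does not replace validating the extracted key later in `load_key_from_provider()`, whose body starts and ends outside this hunk.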