openssl-util: Set expected object type to private keys

Configures the store to only try to fetch private keys and nothing
else.

diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 5688d5411412d0191a215e8ad6caac0df3f2bafd..914f30989bb127be8fa21006897833a28d9b8f05 100644 (file)
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -1340,6 +1340,9 @@ static int load_key_from_provider(
         if (!store)
                 return log_openssl_errors("Failed to open OpenSSL store via '%s'", private_key_uri);
 
+        if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY) == 0)
+                return log_openssl_errors("Failed to filter store by private keys");
+
         _cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
         if (!info)
                 return log_openssl_errors("Failed to load OpenSSL store via '%s'", private_key_uri);