OpenSSL 3 support for loading engine keys #723
Comments
Related to #722. Could you tell us which engine you are using?

Hello, Currently it is in the process of migrating to openssl 3 but it's still incomplete. GOST-engine maintainer has recommended to load private keys using
Here's an example with a private key which

openssl req -x509 -newkey gost2012_256 -pkeyopt paramset:A -nodes -keyout gost_private.pem -out gost_cert.crt -subj "/C=RU/ST=Test/L=Test/O=Test/OU=Test/CN=example.com"
openssl pkey -in ../gost_private.pem -check

For now I am using this to accomplish compatibility with engine provided keys, i.e. trying to read the key using the old way in addition to currently used way.

I reproduced the error using the gost engine with OpenSSL 3.2. According to https://github.com/gost-engine/engine/blob/e0a500ab877ba72cb14026a24d462dd923b90ced/README.prov.md, pkeys haven't been ported to a provider and are only implemented through the legacy engine interface.
OpenSSL::PKey.read currently entirely relies on the OSSL_DECODER API. This API apparently doesn't take care of legacy pkeys (i.e., not backed by a provider). I've overlooked it.
openssl/ext/openssl/ossl_pkey.c Lines 82 to 181 in 043c503
It looks like we have to fall back to legacy PEM decoding with EVP_PKEY_ASN1_METHOD if OSSL_DECODER fails.

OpenSSL 3 still supports loading engines and some engines still haven't migrated to using providers.
In such cases it is possible to continue using engines. They can be loaded using OpenSSL's config file.
Previously I could load a private key (provided by custom engine) like so
But now even though engine is loaded the same command returns Could not parse PKey (OpenSSL::PKey::PKeyError).
Using OpenSSL::PKey.new_raw_private_key also did not help.
Locally installing ruby/openssl and reverting ossl_pkey_read_generic in ossl_pkey.c to the previous version (before openssl 3 support) did help, but this method is not viable for production.
Is it possible to provide some way to load such keys?
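
A triage helper for the error reported in this issue, as an added example that is not part of the thread or of ruby/openssl: when OpenSSL::PKey.read raises PKeyError, it checks whether the PEM is still a well-formed PKCS#8 PrivateKeyInfo and reports the algorithm OID, which separates a corrupt file from a key whose algorithm the decoder does not handle. The function names, status symbols and the all-zero sample key (GOST R 34.10-2012 256-bit OID, parameters omitted) are constructed for illustration.

```ruby
require "openssl"

# PKCS#8 PrivateKeyInfo ::= SEQUENCE { version INTEGER,
#   privateKeyAlgorithm SEQUENCE { algorithm OID, ... },
#   privateKey OCTET STRING }
# Returns the dotted algorithm OID, or nil if the PEM is not unencrypted PKCS#8.
def pkcs8_algorithm_oid(pem)
  m = pem.match(/-----BEGIN PRIVATE KEY-----\r?\n(.*?)-----END PRIVATE KEY-----/m)
  return nil unless m
  info = OpenSSL::ASN1.decode(m[1].unpack1("m"))
  return nil unless info.is_a?(OpenSSL::ASN1::Sequence)
  alg = info.value[1]
  return nil unless alg.is_a?(OpenSSL::ASN1::Sequence)
  oid = alg.value[0]
  oid.is_a?(OpenSSL::ASN1::ObjectId) ? oid.oid : nil
rescue OpenSSL::ASN1::ASN1Error
  nil
end

# Hypothetical helper: classify why a private key PEM does or does not load.
def triage_private_key(pem)
  # An explicit empty password keeps a non-interactive job from stopping
  # at a passphrase prompt if the input looks encrypted.
  key = OpenSSL::PKey.read(pem, "")
  { status: :loaded, detail: key.class.name }
rescue OpenSSL::PKey::PKeyError
  oid = pkcs8_algorithm_oid(pem)
  if oid
    # Structure is valid, so the decoder rejected the algorithm or key body.
    { status: :wellformed_pkcs8_rejected, detail: oid }
  else
    { status: :not_pkcs8, detail: nil }
  end
end

# Constructed sample: PKCS#8 wrapper carrying the GOST R 34.10-2012 (256-bit)
# algorithm OID with an all-zero placeholder key body. Not a usable key.
def constructed_gost_pkcs8_pem
  alg = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::ObjectId.new("1.2.643.7.1.1.1.1")]
  )
  info = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::Integer.new(0), alg,
     OpenSSL::ASN1::OctetString.new("\x00" * 32)]
  )
  "-----BEGIN PRIVATE KEY-----\n#{[info.to_der].pack('m')}-----END PRIVATE KEY-----\n"
end

p triage_private_key(constructed_gost_pkcs8_pem) if $PROGRAM_NAME == __FILE__
```

A `:wellformed_pkcs8_rejected` result with an OID the deployment expects to support points at missing provider or engine coverage rather than a damaged key file.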