openssl: Broken: ECC public key retrieval from a cert - X509_get0_pubkey(cert)->ameth is NULL
OpenSSL - current master. MacOS 11.4, Xcode-12.5.1, libp11 - current master. Not that any of this version data matters.
ECC public key retrieval from a certificate via X509_get0_pubkey() is broken (incomplete): X509_get0_pubkey(cert)->ameth remains NULL no matter what.
This problem manifests itself in https://github.com/OpenSC/libp11 (the issue there is https://github.com/OpenSC/libp11/issues/413).
For details see https://github.com/OpenSC/libp11/issues/413#issuecomment-868689692 and https://github.com/OpenSC/libp11/issues/413#issuecomment-869144689.
Also, the patch in https://github.com/openssl/openssl/issues/15921 helps pinpoint this bug.
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (18 by maintainers)
Commits related to this issue
- CRYPTO: Remove the check for built-in methods in the export_to function That check was seen as necessary at the time, but other changes have been made since, so we now have better control on when we'... — committed to levitte/openssl by levitte 3 years ago
- CRYPTO: Remove the check for built-in methods in the export_to function That check was seen as necessary at the time, but other changes have been made since, so we now have better control on when we'... — committed to devnexen/openssl by levitte 3 years ago
Thankfully, still passes the test. 😉
I’m currently playing with tpm2-openssl, and am finding the same problem. I haven’t dived into that issue yet, but am going to soon.
What I suspect is that the issue happens whenever one of the providers is an HSM, i.e. refuses to export the key data. Worst case scenario would be trying to compare keys held by two providers, both of them HSMs. That’s simply an impossible situation…
->ameth being NULL is an indication that the loaded key is tied to a provider. It is a bit strange that this happens no matter what for you guys, as the intention as far as I understood it was that engines would indeed get some sort of first dibs. There’s been quite a bit of work happening in that area, though, so this may have changed since last I looked…