openssl: PKCS8 encoded RSA private key fails to decode if legacy algorithms are involved and the error reporting is lacking
OSSL_DECODER_from_bio fails to decode an encrypted RSA private key.
Pseudo code:
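```cpp
#include <openssl/bio.h>
#include <openssl/decoder.h>
#include <openssl/err.h>
#include <openssl/evp.h>

// `file` (const char*) and `passwordUtf8` (std::string) are supplied by the caller.
const auto privateBio{ ::BIO_new_file(file, "rb") };  // mode must be a narrow string
EVP_PKEY* privateKey{ nullptr };
auto decoderContext{ ::OSSL_DECODER_CTX_new_for_pkey(&privateKey, nullptr, nullptr, nullptr, OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr) };
::OSSL_DECODER_CTX_set_passphrase(decoderContext, reinterpret_cast<const unsigned char*>(passwordUtf8.c_str()), passwordUtf8.size());
const auto result{ ::OSSL_DECODER_from_bio(decoderContext, privateBio) };  // 1 on success, 0 on failure
const auto reason{ ::ERR_GET_REASON(::ERR_peek_last_error()) };
```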
Private key:
result is 0 and reason is 0 too. This was working before.
Password can be provided privately.
About this issue
- State: closed
- Created 3 years ago
- Comments: 21 (19 by maintainers)
Commits related to this issue
- OSSL_DECODER_from_bio: Avoid spurious decoder error If there are any new errors reported we avoid raising the OSSL_DECODER_from_bio:unsupported error. Fixes #14566 — committed to t8m/openssl by t8m 3 years ago
- OSSL_DECODER_from_bio: Avoid spurious decoder error If there are any new errors reported we avoid raising the OSSL_DECODER_from_bio:unsupported error. Fixes #14566 Reviewed-by: Paul Dale <pauli@ope... — committed to devnexen/openssl by t8m 3 years ago
Ah, yes, it is - it is encrypted with single DES. You’ll need the legacy provider loaded for that to be supported.
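An added diagnostic, not part of the original thread or of OpenSSL: because the decoder in the report returned no error reason, this dependency-free C++ check reads the DER `EncryptedPrivateKeyInfo` header and reports whether the key is encrypted with single DES. The names `header`, `pkcs8_cipher_oid` and `needs_legacy_provider` are hypothetical, the sample bytes are constructed, and the input is assumed to be the base64-decoded body of the PEM block.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;
// DER content octets of the OIDs this check cares about.
const Bytes kPbes2  {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x0d}; // PBES2
const Bytes kMd5Des {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x03}; // pbeWithMD5AndDES-CBC
const Bytes kSha1Des{0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x0a}; // pbeWithSHA1AndDES-CBC
const Bytes kDesCbc {0x2b,0x0e,0x03,0x02,0x07};                     // des-cbc (PBES2 scheme)
// Constructed sample (not the key from the report): PBES1 MD5+DES, dummy salt and data.
const Bytes kSample{0x30,0x27, 0x30,0x1b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x03,
                    0x30,0x0e, 0x04,0x08,1,2,3,4,5,6,7,8, 0x02,0x02,0x08,0x00,
                    0x04,0x08,0,0,0,0,0,0,0,0};

// Read a DER header with the expected tag at `pos`; on success move `pos` to the
// content and set `len`. Every read is bounded by the buffer size.
static bool header(const Bytes& d, size_t& pos, uint8_t tag, size_t& len) {
    if (d.size() - pos < 2 || d[pos] != tag) return false;
    size_t off = pos + 2, n = d[pos + 1] & 0x7f;
    len = n;                                        // short form
    if (d[pos + 1] & 0x80) {                        // long form: n length octets follow
        if (n == 0 || n > 4 || n > d.size() - off) return false;
        for (len = 0; n > 0; --n) len = (len << 8) | d[off++];
    }
    if (len > d.size() - off) return false;
    pos = off;
    return true;
}

// Cipher OID of a DER EncryptedPrivateKeyInfo: the PBES1 algorithm OID, or for
// PBES2 the nested encryptionScheme OID. Empty on malformed input.
Bytes pkcs8_cipher_oid(const Bytes& der) {
    size_t p = 0, len = 0;
    if (!header(der, p, 0x30, len) || !header(der, p, 0x30, len)) return {};  // outer, encryptionAlgorithm
    if (!header(der, p, 0x06, len)) return {};
    Bytes oid(der.begin() + p, der.begin() + p + len);
    p += len;
    if (oid != kPbes2) return oid;
    if (!header(der, p, 0x30, len) || !header(der, p, 0x30, len)) return {};  // PBES2-params, keyDerivationFunc
    p += len;                                                                  // skip the KDF
    if (!header(der, p, 0x30, len) || !header(der, p, 0x06, len)) return {};  // encryptionScheme, its OID
    return Bytes(der.begin() + p, der.begin() + p + len);
}

// Single DES is provided only by the legacy provider in OpenSSL 3.x.
bool needs_legacy_provider(const Bytes& oid) {
    return oid == kMd5Des || oid == kSha1Des || oid == kDesCbc;
}
```

When `needs_legacy_provider` returns true, the application has to load the legacy provider next to the default one (for example with `OSSL_PROVIDER_load(nullptr, "legacy")` and `OSSL_PROVIDER_load(nullptr, "default")`) before running the decoder.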