On Tue, Nov 2, 2021 at 3:42 PM Jason Schultz <jetso...@hotmail.com> wrote:
> I thought I should start a new thread since this question was buried in my
> "FIPS" thread and I don't think it has anything to do with FIPS and OpenSSL
> providers. I'm hitting another problem that I think is related to the
> migration to OpenSSL 3.0, as this code works with OpenSSL 1.1.1 (and 1.0.2
> before it). When looking at the documentation pages for 1.1.1 vs 3.0, I'm
> not seeing any differences between the OpenSSL APIs I'm calling in the 2
> different release levels.
>
> Here is the sequence, I'm basically setting up my certificate and private
> key, both in PEM format, for the server, then I need to extract some
> information from them:
>
> ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
> SSL_CTX_use_PrivateKey_file(ctx, <keyfile>, SSL_FILETYPE_PEM);
> SSL_CTX_use_certificate_file(ctx, <certfile>, SSL_FILETYPE_PEM);
> SSL_CTX_check_private_key(ctx);
> fp = fopen(<certfile>, "r");
> mycert = PEM_read_X509(fp, NULL, 0, NULL);
>
> All functions return good statuses or non-NULL pointers until the last one,
> X509_get_pubkey() returns NULL.
>

You probably do not have any providers loaded in the default libctx (NULL).
As the first 4 calls have succeeded, non_fips_libctx does have a working
provider. Check your code for what is stopping the default provider getting
auto-loaded into the default libctx (config file misconfiguration or explicit
provider loading?).

Or try the following after successfully loading the cert to the SSL context
(ctx):

X509 *cert = SSL_CTX_get0_certificate(ctx);
EVP_PKEY *pkey = X509_get_pubkey(cert);

This should work as the decoding will happen in non_fips_libctx.

Selva