On Tue, Nov 2, 2021 at 3:42 PM Jason Schultz <jetson23@xxxxxxxxxxx> wrote:
I thought I should start a new thread since this question was buried in my "FIPS" thread and I don't think it has anything to do with FIPS and OpenSSL providers. I'm hitting another problem that I think is related to the migration to OpenSSL 3.0, as this code works with OpenSSL 1.1.1 (and 1.0.2 before it). When looking at the documentation pages for 1.1.1 vs 3.0, I'm not seeing any differences between the OpenSSL APIs I'm calling in the 2 different release levels.
Here is the sequence, I'm basically setting up my certificate and private key, both in PEM format, for the server, then I need to extract some information from them:
ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
SSL_CTX_use_PrivateKey_file(ctx, <keyfile>, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_file(ctx, <certfile>, SSL_FILETYPE_PEM);
SSL_CTX_check_private_key(ctx);
fp = fopen(<certfile>, "r");
mycert = PEM_read_X509(fp, NULL, 0, NULL);
All functions return good statuses or non-NULL pointers until the last one, X509_get_pubkey() returns NULL.
You probably do not have any providers loaded in the default libctx (NULL). As the first 4 calls have succeeded, non_fips_libctx does have a working provider.
Check your code for what is stopping the default provider from getting auto-loaded into the default libctx (config file misconfiguration or explicit provider loading?). Or try the following after successfully loading the cert to the SSL context (ctx):
X509 *cert = SSL_CTX_get0_certificate(ctx);
EVP_PKEY *pkey = X509_get_pubkey(cert);
This should work as the decoding will happen in non_fips_libctx.
Selva