By further comparing the scenario with the built-in file provider and my external provider I found that this has something to do with library contexts. When x509_pubkey_ex_d2i_ex tries to decode the certificate's public key it always uses the default library context. When loading a certificate from a file through the default provider the OSSL_DECODER_CTX_new_for_pkey sets up decoders in this context correctly. However when loading a certificate from my provider the default provider has not been activated and OSSL_DECODER_CTX_new_for_pkey contains no decoder thus the following DECODER_from_bio fails to decode the certificate public key. If I "hack" my provider_init function and force load the default provider into the default library context then things start to work. Then I realized I can also add provider on the command line: openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default and this work too. How is this supposed to work? Thanks, Milan
