On Wed, 2022-01-12 at 09:41 +0100, Milan Kaše wrote:
> By further comparing the scenario with the built-in file provider and
> my external provider I found that this has something to do with
> library contexts.
>
> When x509_pubkey_ex_d2i_ex tries to decode the certificate's public
> key it always uses the default library context. When loading a
> certificate from a file through the default provider the
> OSSL_DECODER_CTX_new_for_pkey sets up decoders in this context
> correctly. However, when loading a certificate from my provider the
> default provider has not been activated and
> OSSL_DECODER_CTX_new_for_pkey contains no decoder, thus the following
> DECODER_from_bio fails to decode the certificate public key.
>
> If I "hack" my provider_init function and force-load the default
> provider into the default library context then things start to work.
> Then I realized I can also add the provider on the command line:
>
> openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default
>
> and this works too.
>
> How is this supposed to work?

The default (or base) provider has to be explicitly loaded (for example via the
configuration file) once you load any other provider. The default provider is
implicitly loaded only in case no other provider was loaded before, for
compatibility reasons. See for example the OSSL_PROVIDER-default manual page.

-- 
Tomáš Mráz, OpenSSL