On Thu, 2024-01-25 at 12:09 -0500, Viktor Dukhovni wrote:
> On Thu, Jan 25, 2024 at 09:40:20AM +0100, Tomas Mraz wrote:
>
> > A simple workaround is to put the key in a separate file and use the
> > -key option to load it and have only the unencrypted certificate in
> > the file loaded with the -cert option.
>
> So it seems that the PEM reader wants to decrypt even objects that
> will be ultimately ignored? This feels like a layering issue, the
> decryption happens before filtering for the desired result types.
>
> Is that the issue?

Yes, but I assume it might be even more complicated because the apps
call OSSL_STORE to load keys and certs from files and not call decoders
directly.

--
Tomáš Mráz, OpenSSL