EVP_PKEY_fromdata_init returns unsupported.

William Roberts bill.c.roberts at gmail.com
Sat Feb 26 17:20:14 UTC 2022


On Fri, Feb 25, 2022 at 4:19 PM William Roberts
<bill.c.roberts at gmail.com> wrote:
>
> Hi Kory,
>
> it's the line:
> genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL);
>
> There's a snippet in the first email or is there something else you're
> asking me and I'm not grokking it?
>
> Thanks,
> Bill
>
> On Fri, Feb 25, 2022 at 4:16 PM Kory Hamzeh <kory at avatarci.com> wrote:
> >
> > Hi Bill,
> >
> > How are you creating the EVP_PKEY_CTX?
> >
> > Kory
> >
> >
> > > On Feb 25, 2022, at 2:07 PM, William Roberts <bill.c.roberts at gmail.com> wrote:
> > >
> > > Hello,
> > >
> > > In OpenSSL 3.0.1 the following code hits the ctx->keymgmt is NULL check
> > > and thus returns -2 in pmeth_gn.c:
> > > static int fromdata_init(EVP_PKEY_CTX *ctx, int operation)
> > > {
> > >    if (ctx == NULL || ctx->keytype == NULL)
> > >        goto not_supported;
> > >
> > >    evp_pkey_ctx_free_old_ops(ctx);
> > >    if (ctx->keymgmt == NULL)
> > >        goto not_supported;
> > >
> > > The callpath comes in from EVP_PKEY_fromdata_init:
> > >
> > > OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
> > > EVP_PKEY_CTX *genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL);
> > > int rc = EVP_PKEY_fromdata_init(genctx);
> > >
> > > I have no idea why it returns unsupported... any ideas?
> > > I also tried replacing EVP_PKEY_CTX_new_from_name with
> > > EVP_PKEY_CTX_new_id; same error.
> > >

I wonder if this is an issue with:
1. My underlying application linking to OpenSSL and not using any
custom provider or engine
2. That application is being called through the pkcs11-engine from libp11.

The flow looks something like this:

OPENSSL_CONF=ossl.cnf openssl req --> pkcs11 engine --> tpm2-pkcs11 --> tpm2-tss (linked to openssl libcrypto).

$ cat ossl.cnf
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = ${ENV::TPM2_PKCS11_MODULE}
PIN=myuserpin
init = 0

[ req ]
distinguished_name = req_dn
string_mask = utf8only
utf8 = yes

[ req_dn ]
commonName = Mr Test Harness

--- EOF ----

This worked pre-3.0; any ideas of something I can tweak?

Bill


More information about the openssl-users mailing list