What is the correct way to use OSSL_DECODER

Milan Kaše milan.kase at gmail.com
Wed Jan 12 08:41:32 UTC 2022


By further comparing the scenario with the built-in file provider and
my external provider I found that this has something to do with
library contexts.

When x509_pubkey_ex_d2i_ex tries to decode the certificate's public
key it always uses the default library context. When loading a
certificate from a file through the default provider the
OSSL_DECODER_CTX_new_for_pkey sets up decoders in this context
correctly. However, when loading a certificate from my provider, the
default provider has not been activated and
OSSL_DECODER_CTX_new_for_pkey contains no decoder, thus the following
DECODER_from_bio fails to decode the certificate public key.

If I "hack" my provider_init function and force load the default
provider into the default library context then things start to work.
Then I realized I can also add provider on the command line:

openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default

and this works too.

How is this supposed to work?

Thanks,
Milan