EVP_PKEY_get_raw_public_key fails with OpenSSL 3.0

fus at plutonium24.de fus at plutonium24.de
Thu Nov 10 23:35:32 UTC 2022


I have been using EVP_PKEY_get_raw_public_key with OpenSSL 1.1.1 without 
any problems to extract a raw public key (secp521r1, NIST curve P-521). 
With OpenSSL 3.0 this fails. I'm using this call to get the raw public 
key and to compare it with a reference value I have and I also check 
that the group name is "secp521r1".

This is what happens:
1) as pkey->keymgmt != NULL EVP_PKEY_get_raw_public_key calls 
evp_keymgmt_util_export with selection=OSSL_KEYMGMT_SELECT_PUBLIC_KEY
2) evp_keymgmt_util_export calls evp_keymgmt_export
3) evp_keymgmt_export calls ec_export
4) ec_export fails as it does not support returning a public key without 
domain parameters (selection only contains 
OSSL_KEYMGMT_SELECT_PUBLIC_KEY)

In OpenSSL 1.1.1 the pkey->keymgmt check in the first step is not 
present and a totally different path is taken which returns the correct 
public key.

At first this seems incompatible to me. But I think it would also be 
possible that by accident I misused the function with OpenSSL 1.1.1 as 
the algorithm is also not in the list of supported algorithms for 
OpenSSL 1.1.1.

Is this the correct function call and what did I do wrong? Or: what 
would be the correct approach to get the raw key?

Regards
Frank

