[openssl/openssl] f11f24: Restore the meaning of EVP_PKEY_print_private()

Richard Levitte noreply at github.com
Wed Oct 4 06:17:28 UTC 2023


  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: f11f24e79ddcb6f3567cf36ceeafe2c713b566f8
      https://github.com/openssl/openssl/commit/f11f24e79ddcb6f3567cf36ceeafe2c713b566f8
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2023-10-04 (Wed, 04 Oct 2023)

  Changed paths:
    M crypto/evp/p_lib.c
    M include/openssl/evp.h
    M providers/implementations/encode_decode/encode_key2text.c

  Log Message:
  -----------
  Restore the meaning of EVP_PKEY_print_private()

With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD
function "priv_print", effectively asking the backend to print whatever it
regards as private key components.

In all backends that were built into libcrypto, this function printed what
was included in the private key structure, which usually includes the
public key components as well.

With OpenSSL 3.0, some of the corresponding key2text encoders got a
slightly different behavior, where the presence of the selector
OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the presence of the selector
OSSL_KEYMGMT_SELECT_PUBLIC_KEY would only get what would intuitively be
regarded as private key components printed.  This isn't entirely consistent,
though, as the RSA key2text encoder will still print the public key
components regardless.

To compensate for the changed backend behavior, EVP_PKEY_print_private()
was made to ask the encoder to print the keypair rather than just the
private key, thereby moving the backend semantics to the application API.
Unfortunately, this causes confusion for providers where the key2text
encoder really should print the private key only.

This change restores the built-in 1.1.1 backend behavior in the encoders
that OpenSSL provides, and renders EVP_PKEY_print_private() more true to its
documented behavior, leaving it to the backend to decide what it regards as
"private key components".

Fixes #22233

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22237)

(cherry picked from commit 1296c2ec7866a4f2f4d210432c771142e8de33a0)

More information about the openssl-commits mailing list