[openssl-dev] X509_PUBKEY_set pkey breaking changes in 1.1

Jakub Zelenka jakub.openssl at gmail.com
Sun Oct 2 18:18:19 UTC 2016


Hi,

I've ported PHP to work with OpenSSL 1.1, which is part of the upcoming 7.1
release. Everything seems to work fine; we have got just the last 2 failing
tests in the openssl extension. One of them is caused by changes
in X509_PUBKEY_set.

We have got a function to create a cert request (X509_REQ) called
openssl_csr_new which, among other things, sets a supplied private key using
X509_REQ_set_pubkey, which basically just passes it to X509_PUBKEY_set. The
break for us then happens when a user calls openssl_csr_get_public_key, which
calls X509_REQ_get_pubkey. The reason for that is that OpenSSL 1.1 stores
the supplied pkey instead of just decoding it to a pubkey, which was done
previously. The change is in this commit:

https://goo.gl/FvOnjn

The question that I have is whether this change has been done on purpose and
whether, from version 1.1, we must pass just the pub key (basically extract it
from the private key) if we don't want to show the private key later. The reason
why I'm asking is that the only note about that in CHANGES is from 0.9.5, when it
was introduced:

  *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
     fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
     using the passed key: if the passed key was a private key the result
     of X509_print(), for example, would be to print out all the private key
     components.
     [Steve Henson]

Thanks

Jakub