X509_get_pubkey() in OpenSSL 3.0?

Selva Nair selva.nair at gmail.com
Tue Nov 2 21:00:22 UTC 2021

On Tue, Nov 2, 2021 at 3:42 PM Jason Schultz <jetson23 at hotmail.com> wrote:

> I thought I should start a new thread since this question was buried in my
> "FIPS" thread and I don't think it has anything to do with FIPS and OpenSSL
> providers. I'm hitting another problem that I think is related to the
> migration to OpenSSL 3.0, as this code works with OpenSSL 1.1.1 (and 1.0.2
> before it). When looking at the documentation pages for 1.1.1 vs 3.0, I'm
> not seeing any differences between the OpenSSL APIs I'm calling in the 2
> different release levels.
> Here is the sequence, I'm basically setting up my certificate and private
> key, both in PEM format, for the server, then I need to extract some
> information from them:
>     ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
>     SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);
>     SSL_CTX_use_certificate_file(ctx,<certfile>,SSL_FILETYPE_PEM);
>     fp = fopen(<certfile>, "r");
>     mycert = PEM_read_X509(fp, NULL, 0, NULL);
>
> All functions return good statuses or non-NULL pointers until the last one,
> X509_get_pubkey() returns NULL.

You probably do not have any providers loaded in the default libctx (NULL).
As the first 4 calls have succeeded, non_fips_libctx does have a working

Check your code for what is stopping default provider getting auto-loaded
into the default libctx (config file misconfiguration or explicit provider
loading?). Or try the following after successfully loading the cert to the
SSL context (ctx):

X509 *cert = SSL_CTX_get0_certificate(ctx);  /* owned by ctx; do not free */
EVP_PKEY *pkey = X509_get_pubkey(cert);      /* release with EVP_PKEY_free() */

This should work as the decoding will happen in non_fips_libctx.
