OSSL_DECODER_CTX_new_for_pkey can't find decoder

Matt Caswell matt at openssl.org
Mon Oct 25 10:02:20 UTC 2021



On 25/10/2021 10:51, Alex Dankow wrote:
> Hi everyone,
> 
> I'm writing a provider for Windows certificates.
> It generally works like this
> 
> openssl x509 -in "myuri ......" -provider mytest -text
> 
> OpenSSL fetches a DER encoded certificate from my STORE and prints it.
> However it doesn't print the public key itself.
> The code in x_pubkey.c near OSSL_DECODER_CTX_new_for_pkey "DER", 
> "SubjectPublicKeyInfo" fails to find a decoder. The rest is decoded by 
> OpenSSL
> 
> But if I add provider "default" in the command line:
> openssl x509 -in "myuri ......" -provider mytest -provider default -text
> It works completely.
> 
> Am I missing something or  is it a bug ?

This is correct behaviour. From the crypto man page:

'If you don't load any providers at all then the "default" provider will be
automatically loaded. If you explicitly load any provider then the "default"
provider would also need to be explicitly loaded if it is required.'

https://www.openssl.org/docs/man3.0/man7/crypto.html

Also mentioned on the default provider man page:

'If an attempt to load a provider has already been made (whether 
successful or not) then the default provider won't be loaded 
automatically. Therefore if the default provider is to be used in 
conjunction with other providers then it must be loaded explicitly. 
Automatic loading of the default provider only occurs a maximum of once; 
if the default provider is explicitly unloaded then the default provider 
will not be automatically loaded again.'

https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-default.html

And on the config file man page:

'If no providers are activated explicitly, the default one is activated 
implicitly. See OSSL_PROVIDER-default(7) for more details.

If you add a section explicitly activating any other provider(s), you 
most probably need to explicitly activate the default provider, 
otherwise it becomes unavailable in openssl. It may make the system 
remotely unavailable.'

https://www.openssl.org/docs/man3.0/man5/config.html


Matt


More information about the openssl-users mailing list