OSSL_DECODER_CTX_new_for_pkey can't find decoder
Matt Caswell
matt at openssl.org
Mon Oct 25 10:02:20 UTC 2021
On 25/10/2021 10:51, Alex Dankow wrote:
> Hi everyone,
>
> I'm writing a provider for Windows certificates.
> It generally works like this:
>
> openssl x509 -in "myuri ......" -provider mytest -text
>
> OpenSSL fetches a DER encoded certificate from my STORE and prints it.
> However it doesn't print the public key itself.
> The code in x_pubkey.c near OSSL_DECODER_CTX_new_for_pkey "DER",
> "SubjectPublicKeyInfo" fails to find a decoder. The rest is decoded by
> OpenSSL.
>
> But if I add provider "default" in the command line:
> openssl x509 -in "myuri ......" -provider mytest -provider default -text
> It works completely.
>
> Am I missing something or is it a bug?

This is correct behaviour. From the crypto man page:

'If you don't load any providers at all then the "default" provider will be
automatically loaded. If you explicitly load any provider then the "default"
provider would also need to be explicitly loaded if it is required.'

https://www.openssl.org/docs/man3.0/man7/crypto.html

Also mentioned on the default provider man page:

'If an attempt to load a provider has already been made (whether
successful or not) then the default provider won't be loaded
automatically. Therefore if the default provider is to be used in
conjunction with other providers then it must be loaded explicitly.
Automatic loading of the default provider only occurs a maximum of once;
if the default provider is explicitly unloaded then the default provider
will not be automatically loaded again.'

https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-default.html

And on the config file man page:

'If no providers are activated explicitly, the default one is activated
implicitly. See OSSL_PROVIDER-default(7) for more details.
If you add a section explicitly activating any other provider(s), you
most probably need to explicitly activate the default provider,
otherwise it becomes unavailable in openssl. It may make the system
remotely unavailable.'

https://www.openssl.org/docs/man3.0/man5/config.html

Matt
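
The configuration-file form of the behaviour described in the reply, as an added example that is not part of the original thread: an openssl.cnf that activates the custom provider together with the default one. "mytest" is the provider name from the question; the section names and the module path are placeholders chosen for this example.

```ini
# Added example, not from the original thread.
# Top-level pointer to the library initialisation section.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

# If this section listed only "mytest", the implicit activation of the
# default provider would be switched off, and the lookup for a
# DER / SubjectPublicKeyInfo decoder would find nothing, which is the
# symptom reported in the question.
[provider_sect]
mytest = mytest_sect
default = default_sect

[mytest_sect]
# Placeholder path: replace with the location of the provider module.
module = /path/to/mytest-module
activate = 1

# Explicit activation, required as soon as any other provider is activated.
[default_sect]
activate = 1
```

With the OPENSSL_CONF environment variable pointing at this file, `openssl list -providers` shows which providers were actually activated, which is a quick check that both are present before debugging decoder lookups.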