EVP_PKEY_fromdata_init returns unsupported.

Matt Caswell matt at openssl.org
Mon Feb 28 08:58:47 UTC 2022

On 25/02/2022 22:07, William Roberts wrote:
> Hello,
> In openssl 3.0.1 the following code hits the ctx->keymgt is null check
> and thus returns -2
> in pmeth_gn.c:
> static int fromdata_init(EVP_PKEY_CTX *ctx, int operation)
> {
>      if (ctx == NULL || ctx->keytype == NULL)
>          goto not_supported;
>      evp_pkey_ctx_free_old_ops(ctx);
>      if (ctx->keymgmt == NULL)
>          goto not_supported;
> The callpath comes in from EVP_PKEY_fromdata_init:
> libctx = OSSL_LIB_CTX_new()
> genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL);

My guess is EVP_PKEY_CTX_new_from_name() is finding a default engine 
implementation for RSA. You might like to step through 
EVP_PKEY_CTX_new_from_name in the debugger (actually int_ctx_new in 
crypto/evp/pmeth_lib.c) and see if the "e" variable ever gets associated 
with an engine.

If an engine is being found then the EVP_PKEY_CTX will use that engine 
implementation for all subsequent RSA operations. EVP_PKEY_fromdata will 
only work with provider based implementations (we should make that 
explicit in the documentation) - hence it will fail.


> int rc = EVP_PKEY_fromdata_init(genctx);
> I have no idea why it returns unsupported... any ideas?
> I also tried replacing EVP_PKEY_CTX_new_from_name  with
> EVP_PKEY_CTX_new_id, same error.
> Thanks,
> Bill

More information about the openssl-users mailing list