Order of providers breaks my keymgmt

Milan Kaše milan.kase at gmail.com
Mon Jan 17 08:36:53 UTC 2022


Hi,
I successfully implemented an OpenSSL v3 provider which provides store
and keymgmt, and I can use it to sign a CMS message with the following command:

openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default

However, when I swap the order of providers (in the real-world scenario
the providers are configured through the configuration file), i.e.

openssl cms -sign -signer myprov:cert=0014 -provider default -provider myprov

the command stops working.

I return the private key from the store through the reference:

#include <openssl/core.h>         /* OSSL_CALLBACK */
#include <openssl/core_object.h>  /* OSSL_OBJECT_PKEY, OSSL_OBJECT_PARAM_* */
#include <openssl/params.h>       /* OSSL_PARAM_int/octet_string/utf8_string, OSSL_PARAM_END */

/* LOADER_CTX, KEYREF and COUNTOF() are the provider's own definitions. */
int construct_ec_key(LOADER_CTX *myloader, OSSL_CALLBACK *object_cb,
                     void *object_cbarg) {
    static const int object_type = OSSL_OBJECT_PKEY;
    static const char data_type[] = "EC";
    KEYREF ref = { 0, };
    OSSL_PARAM objparams[] = {
        /* object is a private key ... */
        OSSL_PARAM_int(OSSL_OBJECT_PARAM_TYPE, (int *)&object_type),
        /* ... handed back as an opaque reference, not as key material ... */
        OSSL_PARAM_octet_string(OSSL_OBJECT_PARAM_REFERENCE, &ref, sizeof(ref)),
        /* ... that a keymgmt for the "EC" data type must load */
        OSSL_PARAM_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, (char *)data_type,
                               COUNTOF(data_type) - 1),
        OSSL_PARAM_END,
    };
    return object_cb(objparams, object_cbarg);
}

The try_key_ref function then tries to transform data from the store
into the EVP_PKEY. It first looks up a keymgmt that can handle the
"EC" data type. Since the default provider is the first one that can
do that, it is selected. It then tries to export data from my keymgmt
and import it into the selected default keymgmt. But obviously I can't
export the private key, and the operation fails.

When my provider is activated before the default one, then everything
works because the EVP_PKEY is constructed from my keymgmt.

What am I doing wrong? Shouldn't OpenSSL first try to construct the
EVP_PKEY from the provider that actually returned the data? Is there a
way to force OpenSSL to use the specified provider (some property
"provider=myprov")?

Thanks,
Milan
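The selection problem described in the post, as an added model that is not OpenSSL code and not part of the original message: providers are walked in activation order, the first keymgmt that handles the data type and satisfies the property query wins, and a key reference can only be loaded by the keymgmt of the provider that issued it (otherwise export/import is attempted). The provider names, the `exportable` flag and the toy `provider=name` property parser are constructed for this example; the real property syntax `provider=myprov` is OpenSSL's, everything else is a simplification.

```python
"""Model of turning an OSSL_STORE key reference into a key object.

Constructed model for illustration only (not OpenSSL's implementation):
- fetch_keymgmt() walks providers in activation order and returns the first
  keymgmt for the data type that also satisfies the property query;
- try_key_ref() loads by reference when the fetched keymgmt belongs to the
  provider that returned the reference, otherwise it falls back to
  export/import, which fails for a non-exportable private key.
"""
from dataclasses import dataclass


@dataclass
class KeyMgmt:
    provider: str
    data_type: str
    exportable: bool  # whether export() may hand out raw key material


@dataclass
class Provider:
    name: str
    keymgmts: list


def parse_propq(propq):
    """Parse a minimal 'name=value,name=value' property query into a dict."""
    out = {}
    for term in (propq or "").split(","):
        if term.strip():
            key, _, value = term.strip().partition("=")
            out[key.strip()] = value.strip()
    return out


def fetch_keymgmt(providers, data_type, propq=None):
    """First keymgmt, in activation order, handling data_type and matching propq."""
    want = parse_propq(propq)
    for prov in providers:
        if "provider" in want and want["provider"] != prov.name:
            continue  # property query excludes this provider
        for km in prov.keymgmts:
            if km.data_type == data_type:
                return km
    return None


def try_key_ref(providers, origin_provider, data_type, propq=None):
    """Resolve a key reference returned by origin_provider's store loader.

    Returns (keymgmt_or_None, reason)."""
    km = fetch_keymgmt(providers, data_type, propq)
    if km is None:
        return None, "no keymgmt handles data type %r" % data_type
    if km.provider == origin_provider:
        return km, "loaded by reference"
    # Fetched keymgmt lives in another provider: need export from the origin.
    origin_km = fetch_keymgmt(providers, data_type, "provider=" + origin_provider)
    if origin_km is None:
        return None, "origin provider has no keymgmt for %r" % data_type
    if not origin_km.exportable:
        return None, "export from %s refused; cannot import into %s" % (
            origin_provider, km.provider)
    return km, "exported from %s, imported into %s" % (origin_provider, km.provider)


# Constructed sample set-up: a hardware-style provider whose EC private keys
# never leave it, and the default provider, which can import raw EC keys.
MYPROV = Provider("myprov", [KeyMgmt("myprov", "EC", exportable=False)])
DEFAULT = Provider("default", [KeyMgmt("default", "EC", exportable=True)])


def scenario(order, propq=None):
    """Resolve an EC key reference issued by myprov under a given activation order."""
    km, reason = try_key_ref(order, "myprov", "EC", propq)
    return (km.provider if km else None, reason)


if __name__ == "__main__":
    print(scenario([MYPROV, DEFAULT]))                       # myprov first: works
    print(scenario([DEFAULT, MYPROV]))                       # default first: fails
    print(scenario([DEFAULT, MYPROV], "provider=myprov"))    # pinned by propq: works
```

The third scenario is the point of the model: a property query of the form `provider=myprov` pins the fetch to the named provider regardless of activation order. OpenSSL 3 command-line tools accept such a query through the generic `-propquery` option, and the same string can be passed as the `propq` argument of the fetch and store APIs.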
