<div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 2, 2021 at 3:42 PM Jason Schultz <<a href="mailto:jetson23@hotmail.com" target="_blank">jetson23@hotmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<span style="margin:0px;font-size:12pt">I thought I should start a new thread since this question was buried in my "FIPS" thread and I dont' think it has anything to do with FIPS and OpenSSL providers. I'm hitting another problem that I think is related to
the migration to OpenSSL 3.0, as this code works with OpenSSL 1.1.1 (and 1.0.2 before it). When looking at the documentation pages for 1.1.1 vs 3.0, I'm not seeing any differences between the OpenSSL APIs I'm calling in the 2 different release levels. </span>
<div style="margin:0px;font-size:12pt"><br>
</div>
<div style="margin:0px;font-size:12pt">Here is the sequence, I'm basically setting up my certificate and private key, both in PEM format, for the server, then I need to extract some information from them:</div>
<div style="margin:0px;font-size:12pt"><br>
</div>
<div style="margin:0px;font-size:12pt"> ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());</div>
<div style="margin:0px">
<div style="margin:0px"></div>
<div style="margin:0px;font-size:12pt"> SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);</div>
<div style="margin:0px;font-size:12pt"> <span style="font-size:12pt">SSL_CTX_use_certificate_</span><span style="font-size:12pt">file(ctx,<certfile>,SSL_</span><span style="font-size:12pt">FILETYPE_PEM);</span><span style="font-family:Arial,Helvetica,sans-serif;font-size:small;color:rgb(34,34,34)"> </span></div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><div style="margin:0px">
<div style="margin:0px;font-size:12pt"> SSL_CTX_check_private_key(ctx);<br>
</div>
<div style="margin:0px;font-size:12pt"> fp = fopen(<certfile>, "r");</div>
<div style="margin:0px;font-size:12pt"> mycert = PEM_read_X509(fp, NULL, 0, NULL)</div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><div style="margin:0px">
<div style="margin:0px;font-size:12pt"> </div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><div style="margin:0px">
<div style="margin:0px;font-size:12pt">All functions return good statuses or non-NULL pointers until the last one, X509_get_pubkey() returns NULL.</div></div></div></div></blockquote><div><br></div><div>You probably do not have any providers loaded in the default libctx (NULL). As the first 4 calls have succeeded, non_fips_libctx does have a working provider. </div><div><br></div><div>Check your code for what is stopping default provider getting auto-loaded into the default libctx (config file misconfiguration or explicit provider loading?). Or try the following after successfully loading the cert to the SSL context (ctx):</div><div><br></div><div>X509 cert = SSL_CTX_get0_certificate(ctx);</div><div>EVP_PKEY pkey = X509_get_pubkey(cert);</div><div><br></div><div>This should work as the decoding will happen in non_fips_libctx.</div><div><br></div><div>Selva</div></div></div>