X509_PUBKEY_set pkey breaking changes in 1.1


Jakub Zelenka

I've ported PHP to work with OpenSSL 1.1, which is part of the upcoming 7.1 release. Everything seems to work fine; we have just the last 2 failing tests in the openssl extension. One of them is caused by changes in X509_PUBKEY_set.

We have got a function to create a cert request (X509_REQ) called openssl_csr_new which, among other things, sets a supplied private key using X509_REQ_set_pubkey, which basically just passes it to X509_PUBKEY_set. The break for us then happens when a user calls openssl_csr_get_public_key, which calls X509_REQ_get_pubkey. The reason for that is that OpenSSL 1.1 stores a supplied pkey instead of just decoding it to pubkey, which was done previously. The change is in this commit:

The question that I have is whether this change has been done on purpose and whether, from version 1.1, we must pass just the pub key (basically extract it from the private key) if we don't want to show the private key later. The reason why I'm asking is that the only note about that in CHANGES is from 0.9.5, when it was introduced:

  *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
     fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
     using the passed key: if the passed key was a private key the result
     of X509_print(), for example, would be to print out all the private key
     [Steve Henson]



openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
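
A regression check for the behaviour described in the post, as an added example that is not part of the original message or of PHP's own test suite: it builds a CSR with openssl_csr_new, reads the key back with openssl_csr_get_public_key, and verifies that no private RSA components come back. The helper name `private_rsa_fields` and the subject value are made up for illustration, and a working default openssl.cnf is assumed.

```php
<?php
// Added example: detects private key material leaking through a CSR's public key.

// Hypothetical helper: lists the private RSA fields that $key exposes.
function private_rsa_fields($key): array
{
    $details = openssl_pkey_get_details($key);
    if ($details === false || !isset($details['rsa'])) {
        throw new RuntimeException('not an RSA key, or details unavailable');
    }
    // A public-only RSA key exposes just n and e.
    $private = ['d', 'p', 'q', 'dmp1', 'dmq1', 'iqmp'];
    return array_values(array_intersect($private, array_keys($details['rsa'])));
}

$priv = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($priv === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}

// Sanity check: the generated key pair must expose private fields,
// otherwise the test below would pass vacuously.
if (private_rsa_fields($priv) === []) {
    throw new RuntimeException('generated key has no private components');
}

// Constructed subject, for illustration only.
$csr = openssl_csr_new(['commonName' => 'csr-test.example'], $priv,
                       ['digest_alg' => 'sha256']);
if ($csr === false || $csr === true) {   // true means created but not signed
    throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
}

$fromCsr = openssl_csr_get_public_key($csr);
if ($fromCsr === false) {
    throw new RuntimeException('could not read public key from CSR');
}

$leaked     = private_rsa_fields($fromCsr);
// Exporting as a private key must fail for a public-only key.
$exportable = @openssl_pkey_export($fromCsr, $pem);

if ($leaked !== [] || $exportable) {
    fwrite(STDERR, 'FAIL: CSR key exposes private fields: ' . implode(',', $leaked) . "\n");
    exit(1);
}
echo "OK: key returned from CSR contains only public components\n";
```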