author | Richard Levitte <levitte@openssl.org> | 2020-08-05 10:28:51 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2020-09-03 17:48:32 +0200 |
commit | a10847c427744fb7e7d29953dee130a52251c027 (patch) | |
tree | a009c19372810a87154460cbbebe6e106dcf88c4 /crypto/pkcs7 | |
parent | EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() (diff) | |
"Downgrade" provider-native keys to legacy where needed

Some sub-systems and openssl sub-commands do not yet deal cleanly with
purely provider-native EVP_PKEYs. We compensate for that by "downgrading"
keys in select places, or ensure that the 'file:' scheme ENGINE loader
is activated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)

Diffstat (limited to 'crypto/pkcs7')
-rw-r--r-- | crypto/pkcs7/pk7_lib.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 797d1d2c25..d891ca22e8 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -319,6 +319,17 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, ASN1_INTEGER_dup(X509_get0_serialNumber(x509)))) goto err; + /* + * TODO(3.0) Adapt for provider-native keys + * Meanwhile, we downgrade the key. + * #legacy + */ + if (!evp_pkey_downgrade(pkey)) { + PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET, + PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + goto err; + } + /* lets keep the pkey around for a while */ EVP_PKEY_up_ref(pkey); p7i->pkey = pkey; |
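
Review bot: In the added block in PKCS7_SIGNER_INFO_set(), evp_pkey_downgrade(pkey) runs on the caller's EVP_PKEY before EVP_PKEY_up_ref(pkey), and the same pointer is then stored in p7i->pkey, so the conversion appears to modify an object the caller still owns and may share with other code. That side effect should be stated in the function's documentation, or avoided by downgrading a private copy of the key. The failure path reports PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE, which conflates "the key could not be converted to legacy form" with "this key type cannot sign"; a distinct reason code, or a comment explaining the reuse, would make the error easier to diagnose. The TODO(3.0) comment would also be more useful if it said what the provider-native adaptation needs to cover, so the #legacy marker can be resolved later.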