Deprecate RSA harder

This deprecates all functions that deal with the types RSA and RSA_METHOD

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13096)

4 files changed, 57 insertions, 35 deletions

diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c
index 1bdbda79fa..6fd7b356cd 100644
--- a/test/endecoder_legacy_test.c
+++ b/test/endecoder_legacy_test.c
@@ -35,6 +35,12 @@
 
 #include <stdlib.h>
 #include <string.h>
+
+/*
+ * We test deprecated functions, so we need to suppress deprecation warnings.
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index e0f6af1f06..e2f78f1496 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -18,16 +18,17 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/kdf.h>
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
 #include <openssl/params.h>
+#include <openssl/param_build.h>
 #include <openssl/dsa.h>
 #include <openssl/dh.h>
 #include <openssl/aes.h>
+#include <openssl/decoder.h>
 #include "testutil.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
@@ -410,28 +411,25 @@ static APK_DATA keycheckdata[] = {
 #endif
 };
 
-static EVP_PKEY *load_example_rsa_key(void)
+static EVP_PKEY *load_example_key(const char *keytype,
+                                  const unsigned char *data, size_t data_len)
 {
-    EVP_PKEY *ret = NULL;
-    const unsigned char *derp = kExampleRSAKeyDER;
+    const unsigned char **pdata = &data;
     EVP_PKEY *pkey = NULL;
-    RSA *rsa = NULL;
-
-    if (!TEST_true(d2i_RSAPrivateKey(&rsa, &derp, sizeof(kExampleRSAKeyDER))))
-        return NULL;
-
-    if (!TEST_ptr(pkey = EVP_PKEY_new())
-            || !TEST_true(EVP_PKEY_set1_RSA(pkey, rsa)))
-        goto end;
+    OSSL_DECODER_CTX *dctx =
+        OSSL_DECODER_CTX_new_by_EVP_PKEY(&pkey, "DER", NULL, keytype, 0,
+                                         testctx, NULL);
 
-    ret = pkey;
-    pkey = NULL;
-
-end:
-    EVP_PKEY_free(pkey);
-    RSA_free(rsa);
+    /* |pkey| will be NULL on error */
+    (void)OSSL_DECODER_from_data(dctx, pdata, &data_len);
+    OSSL_DECODER_CTX_free(dctx);
+    return pkey;
+}
 
-    return ret;
+static EVP_PKEY *load_example_rsa_key(void)
+{
+    return load_example_key("RSA", kExampleRSAKeyDER,
+                            sizeof(kExampleRSAKeyDER));
 }
 
 #ifndef OPENSSL_NO_DSA
@@ -1690,8 +1688,10 @@ static int test_DSA_get_set_params(void)
 
 static int test_RSA_get_set_params(void)
 {
-    RSA *rsa = NULL;
+    OSSL_PARAM_BLD *bld = NULL;
+    OSSL_PARAM *params = NULL;
     BIGNUM *n = NULL, *e = NULL, *d = NULL;
+    EVP_PKEY_CTX *pctx = NULL;
     EVP_PKEY *pkey = NULL;
     int ret = 0;
 
@@ -1699,30 +1699,33 @@ static int test_RSA_get_set_params(void)
      * Setup the parameters for our RSA object. For our purposes they don't
      * have to actually be *valid* parameters. We just need to set something.
      */
-    rsa = RSA_new();
-    n = BN_new();
-    e = BN_new();
-    d = BN_new();
-    if (!TEST_ptr(rsa)
-            || !TEST_ptr(n)
-            || !TEST_ptr(e)
-            || !TEST_ptr(d)
-        || !RSA_set0_key(rsa, n, e, d))
+    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA", NULL))
+        || !TEST_ptr(bld = OSSL_PARAM_BLD_new())
+        || !TEST_ptr(n = BN_new())
+        || !TEST_ptr(e = BN_new())
+        || !TEST_ptr(d = BN_new()))
+        goto err;
+    if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n))
+        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e))
+        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)))
+        goto err;
+    if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
         goto err;
-    n = e = d = NULL;
 
-    pkey = EVP_PKEY_new();
-    if (!TEST_ptr(pkey)
-            || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa)))
+    if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0)
+        || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0))
         goto err;
 
-    rsa = NULL;
+    if (!TEST_ptr(pkey))
+        goto err;
 
     ret = test_EVP_PKEY_CTX_get_set_params(pkey);
 
  err:
     EVP_PKEY_free(pkey);
-    RSA_free(rsa);
+    EVP_PKEY_CTX_free(pctx);
+    OSSL_PARAM_BLD_free_params(params);
+    OSSL_PARAM_BLD_free(bld);
     BN_free(n);
     BN_free(e);
     BN_free(d);
diff --git a/test/keymgmt_internal_test.c b/test/keymgmt_internal_test.c
index 596019d294..77414dbc27 100644
--- a/test/keymgmt_internal_test.c
+++ b/test/keymgmt_internal_test.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 
 #include <openssl/bio.h>
diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
index 72451b37ca..94369ce701 100644
--- a/test/rsa_sp800_56b_test.c
+++ b/test/rsa_sp800_56b_test.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 
@@ -215,6 +221,7 @@ static int test_check_prime_factor(void)
     return ret;
 }
 
+/* This test uses legacy functions because they can take invalid numbers */
 static int test_check_private_exponent(void)
 {
     int ret = 0;