ssl_key_handler: support OpenSSL 3.0 for key verification
Loading and checking of keys is one area where OpenSSL 1.0 and 3.0 are
not compatible. Many of the functions currently used in the
ssl_key_handler are deprecated in 3.0, but the APIs necessary for
conversion also do not exist in 1.0. Until OpenSSL 3.0 is widely used
in Linux distributions we therefore need to support both APIs.
Add a #define on the OPENSSL_VERSION_NUMBER to identify 3.x (or greater)
support and switch between the two API sets.
Tested: Added to a Yocto test build for the subtree update that
includes OpenSSL 3.x and confirmed Romulus QEMU test is successful.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I22bc77753bb32d1b92932f9918d64856a4e52af8
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 4578c2b..067b0dc 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -109,6 +109,7 @@
EVP_PKEY* pkey = PEM_read_PrivateKey(file, nullptr, nullptr, nullptr);
if (pkey != nullptr)
{
+#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
RSA* rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa != nullptr)
{
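Review bot: the version test here is written as a literal comparison, `#if (OPENSSL_VERSION_NUMBER < 0x30000000L)`, even though the commit message describes adding a #define to identify 3.x or greater; the same literal is then repeated in the later hunks with a different operator. Defining the condition once near the top of the file (for example a single macro that expands to `OPENSSL_VERSION_NUMBER >= 0x30000000L`) and using that macro in every `#if` would keep the three branches in step and make the 3.0.0 boundary unambiguous. A short comment on the `#if` saying why the two API sets are needed (the 1.x functions are deprecated in 3.0, the 3.0 functions are absent in 1.x) would also help the next reader, since that reasoning currently lives only in the commit message.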
@@ -142,6 +143,26 @@
EC_KEY_free(ec);
}
}
+#else
+ EVP_PKEY_CTX* pkey_ctx =
+ EVP_PKEY_CTX_new_from_pkey(nullptr, pkey, nullptr);
+
+ if (!pkey_ctx)
+ {
+ std::cerr << "Unable to allocate pkey_ctx " << ERR_get_error()
+ << "\n";
+ }
+ else if (EVP_PKEY_check(pkey_ctx) == 1)
+ {
+ privateKeyValid = true;
+ }
+ else
+ {
+
+ std::cerr << "Key not valid error number " << ERR_get_error()
+ << "\n";
+ }
+#endif
if (privateKeyValid)
{
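Review bot: the 3.0 path changes what counts as a valid key compared with the 1.x path. The 1.x branch visibly handles RSA (`EVP_PKEY_get1_RSA`) and EC (`EC_KEY_free`) keys specifically, whereas `EVP_PKEY_check(pkey_ctx) == 1` accepts any key type the provider can validate, so a key type the old code would have rejected now sets `privateKeyValid = true`; if that widening is intended it deserves a sentence in the commit message, otherwise a type check (for example on `EVP_PKEY_base_id`) should precede the `EVP_PKEY_check` call. Two smaller points: `EVP_PKEY_check` returns 1 for valid, 0 for invalid and a negative value when the check is unsupported or errors, so the `else` branch lumps "unsupported" together with "invalid"; and both error paths print the raw `ERR_get_error()` number, where `ERR_error_string_n` would give a readable message. The empty line at the top of the final `else` block is a style nit.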
@@ -164,6 +185,9 @@
}
}
+#if (OPENSSL_VERSION_NUMBER > 0x30000000L)
+ EVP_PKEY_CTX_free(pkey_ctx);
+#endif
EVP_PKEY_free(pkey);
}
fclose(file);
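Review bot: the guard around `EVP_PKEY_CTX_free(pkey_ctx)` uses `> 0x30000000L`, while the allocation in the earlier hunk is compiled whenever `OPENSSL_VERSION_NUMBER < 0x30000000L` is false, i.e. for `>= 0x30000000L`. A build against exactly 3.0.0 therefore allocates the context but never frees it, leaking one `EVP_PKEY_CTX` per key check. Change this condition to `>=` (or to the shared macro suggested for the first hunk) so the allocate and free sides agree. Freeing here is otherwise correct: `EVP_PKEY_CTX_free` tolerates a null pointer, so the allocation-failure path that leaves `pkey_ctx` null and falls through to this point is safe.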