Bug #5251
closed
EVP_PKEY_base_id returns 0
Added by Varun Patil over 1 year ago.
Updated 9 months ago.
Description
We use EVP_PKEY_base_id to get the key type, which is required when using HMAC signing. Latest ndn-cxx.
This might be a bug in OpenSSL. Thoughts?
The following code prints 0 for me, and HMAC signing fails.
#include <openssl/evp.h>
#include <openssl/rsa.h>
void main() {
EVP_PKEY *pkey = NULL;
unsigned char buf[32] = {1};
if (!(pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, buf, 32))) {
exit(1);
}
printf ("%d\n", EVP_PKEY_base_id(pkey));
}
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
- Category set to Security
- Start date deleted (
01/12/2023)
Yes I noticed this in #5154 and later opened #5241 because my understanding at the time was that we were improperly using openssl APIs and we needed to redesign our HMAC integration, though I may be wrong about that.
The man page for EVP_PKEY_base_id says:
The following functions are only reliable with EVP_PKEYs that have been assigned an internal key with EVP_PKEY_assign_*():
EVP_PKEY_get_id(), EVP_PKEY_get_base_id(), EVP_PKEY_type()
However, the EVP_PKEY_assign_* functions were deprecated in openssl 3.0, and in any case I don't see such a function for HMAC.
The man page for EVP_PKEY_new_raw_private_key says:
EVP_PKEY_new_raw_private_key() may also be used with most MACs implemented as public key algorithms, so key types such as "HMAC", "POLY1305", "SIPHASH", [...] are also accepted. This usage is, as mentioned above, discouraged in favor of the EVP_MAC(3) API.
The EVP_MAC API is new in openssl 3.0. This new API does not seem to use the EVP_PKEY structure; instead the key is passed as void* or char* to the relevant functions.
- Status changed from New to Code review
- Assignee set to Varun Patil
- Target version set to 0.9.0
- % Done changed from 0 to 100
- Status changed from Code review to Closed
Also available in: Atom
PDF
Updated by