New OpenSSL 3.* API for managing EVP_PKEY objects

Jakuje · Jakuje · commit a7d173940ad1 · 2025-02-27T17:20:34.000+01:00
The OpenSSL 3.* users now do not have a way to use non-deprecated API by using this rust bindings, which is not sustainable in the long term as either distributions will stop building with the deprecated API or it will be eventually removed. This is now mostly PoC on using RSA and ECDSA keys using the new API in tests. It does not expose all possible API that are available as I did not have a good way to test the unused API yet. I do not know if this API is available in some other *SSL libraries right now so for now all of the additions are marked with #[cfg(ossl300)]. This is partially based on sfackler#2051 which was abandoned. Fixes: sfackler#2047
diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs
@@ -53,6 +53,7 @@ const INCLUDES: &str = "
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x30000000
+#include <openssl/param_build.h>
 #include <openssl/provider.h>
 #endif
 
diff --git a/openssl-sys/src/core_dispatch.rs b/openssl-sys/src/core_dispatch.rs
@@ -0,0 +1,11 @@
+use super::*;
+use libc::*;
+
+/* OpenSSL 3.* only */
+
+pub const OSSL_KEYMGMT_SELECT_PRIVATE_KEY: c_int = 0x01;
+pub const OSSL_KEYMGMT_SELECT_PUBLIC_KEY: c_int = 0x02;
+pub const OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS: c_int = 0x04;
+pub const OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS: c_int = 0x80;
+pub const OSSL_KEYMGMT_SELECT_ALL_PARAMETERS: c_int =
+    OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs
@@ -38,6 +38,15 @@ pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9;
 pub const EVP_CTRL_GCM_GET_TAG: c_int = 0x10;
 pub const EVP_CTRL_GCM_SET_TAG: c_int = 0x11;
 
+#[cfg(ossl300)]
+pub const EVP_PKEY_KEY_PARAMETERS: c_int = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
+#[cfg(ossl300)]
+pub const EVP_PKEY_PRIVATE_KEY: c_int = EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+#[cfg(ossl300)]
+pub const EVP_PKEY_PUBLIC_KEY: c_int = EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+#[cfg(ossl300)]
+pub const EVP_PKEY_KEYPAIR: c_int = EVP_PKEY_PUBLIC_KEY | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+
 pub unsafe fn EVP_get_digestbynid(type_: c_int) -> *const EVP_MD {
     EVP_get_digestbyname(OBJ_nid2sn(type_))
 }
diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs
@@ -489,6 +489,31 @@ extern "C" {
     #[cfg(any(ossl110, libressl270))]
     pub fn EVP_PKEY_up_ref(pkey: *mut EVP_PKEY) -> c_int;
 
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_fromdata_init(ctx: *mut EVP_PKEY_CTX) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_fromdata(
+        ctx: *mut EVP_PKEY_CTX,
+        ppkey: *mut *mut EVP_PKEY,
+        selection: c_int,
+        param: *mut OSSL_PARAM,
+    ) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_todata(
+        ppkey: *const EVP_PKEY,
+        selection: c_int,
+        param: *mut *mut OSSL_PARAM,
+    ) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_set_bn_param(
+        k: *mut EVP_PKEY,
+        key_name: *const c_char,
+        bn: *const BIGNUM,
+    ) -> c_int;
+
     pub fn d2i_AutoPrivateKey(
         a: *mut *mut EVP_PKEY,
         pp: *mut *const c_uchar,
@@ -535,6 +560,12 @@ extern "C" {
 
     pub fn EVP_PKEY_CTX_new(k: *mut EVP_PKEY, e: *mut ENGINE) -> *mut EVP_PKEY_CTX;
     pub fn EVP_PKEY_CTX_new_id(id: c_int, e: *mut ENGINE) -> *mut EVP_PKEY_CTX;
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_CTX_new_from_name(
+        libctx: *mut OSSL_LIB_CTX,
+        name: *const c_char,
+        propquery: *const c_char,
+    ) -> *mut EVP_PKEY_CTX;
     pub fn EVP_PKEY_CTX_free(ctx: *mut EVP_PKEY_CTX);
 
     pub fn EVP_PKEY_CTX_ctrl(
diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs
@@ -15,6 +15,9 @@ pub use self::hmac::*;
 pub use self::kdf::*;
 pub use self::object::*;
 pub use self::ocsp::*;
+#[cfg(ossl300)]
+pub use self::param_build::*;
+#[cfg(ossl300)]
 pub use self::params::*;
 pub use self::pem::*;
 pub use self::pkcs12::*;
@@ -54,6 +57,9 @@ mod hmac;
 mod kdf;
 mod object;
 mod ocsp;
+#[cfg(ossl300)]
+mod param_build;
+#[cfg(ossl300)]
 mod params;
 mod pem;
 mod pkcs12;
diff --git a/openssl-sys/src/handwritten/param_build.rs b/openssl-sys/src/handwritten/param_build.rs
@@ -0,0 +1,27 @@
+use super::super::*;
+use libc::*;
+
+/* OpenSSL 3.* only */
+
+extern "C" {
+    pub fn OSSL_PARAM_BLD_new() -> *mut OSSL_PARAM_BLD;
+    pub fn OSSL_PARAM_BLD_free(bld: *mut OSSL_PARAM_BLD);
+    pub fn OSSL_PARAM_BLD_push_BN(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        bn: *const BIGNUM,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_push_utf8_string(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        buf: *const c_char,
+        bsize: usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_push_octet_string(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        buf: *const c_void,
+        bsize: usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_to_param(bld: *mut OSSL_PARAM_BLD) -> *mut OSSL_PARAM;
+}
diff --git a/openssl-sys/src/handwritten/params.rs b/openssl-sys/src/handwritten/params.rs
@@ -2,15 +2,32 @@ use super::super::*;
 use libc::*;
 
 extern "C" {
-    #[cfg(ossl300)]
+    pub fn OSSL_PARAM_free(p: *mut OSSL_PARAM);
     pub fn OSSL_PARAM_construct_uint(key: *const c_char, buf: *mut c_uint) -> OSSL_PARAM;
-    #[cfg(ossl300)]
     pub fn OSSL_PARAM_construct_end() -> OSSL_PARAM;
-    #[cfg(ossl300)]
     pub fn OSSL_PARAM_construct_octet_string(
         key: *const c_char,
         buf: *mut c_void,
         bsize: size_t,
     ) -> OSSL_PARAM;
 
+    pub fn OSSL_PARAM_locate(p: *mut OSSL_PARAM, key: *const c_char) -> *mut OSSL_PARAM;
+    pub fn OSSL_PARAM_get_BN(p: *const OSSL_PARAM, val: *mut *mut BIGNUM) -> c_int;
+    pub fn OSSL_PARAM_get_utf8_string(
+        p: *const OSSL_PARAM,
+        val: *mut *mut c_char,
+        max_len: usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_get_utf8_string_ptr(p: *const OSSL_PARAM, val: *mut *const c_char) -> c_int;
+    pub fn OSSL_PARAM_get_octet_string(
+        p: *const OSSL_PARAM,
+        val: *mut *mut c_void,
+        max_len: usize,
+        used_len: *mut usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_get_octet_string_ptr(
+        p: *const OSSL_PARAM,
+        val: *mut *const c_void,
+        used_len: *mut usize,
+    ) -> c_int;
 }
diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs
@@ -1140,6 +1140,9 @@ pub struct OSSL_PARAM {
     return_size: size_t,
 }
 
+#[cfg(ossl300)]
+pub enum OSSL_PARAM_BLD {}
+
 #[cfg(ossl300)]
 pub enum EVP_KDF {}
 #[cfg(ossl300)]
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
@@ -45,6 +45,8 @@ mod openssl {
     pub use self::bio::*;
     pub use self::bn::*;
     pub use self::cms::*;
+    #[cfg(ossl300)]
+    pub use self::core_dispatch::*;
     pub use self::crypto::*;
     pub use self::dtls1::*;
     pub use self::ec::*;
@@ -75,6 +77,8 @@ mod openssl {
     mod bio;
     mod bn;
     mod cms;
+    #[cfg(ossl300)]
+    mod core_dispatch;
     mod crypto;
     mod dtls1;
     mod ec;
diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs
@@ -177,6 +177,8 @@ pub mod memcmp;
 pub mod nid;
 #[cfg(not(osslconf = "OPENSSL_NO_OCSP"))]
 pub mod ocsp;
+#[cfg(ossl300)]
+pub mod ossl_param;
 pub mod pkcs12;
 pub mod pkcs5;
 #[cfg(not(boringssl))]
diff --git a/openssl/src/ossl_param.rs b/openssl/src/ossl_param.rs
diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs
diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs
diff --git a/systest/build.rs b/systest/build.rs

Original file line number	Diff line number	Diff line change
`@@ -1140,6 +1140,9 @@ pub struct OSSL_PARAM {`
`1140`	`1140`	`return_size: size_t,`
`1141`	`1141`	`}`
`1142`	`1142`
	`1143`	`+#[cfg(ossl300)]`
	`1144`	`+pub enum OSSL_PARAM_BLD {}`
	`1145`	`+`
`1143`	`1146`	`#[cfg(ossl300)]`
`1144`	`1147`	`pub enum EVP_KDF {}`
`1145`	`1148`	`#[cfg(ossl300)]`