Use the new OpenSSL 3.* API for managing EVP_PKEY

The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Signed-off-by: Jakub Jelen <[email protected]>

Author: Jakuje

openssl-sys/src/core_dispatch.rs

@@ -0,0 +1,11 @@
+use super::*;
+use libc::*;
+
+/* OpenSSL 3.* only */
+
+pub const OSSL_KEYMGMT_SELECT_PRIVATE_KEY: c_int = 0x01;
+pub const OSSL_KEYMGMT_SELECT_PUBLIC_KEY: c_int = 0x02;
+pub const OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS: c_int = 0x04;
+pub const OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS: c_int = 0x80;
+pub const OSSL_KEYMGMT_SELECT_ALL_PARAMETERS: c_int =
+    OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;

openssl-sys/src/evp.rs

@@ -38,6 +38,15 @@ pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9;
 pub const EVP_CTRL_GCM_GET_TAG: c_int = 0x10;
 pub const EVP_CTRL_GCM_SET_TAG: c_int = 0x11;
 
+#[cfg(ossl300)]
+pub const EVP_PKEY_KEY_PARAMETERS: c_int = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
+#[cfg(ossl300)]
+pub const EVP_PKEY_PRIVATE_KEY: c_int = EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+#[cfg(ossl300)]
+pub const EVP_PKEY_PUBLIC_KEY: c_int = EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+#[cfg(ossl300)]
+pub const EVP_PKEY_KEYPAIR: c_int = EVP_PKEY_PUBLIC_KEY | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+
 pub unsafe fn EVP_get_digestbynid(type_: c_int) -> *const EVP_MD {
     EVP_get_digestbyname(OBJ_nid2sn(type_))
 }

openssl-sys/src/handwritten/evp.rs

@@ -489,6 +489,27 @@ extern "C" {
     #[cfg(any(ossl110, libressl270))]
     pub fn EVP_PKEY_up_ref(pkey: *mut EVP_PKEY) -> c_int;
 
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_fromdata_init(ctx: *mut EVP_PKEY_CTX) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_fromdata(
+        ctx: *mut EVP_PKEY_CTX,
+        ppkey: *mut *mut EVP_PKEY,
+        selection: c_int,
+        param: *mut OSSL_PARAM,
+    ) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_todata(
+        ppkey: *const EVP_PKEY,
+        selection: c_int,
+        param: *mut *mut OSSL_PARAM,
+    ) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_generate(ctx: *mut EVP_PKEY_CTX, k: *mut *mut EVP_PKEY) -> c_int;
+
     pub fn d2i_AutoPrivateKey(
         a: *mut *mut EVP_PKEY,
         pp: *mut *const c_uchar,
@@ -535,6 +556,12 @@ extern "C" {
 
     pub fn EVP_PKEY_CTX_new(k: *mut EVP_PKEY, e: *mut ENGINE) -> *mut EVP_PKEY_CTX;
     pub fn EVP_PKEY_CTX_new_id(id: c_int, e: *mut ENGINE) -> *mut EVP_PKEY_CTX;
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_CTX_new_from_name(
+        libctx: *mut OSSL_LIB_CTX,
+        name: *const c_char,
+        propquery: *const c_char,
+    ) -> *mut EVP_PKEY_CTX;
     pub fn EVP_PKEY_CTX_free(ctx: *mut EVP_PKEY_CTX);
 
     pub fn EVP_PKEY_CTX_ctrl(

openssl-sys/src/lib.rs

@@ -42,6 +42,8 @@ mod openssl {
     pub use self::bio::*;
     pub use self::bn::*;
     pub use self::cms::*;
+    #[cfg(ossl300)]
+    pub use self::core_dispatch::*;
     pub use self::crypto::*;
     pub use self::dtls1::*;
     pub use self::ec::*;
@@ -72,6 +74,8 @@ mod openssl {
     mod bio;
     mod bn;
     mod cms;
+    #[cfg(ossl300)]
+    mod core_dispatch;
     mod crypto;
     mod dtls1;
     mod ec;

openssl/src/lib.rs

@@ -186,6 +186,8 @@ pub mod pkcs7;
 pub mod pkey;
 pub mod pkey_ctx;
 #[cfg(ossl300)]
+pub mod pkey_rsa;
+#[cfg(ossl300)]
 pub mod provider;
 pub mod rand;
 pub mod rsa;

openssl/src/pkey_ctx.rs

@@ -67,6 +67,8 @@ let cmac_key = ctx.keygen().unwrap();
 #[cfg(not(boringssl))]
 use crate::cipher::CipherRef;
 use crate::error::ErrorStack;
+#[cfg(ossl300)]
+use crate::lib_ctx::LibCtxRef;
 use crate::md::MdRef;
 use crate::pkey::{HasPrivate, HasPublic, Id, PKey, PKeyRef, Private};
 use crate::rsa::Padding;
@@ -81,6 +83,8 @@ use openssl_macros::corresponds;
 use std::convert::TryFrom;
 #[cfg(ossl320)]
 use std::ffi::CStr;
+#[cfg(ossl300)]
+use std::ffi::CString;
 use std::ptr;
 
 /// HKDF modes of operation.
@@ -156,6 +160,26 @@ impl PkeyCtx<()> {
             Ok(PkeyCtx::from_ptr(ptr))
         }
     }
+
+    /// Creates a new pkey context from the algorithm name.
+    #[corresponds(EVP_PKEY_CTX_new_from_name)]
+    #[cfg(ossl300)]
+    pub fn new_from_name(
+        libctx: Option<&LibCtxRef>,
+        name: &str,
+        propquery: Option<&str>,
+    ) -> Result<Self, ErrorStack> {
+        unsafe {
+            let propquery = propquery.map(|s| CString::new(s).unwrap());
+            let name = CString::new(name).unwrap();
+            let ptr = cvt_p(ffi::EVP_PKEY_CTX_new_from_name(
+                libctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr),
+                name.as_ptr(),
+                propquery.map_or(ptr::null_mut(), |s| s.as_ptr()),
+            ))?;
+            Ok(PkeyCtx::from_ptr(ptr))
+        }
+    }
 }
 
 impl<T> PkeyCtxRef<T>
@@ -756,6 +780,20 @@ impl<T> PkeyCtxRef<T> {
         Ok(())
     }
 
+    /// Generates a new public/private keypair.
+    ///
+    /// New OpenSSL 3.0 function, that should do the same thing as keygen()
+    #[corresponds(EVP_PKEY_generate)]
+    #[cfg(ossl300)]
+    #[inline]
+    pub fn generate(&mut self) -> Result<PKey<Private>, ErrorStack> {
+        unsafe {
+            let mut key = ptr::null_mut();
+            cvt(ffi::EVP_PKEY_generate(self.as_ptr(), &mut key))?;
+            Ok(PKey::from_ptr(key))
+        }
+    }
+
     /// Gets the nonce type for a private key context.
     ///
     /// The nonce for DSA and ECDSA can be either random (the default) or deterministic (as defined by RFC 6979).
@@ -780,6 +818,14 @@ impl<T> PkeyCtxRef<T> {
         }
         Ok(NonceType(nonce_type))
     }
+
+    /// Initializes a conversion from `OsslParam` to `PKey` on given `PkeyCtx`.
+    #[corresponds(EVP_PKEY_fromdata_init)]
+    #[cfg(ossl300)]
+    pub fn fromdata_init(&mut self) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::EVP_PKEY_fromdata_init(self.as_ptr()))? };
+        Ok(())
+    }
 }
 
 #[cfg(test)]
@@ -1107,4 +1153,14 @@ mxJ7imIrEg9nIQ==
         assert_eq!(output, expected_output);
         assert!(ErrorStack::get().errors().is_empty());
     }
+
+    #[test]
+    #[cfg(ossl300)]
+    fn test_pkeyctx_from_name() {
+        let lib_ctx = crate::lib_ctx::LibCtx::new().unwrap();
+        let _: PkeyCtx<()> = PkeyCtx::new_from_name(Some(lib_ctx.as_ref()), "RSA", None).unwrap();
+
+        /* no libctx is ok */
+        let _: PkeyCtx<()> = PkeyCtx::new_from_name(None, "RSA", None).unwrap();
+    }
 }