Only use the legacy route to decode a public key if we have to

We should use a provider to decode a SubjectPublicKeyInfo structure if we can. We should only use the legacy route if we are forcing legacy, or if an ENGINE is in use. Fixes #15393 Fixes #15327 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15504)
2025-01-18 13:44:20 +08:00 · 2021-05-27 16:48:37 +01:00 · 2021-05-27 16:48:37 +01:00 · 29bf83c889
commit 29bf83c889
parent f8da1d8005
1 changed files with 19 additions and 2 deletions
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@ -17,6 +17,7 @@
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#include <openssl/engine.h>
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
 #include "crypto/x509.h"
@ -362,14 +363,30 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 */
 static int x509_pubkey_decode(EVP_PKEY **ppkey, const X509_PUBKEY *key)
 {
-    EVP_PKEY *pkey = EVP_PKEY_new();
+    EVP_PKEY *pkey;
+    int nid;

+    nid = OBJ_obj2nid(key->algor->algorithm);
+    if (!key->flag_force_legacy) {
+#ifndef OPENSSL_NO_ENGINE
+        ENGINE *e = NULL;
+
+        e = ENGINE_get_pkey_meth_engine(nid);
+        if (e == NULL)
+            return 0;
+        ENGINE_finish(e);
+#else
+        return 0;
+#endif
+    }
+
+    pkey = EVP_PKEY_new();
    if (pkey == NULL) {
        ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
        return -1;
    }

-    if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(key->algor->algorithm))) {
+    if (!EVP_PKEY_set_type(pkey, nid)) {
        ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM);
        goto error;
    }