authorRichard Levitte <levitte@openssl.org>2020-08-05 10:28:51 +0200
committerRichard Levitte <levitte@openssl.org>2020-09-03 17:48:32 +0200
commita10847c427744fb7e7d29953dee130a52251c027 (patch)
treea009c19372810a87154460cbbebe6e106dcf88c4 /crypto/pkcs7
parentb5275648843ace1a441521823913ccbbebb8769c (diff)
"Downgrade" provider-native keys to legacy where needed
Some sub-systems and openssl sub-commands do not yet deal cleanly with purely provider-native EVP_PKEYs. We compensate for that by "downgrading" keys in select places, or by ensuring that the 'file:' scheme ENGINE loader is activated. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12587)
Diffstat (limited to 'crypto/pkcs7')
-rw-r--r--crypto/pkcs7/pk7_lib.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 797d1d2c25..d891ca22e8 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -319,6 +319,17 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
goto err;
+ /*
+ * TODO(3.0) Adapt for provider-native keys
+ * Meanwhile, we downgrade the key.
+ * #legacy
+ */
+ if (!evp_pkey_downgrade(pkey)) {
+ PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET,
+ PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+ goto err;
+ }
+
/* lets keep the pkey around for a while */
EVP_PKEY_up_ref(pkey);
p7i->pkey = pkey;
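Review bot: The added `evp_pkey_downgrade(pkey)` call operates on the caller's `EVP_PKEY` itself, not on a copy. Its definition is not visible here, but if it converts the key in place, as its name and its success/failure return suggest, every other holder of that key sees it become legacy as a side effect of `PKCS7_SIGNER_INFO_set()`. That matters for keys shared across threads or reused afterwards for provider-native operations. The TODO block should say so explicitly, for example `* NOTE: this modifies the caller's pkey in place; it remains a legacy key after this call returns.` Separately, any downgrade failure is reported as `PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE`, which would presumably also cover causes that are not about key type, such as allocation failure, so a short comment on why that reason code was chosen would help diagnosis. The function begins and ends outside this hunk, so how the `err` path treats the partially populated `p7i` cannot be checked from here.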