Use the new OpenSSL 3.* API for managing EVP_PKEY

The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047

Author: Jakuje

openssl-sys/build/run_bindgen.rs

@@ -53,6 +53,7 @@ const INCLUDES: &str = "
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x30000000
+#include <openssl/param_build.h>
 #include <openssl/provider.h>
 #endif
 

openssl-sys/src/core_dispatch.rs

@@ -0,0 +1,11 @@
+use super::*;
+use libc::*;
+
+/* OpenSSL 3.* only */
+
+pub const OSSL_KEYMGMT_SELECT_PRIVATE_KEY: c_int = 0x01;
+pub const OSSL_KEYMGMT_SELECT_PUBLIC_KEY: c_int = 0x02;
+pub const OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS: c_int = 0x04;
+pub const OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS: c_int = 0x80;
+pub const OSSL_KEYMGMT_SELECT_ALL_PARAMETERS: c_int =
+    OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;

openssl-sys/src/evp.rs

@@ -38,6 +38,15 @@ pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9;
 pub const EVP_CTRL_GCM_GET_TAG: c_int = 0x10;
 pub const EVP_CTRL_GCM_SET_TAG: c_int = 0x11;
 
+#[cfg(ossl300)]
+pub const EVP_PKEY_KEY_PARAMETERS: c_int = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
+#[cfg(ossl300)]
+pub const EVP_PKEY_PRIVATE_KEY: c_int = EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+#[cfg(ossl300)]
+pub const EVP_PKEY_PUBLIC_KEY: c_int = EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+#[cfg(ossl300)]
+pub const EVP_PKEY_KEYPAIR: c_int = EVP_PKEY_PUBLIC_KEY | OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+
 pub unsafe fn EVP_get_digestbynid(type_: c_int) -> *const EVP_MD {
     EVP_get_digestbyname(OBJ_nid2sn(type_))
 }

openssl-sys/src/handwritten/evp.rs

@@ -489,6 +489,27 @@ extern "C" {
     #[cfg(any(ossl110, libressl270))]
     pub fn EVP_PKEY_up_ref(pkey: *mut EVP_PKEY) -> c_int;
 
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_fromdata_init(ctx: *mut EVP_PKEY_CTX) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_fromdata(
+        ctx: *mut EVP_PKEY_CTX,
+        ppkey: *mut *mut EVP_PKEY,
+        selection: c_int,
+        param: *mut OSSL_PARAM,
+    ) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_todata(
+        ppkey: *const EVP_PKEY,
+        selection: c_int,
+        param: *mut *mut OSSL_PARAM,
+    ) -> c_int;
+
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_generate(ctx: *mut EVP_PKEY_CTX, k: *mut *mut EVP_PKEY) -> c_int;
+
     pub fn d2i_AutoPrivateKey(
         a: *mut *mut EVP_PKEY,
         pp: *mut *const c_uchar,
@@ -535,6 +556,12 @@ extern "C" {
 
     pub fn EVP_PKEY_CTX_new(k: *mut EVP_PKEY, e: *mut ENGINE) -> *mut EVP_PKEY_CTX;
     pub fn EVP_PKEY_CTX_new_id(id: c_int, e: *mut ENGINE) -> *mut EVP_PKEY_CTX;
+    #[cfg(ossl300)]
+    pub fn EVP_PKEY_CTX_new_from_name(
+        libctx: *mut OSSL_LIB_CTX,
+        name: *const c_char,
+        propquery: *const c_char,
+    ) -> *mut EVP_PKEY_CTX;
     pub fn EVP_PKEY_CTX_free(ctx: *mut EVP_PKEY_CTX);
 
     pub fn EVP_PKEY_CTX_ctrl(

openssl-sys/src/handwritten/mod.rs

@@ -15,6 +15,9 @@ pub use self::hmac::*;
 pub use self::kdf::*;
 pub use self::object::*;
 pub use self::ocsp::*;
+#[cfg(ossl300)]
+pub use self::param_build::*;
+#[cfg(ossl300)]
 pub use self::params::*;
 pub use self::pem::*;
 pub use self::pkcs12::*;
@@ -54,6 +57,9 @@ mod hmac;
 mod kdf;
 mod object;
 mod ocsp;
+#[cfg(ossl300)]
+mod param_build;
+#[cfg(ossl300)]
 mod params;
 mod pem;
 mod pkcs12;

openssl-sys/src/handwritten/param_build.rs

@@ -0,0 +1,32 @@
+use super::super::*;
+use libc::*;
+
+/* OpenSSL 3.* only */
+
+extern "C" {
+    pub fn OSSL_PARAM_BLD_new() -> *mut OSSL_PARAM_BLD;
+    pub fn OSSL_PARAM_BLD_free(bld: *mut OSSL_PARAM_BLD);
+    pub fn OSSL_PARAM_BLD_push_BN(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        bn: *const BIGNUM,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_push_utf8_string(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        buf: *const c_char,
+        bsize: usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_push_octet_string(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        buf: *const c_void,
+        bsize: usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_push_uint(
+        bld: *mut OSSL_PARAM_BLD,
+        key: *const c_char,
+        buf: c_uint,
+    ) -> c_int;
+    pub fn OSSL_PARAM_BLD_to_param(bld: *mut OSSL_PARAM_BLD) -> *mut OSSL_PARAM;
+}

openssl-sys/src/handwritten/params.rs

@@ -2,15 +2,32 @@ use super::super::*;
 use libc::*;
 
 extern "C" {
-    #[cfg(ossl300)]
+    pub fn OSSL_PARAM_free(p: *mut OSSL_PARAM);
     pub fn OSSL_PARAM_construct_uint(key: *const c_char, buf: *mut c_uint) -> OSSL_PARAM;
-    #[cfg(ossl300)]
     pub fn OSSL_PARAM_construct_end() -> OSSL_PARAM;
-    #[cfg(ossl300)]
     pub fn OSSL_PARAM_construct_octet_string(
         key: *const c_char,
         buf: *mut c_void,
         bsize: size_t,
     ) -> OSSL_PARAM;
 
+    pub fn OSSL_PARAM_locate(p: *mut OSSL_PARAM, key: *const c_char) -> *mut OSSL_PARAM;
+    pub fn OSSL_PARAM_get_BN(p: *const OSSL_PARAM, val: *mut *mut BIGNUM) -> c_int;
+    pub fn OSSL_PARAM_get_utf8_string(
+        p: *const OSSL_PARAM,
+        val: *mut *mut c_char,
+        max_len: usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_get_utf8_string_ptr(p: *const OSSL_PARAM, val: *mut *const c_char) -> c_int;
+    pub fn OSSL_PARAM_get_octet_string(
+        p: *const OSSL_PARAM,
+        val: *mut *mut c_void,
+        max_len: usize,
+        used_len: *mut usize,
+    ) -> c_int;
+    pub fn OSSL_PARAM_get_octet_string_ptr(
+        p: *const OSSL_PARAM,
+        val: *mut *const c_void,
+        used_len: *mut usize,
+    ) -> c_int;
 }

openssl-sys/src/handwritten/types.rs

@@ -1140,6 +1140,9 @@ pub struct OSSL_PARAM {
     return_size: size_t,
 }
 
+#[cfg(ossl300)]
+pub enum OSSL_PARAM_BLD {}
+
 #[cfg(ossl300)]
 pub enum EVP_KDF {}
 #[cfg(ossl300)]

openssl-sys/src/lib.rs

@@ -42,6 +42,8 @@ mod openssl {
     pub use self::bio::*;
     pub use self::bn::*;
     pub use self::cms::*;
+    #[cfg(ossl300)]
+    pub use self::core_dispatch::*;
     pub use self::crypto::*;
     pub use self::dtls1::*;
     pub use self::ec::*;
@@ -72,6 +74,8 @@ mod openssl {
     mod bio;
     mod bn;
     mod cms;
+    #[cfg(ossl300)]
+    mod core_dispatch;
     mod crypto;
     mod dtls1;
     mod ec;

openssl/src/lib.rs

@@ -182,6 +182,8 @@ pub mod pkcs5;
 #[cfg(not(boringssl))]
 pub mod pkcs7;
 pub mod pkey;
+#[cfg(ossl300)]
+pub mod pkey_rsa;
 pub mod pkey_ctx;
 #[cfg(ossl300)]
 pub mod provider;

openssl/src/pkey_ctx.rs

@@ -67,7 +67,10 @@ let cmac_key = ctx.keygen().unwrap();
 #[cfg(not(boringssl))]
 use crate::cipher::CipherRef;
 use crate::error::ErrorStack;
+#[cfg(ossl300)]
+use crate::lib_ctx::LibCtxRef;
 use crate::md::MdRef;
+#[cfg(ossl300)]
 use crate::pkey::{HasPrivate, HasPublic, Id, PKey, PKeyRef, Private};
 use crate::rsa::Padding;
 use crate::sign::RsaPssSaltlen;
@@ -81,6 +84,8 @@ use openssl_macros::corresponds;
 use std::convert::TryFrom;
 #[cfg(ossl320)]
 use std::ffi::CStr;
+#[cfg(ossl300)]
+use std::ffi::CString;
 use std::ptr;
 
 /// HKDF modes of operation.
@@ -156,6 +161,26 @@ impl PkeyCtx<()> {
             Ok(PkeyCtx::from_ptr(ptr))
         }
     }
+
+    /// Creates a new pkey context from the algorithm name.
+    #[corresponds(EVP_PKEY_CTX_new_from_name)]
+    #[cfg(ossl300)]
+    pub fn new_from_name(
+        libctx: Option<&LibCtxRef>,
+        name: &str,
+        propquery: Option<&str>,
+    ) -> Result<Self, ErrorStack> {
+        unsafe {
+            let propquery = propquery.map(|s| CString::new(s).unwrap());
+            let name = CString::new(name).unwrap();
+            let ptr = cvt_p(ffi::EVP_PKEY_CTX_new_from_name(
+                libctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr),
+                name.as_ptr(),
+                propquery.map_or(ptr::null_mut(), |s| s.as_ptr()),
+            ))?;
+            Ok(PkeyCtx::from_ptr(ptr))
+        }
+    }
 }
 
 impl<T> PkeyCtxRef<T>
@@ -756,6 +781,20 @@ impl<T> PkeyCtxRef<T> {
         Ok(())
     }
 
+    /// Generates a new public/private keypair.
+    ///
+    /// New OpenSSL 3.0 function, that should do the same thing as keygen()
+    #[corresponds(EVP_PKEY_generate)]
+    #[cfg(ossl300)]
+    #[inline]
+    pub fn generate(&mut self) -> Result<PKey<Private>, ErrorStack> {
+        unsafe {
+            let mut key = ptr::null_mut();
+            cvt(ffi::EVP_PKEY_generate(self.as_ptr(), &mut key))?;
+            Ok(PKey::from_ptr(key))
+        }
+    }
+
     /// Gets the nonce type for a private key context.
     ///
     /// The nonce for DSA and ECDSA can be either random (the default) or deterministic (as defined by RFC 6979).
@@ -780,6 +819,14 @@ impl<T> PkeyCtxRef<T> {
         }
         Ok(NonceType(nonce_type))
     }
+
+    /// Initializes a conversion from `OsllParam` to `PKey` on given `PkeyCtx`.
+    #[corresponds(EVP_PKEY_fromdata_init)]
+    #[cfg(ossl300)]
+    pub fn fromdata_init(&mut self) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::EVP_PKEY_fromdata_init(self.as_ptr()))? };
+        Ok(())
+    }
 }
 
 #[cfg(test)]
@@ -1107,4 +1154,14 @@ mxJ7imIrEg9nIQ==
         assert_eq!(output, expected_output);
         assert!(ErrorStack::get().errors().is_empty());
     }
+
+    #[test]
+    #[cfg(ossl300)]
+    fn test_pkeyctx_from_name() {
+        let lib_ctx = crate::lib_ctx::LibCtx::new().unwrap();
+        let _: PkeyCtx<()> = PkeyCtx::new_from_name(Some(lib_ctx.as_ref()), "RSA", None).unwrap();
+
+        /* no libctx is ok */
+        let _: PkeyCtx<()> = PkeyCtx::new_from_name(None, "RSA", None).unwrap();
+    }
 }