OpenSSL 3 compatibility #3504

Closed
andy9a9 opened this issue Jan 27, 2022 · 10 comments

@andy9a9

andy9a9 commented Jan 27, 2022

I was trying to compile the application with OpenSSL 3 crypto libs, but it looks like it's not compatible.

PKCS12Container::PKCS12Container(std::istream& istr, const std::string& password): _pKey(0)
{
	std::ostringstream ostr;
	Poco::StreamCopier::copyStream(istr, ostr);
	const std::string& cont = ostr.str();

	BIO *pBIO = BIO_new_mem_buf(const_cast<char*>(cont.data()), static_cast<int>(cont.size()));
	if (pBIO)
	{
		PKCS12* pPKCS12 = 0;
		d2i_PKCS12_bio(pBIO, &pPKCS12);
		BIO_free(pBIO);
		if (!pPKCS12) throw OpenSSLException("PKCS12Container(istream&, const string&)");
--->		load(pPKCS12, password);
	}
	else
	{
<---		throw Poco::NullPointerException("PKCS12Container(istream&, const string&)");
	}
}
		
void PKCS12Container::load(PKCS12* pPKCS12, const std::string& password)
{
	if (pPKCS12)
	{
		X509* pCert = 0;
		STACK_OF(X509)* pCA = 0;
--->		if (PKCS12_parse(pPKCS12, password.c_str(), &_pKey, &pCert, &pCA))
		{
		...
		}
		else
		{
			PKCS12_free(pPKCS12);
<---			throw OpenSSLException();
		}

Unable to parse PKCS#12 container: "error:0308010C:digital envelope routines::unsupported"

Would it be possible to make it compatible also with OpenSSL 3?

@andy9a9
Author

andy9a9 commented Feb 10, 2022

I made the tests based on the poco-1.11.2 branch, but still no success:

 'Unable to parse PKCS#12 container: error:12800067:DSO '

 'Unable to parse PKCS#12 container: error:078C0105:common libcrypto routines::init fail'

@andy9a9
Author

andy9a9 commented Mar 11, 2022

@obiltschnig wouldn't it be possible to use the legacy provider for now?

@aleks-f
Member

aleks-f commented Mar 31, 2022

3fb001f

@aleks-f aleks-f closed this as completed Mar 31, 2022
@andy9a9
Author

andy9a9 commented Apr 1, 2022

I tried it with the latest version from the testing branch, but the errors are still there.

@obiltschnig
Member

@andy9a9 Can you verify that you have the OpenSSL legacy provider available in your version of OpenSSL 3?
It should be a file named legacy.so. You could also try to set environment variable OPENSSL_MODULES.
See https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_load.html for more information.

@andy9a9
Author

andy9a9 commented Apr 2, 2022

@obiltschnig I verified that /usr/lib/ossl-modules/legacy.so is part of the rootfs. I guess that it has to be loaded automatically via OSSL_PROVIDER_load(NULL, "legacy"), so touching OPENSSL_MODULES is not necessary.

I double-checked it; the first error "error:0308010C:digital envelope routines::unsupported" is gone, so the legacy provider was loaded correctly.

But it looks like there is a certificate problem. I'm expecting the ecdsa-with-SHA256 algorithm, but it's returning ecdsa-with-SHA384. Same for serial number, subject, ... Couldn't the verification chain somehow be mixed up? Strange...
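The three error strings quoted in this thread (`error:0308010C:...`, `error:12800067:DSO`, `error:078C0105:...`) can be decoded from the hex code alone, which is useful when only the code survives in a log. The decoder below is an added example, not Poco or OpenSSL code: it applies the ERR_PACK bit layout of OpenSSL 3's `<openssl/err.h>` (library number in bits 23..30, reason in bits 0..22 with FATAL/COMMON flags in bits 18..19); the `ERR_LIB_*` and `ERR_R_*` numbers are a subset copied from that header, and the hints returned by `suggest()` are assumptions based on the diagnosis in this thread (legacy provider for "unsupported", module path for DSO load failures).

```python
"""Decode OpenSSL 3 error strings of the form
error:<8 hex digits>:<lib name>:<function name>:<reason text>.
OpenSSL 3 leaves the function name empty, which is why the messages in this
thread contain "::". The hex code is ERR_PACK(lib, reason)."""
import re
from dataclasses import dataclass

# Bit layout from OpenSSL 3 <openssl/err.h>.
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET
REASON_CODE_MASK = (1 << ERR_RFLAGS_OFFSET) - 1

# Subset of ERR_LIB_* numbers relevant to provider problems.
ERR_LIB_EVP, ERR_LIB_CRYPTO, ERR_LIB_PKCS12, ERR_LIB_DSO, ERR_LIB_PROV = 6, 15, 35, 37, 57
LIB_NAMES = {ERR_LIB_EVP: "EVP", ERR_LIB_CRYPTO: "CRYPTO", ERR_LIB_PKCS12: "PKCS12",
             ERR_LIB_DSO: "DSO", ERR_LIB_PROV: "PROV"}
# Reason codes shared by all libraries (ERR_R_*), without their flag bits.
ERR_R_INIT_FAIL, ERR_R_UNSUPPORTED, ERR_R_FETCH_FAILED = 261, 268, 269
COMMON_REASONS = {ERR_R_INIT_FAIL: "init fail", ERR_R_UNSUPPORTED: "unsupported",
                  ERR_R_FETCH_FAILED: "fetch failed"}

# Tolerates truncated strings (as in this thread) and surrounding quotes.
_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8})(?::([^:'\"\n]*))?(?::([^:'\"\n]*))?(?::([^'\"\n]*))?")


@dataclass(frozen=True)
class OpenSSLError:
    code: int
    lib: int
    lib_name: str
    reason: int
    fatal: bool
    common: bool
    reason_text: str


def decode_error(text: str) -> OpenSSLError:
    """Find the first OpenSSL error in a log line and unpack its code."""
    m = _ERR_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL error code in: {text!r}")
    code = int(m.group(1), 16)
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    packed = code & ERR_REASON_MASK          # reason code plus the two flag bits
    reason = packed & REASON_CODE_MASK
    common = bool(packed & ERR_RFLAG_COMMON)
    fatal = bool(packed & ERR_RFLAG_FATAL)
    # Prefer the human-readable names from the string; fall back to the tables.
    lib_name = (m.group(2) or "").strip() or LIB_NAMES.get(lib, f"lib {lib}")
    reason_text = (m.group(4) or "").strip()
    if not reason_text and common:
        reason_text = COMMON_REASONS.get(reason, "")
    return OpenSSLError(code, lib, lib_name, reason, fatal, common, reason_text)


def suggest(err: OpenSSLError) -> str:
    """Next diagnostic step for the error classes seen in this thread (assumed hints)."""
    if err.common and err.reason == ERR_R_UNSUPPORTED and err.lib in (ERR_LIB_EVP, ERR_LIB_PKCS12):
        return ("algorithm not offered by any loaded provider; PKCS#12 files built with "
                "pre-OpenSSL-3 defaults need the legacy provider "
                "(OSSL_PROVIDER_load(NULL, \"legacy\") or 'openssl pkcs12 -legacy')")
    if err.lib == ERR_LIB_DSO:
        return ("a provider module could not be loaded; check that legacy.so is in the "
                "directory printed by 'openssl version -m' or the one set in OPENSSL_MODULES")
    if err.lib == ERR_LIB_CRYPTO and err.reason == ERR_R_INIT_FAIL:
        return "libcrypto initialisation failed; look for a DSO load error reported with it"
    return f"{err.lib_name}: {err.reason_text or 'reason ' + str(err.reason)} (no provider hint)"


if __name__ == "__main__":
    # The three messages quoted in this issue.
    for line in ("error:0308010C:digital envelope routines::unsupported",
                 "error:12800067:DSO ",
                 "error:078C0105:common libcrypto routines::init fail"):
        e = decode_error(line)
        print(f"{e.code:08X} lib={e.lib} ({e.lib_name}) reason={e.reason} "
              f"fatal={e.fatal} common={e.common}: {suggest(e)}")
```

Run it as a script to see the three codes decoded; the DSO error in particular tells you the failure is at module-loading level (a `legacy.so` that cannot be found or loaded) rather than an unsupported algorithm, which is the distinction obiltschnig's question about `OPENSSL_MODULES` is getting at.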

@aleks-f
Member

aleks-f commented Apr 2, 2022

@andy9a9 I’m having trouble following what exactly is going on here. It was my understanding that this issue was fixed by pull #3448

If that is not the case, please send a test case pull (or make a gist) exhibiting the problem.

@andy9a9
Author

andy9a9 commented Apr 5, 2022

Fine, there was an "error": the certificates are now in reverse order.

+ #include <Poco/Version.h>
+ #if POCO_VERSION >= 0x010B0200L
+		// The P12 container returns the certificates in order root -> inter -> cert
+		// but we need cert -> inter -> root
+		// so let's reverse it
+		std::reverse(certs.begin(), certs.end());
+ #endif

so this issue is solved.

I've found another one in a different component when gtest is going to close.

Program received signal SIGSEGV, Segmentation fault.
#0  0x0000fffff71157c8 in pthread_rwlock_rdlock () from target:/lib/libc.so.6
#1  0x0000fffff76e41c0 in CRYPTO_THREAD_read_lock (lock=<optimized out>)
    at ../openssl-3.0.2/crypto/threads_pthread.c:85
#2  0x0000fffff76d34a0 in ossl_lib_ctx_get_data (
    ctx=0xfffff79145f0 <default_context_int>, index=index@entry=1, 
    meth=meth@entry=0xfffff78cf5c0 <provider_store_method>)
    at ../openssl-3.0.2/crypto/context.c:361
#3  0x0000fffff76e1114 in get_provider_store (libctx=<optimized out>)
    at ../openssl-3.0.2/crypto/provider_core.c:334
#4  provider_deactivate (prov=prov@entry=0xaaaaab94c8c0, 
    upcalls=upcalls@entry=1, removechildren=1)
    at ../openssl-3.0.2/crypto/provider_core.c:1035
#5  0x0000fffff76e1c5c in ossl_provider_deactivate (prov=0xaaaaab94c8c0, 
    removechildren=<optimized out>)
    at ../openssl-3.0.2/crypto/provider_core.c:1191
#6  0x0000fffff76df21c in OSSL_PROVIDER_unload (prov=0xaaaaab94c8c0)
    at ../openssl-3.0.2/crypto/provider.c:62
#7  0x0000fffff7e69260 in Poco::Crypto::OpenSSLInitializer::uninitialize() ()
   from target:/usr/lib/libPocoCrypto.so.82
#8  0x0000fffff7ec4c44 in Poco::Net::Context::~Context (this=0xaaaaaba008c0, 
    __in_chrg=<optimized out>)
    at NetSSL_OpenSSL/src/Context.cpp:111
#9  0x0000fffff7ec4d08 in Poco::Net::Context::~Context (this=0xaaaaaba008c0, 
    __in_chrg=<optimized out>) at NetSSL_OpenSSL/src/Context.cpp:106
#10 0x0000fffff7ed34bc in Poco::RefCountedObject::release (this=0xaaaaaba008c0) at Foundation/include/Poco/RefCountedObject.h:82
#11 Poco::RefCountedObject::release (this=0xaaaaaba008c0) at Foundation/include/Poco/RefCountedObject.h:78
#12 Poco::AutoPtr<Poco::Net::Context>::assign (ptr=0x0, this=0xaaaaab9340a0) at Foundation/include/Poco/AutoPtr.h:103
#13 Poco::AutoPtr<Poco::Net::Context>::operator= (ptr=0x0, this=0xaaaaab9340a0) at Foundation/include/Poco/AutoPtr.h:175
#14 Poco::Net::SSLManager::shutdown (this=this@entry=0xaaaaab933eb0) at NetSSL_OpenSSL/src/SSLManager.cpp:104
#15 0x0000fffff7ed38c4 in Poco::Net::SSLManager::~SSLManager (this=0xaaaaab933eb0, __in_chrg=<optimized out>) at NetSSL_OpenSSL/src/SSLManager.cpp:89
#16 0x0000fffff7ed5fd4 in Poco::SingletonHolder<Poco::Net::SSLManager>::~SingletonHolder (this=0xfffff7efe068 <Poco::Net::(anonymous namespace)::singleton>, __in_chrg=<optimized out>) at Foundation/include/Poco/SingletonHolder.h:43
#17 0x0000fffff70d074c in __cxa_finalize () from target:/lib/libc.so.6
#18 0x0000fffff7ec34b4 in __do_global_dtors_aux () at Foundation/include/Poco/SingletonHolder.h:37
#19 0x0000fffff7fc84b8 in ?? () from target:/lib/ld-linux-aarch64.so.1
#20 0x0000fffff70d0178 in ?? () from target:/lib/libc.so.6
#21 0x0000fffff70d02a0 in exit () from target:/lib/libc.so.6
#22 0x0000fffff70bb234 in ?? () from target:/lib/libc.so.6
#23 0x0000fffff70bb30c in __libc_start_main () from target:/lib/libc.so.6
#24 0x0000aaaaaae8bc70 in _start () at ../sysdeps/aarch64/start.S:81
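The reversal fix earlier in this post relies on the order PKCS12_parse happens to return and gates it on POCO_VERSION. An order-independent alternative is to rebuild the chain leaf -> intermediates -> root from the issuer/subject links, so a library or version that returns the stack the other way round cannot silently hand the verifier the wrong certificate (the ecdsa-with-SHA384 surprise above). This is an added example, not Poco code, and it generalises beyond the two-way flip: `Cert` is a constructed stand-in carrying only the two fields the algorithm needs (with real X509 objects you would compare the issuer and subject names and verify signatures), and the sample chain is constructed.

```python
"""Order a certificate bundle leaf first, root last, by following issuer ->
subject links instead of trusting the positional order a parser returned."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs: Iterable[Cert]) -> List[Cert]:
    """Return the certificates ordered leaf -> intermediates -> highest CA.

    Raises ValueError unless the input is exactly one linear chain: duplicate
    subjects, more than one leaf candidate, an issuer cycle, or a certificate
    that is not on the leaf's path all count as errors rather than being
    silently dropped or reordered."""
    certs = list(certs)
    by_subject = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError(f"duplicate subject: {c.subject}")
        by_subject[c.subject] = c

    # Anything that issued another certificate in the bundle cannot be the leaf.
    issuers = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")

    chain = [leaves[0]]
    # Walk upwards until a self-signed root or until the issuer is not in the
    # bundle (PKCS#12 files frequently omit the root).
    while not chain[-1].self_signed:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            break
        if parent in chain:
            raise ValueError(f"issuer cycle at {parent.subject}")
        chain.append(parent)

    if len(chain) != len(certs):
        stray = [c.subject for c in certs if c not in chain]
        raise ValueError(f"certificates not on the leaf's chain: {stray}")
    return chain


if __name__ == "__main__":
    # Constructed sample chain, given in the root -> inter -> cert order that
    # the issue reports for the PKCS#12 container.
    bundle = [Cert("CN=Root CA", "CN=Root CA"),
              Cert("CN=Inter CA", "CN=Root CA"),
              Cert("CN=server", "CN=Inter CA")]
    for c in order_chain(bundle):
        print(c.subject)
```

Because the result is derived from the links rather than the input position, the same function is correct for both the old and the new PKCS12_parse order, and a bundle with a missing intermediate fails loudly instead of producing a chain that verifies against the wrong CA.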

@aleks-f
Member

aleks-f commented Apr 5, 2022

Please open another issue with an SSCCE.

@andy9a9
Author

andy9a9 commented Apr 7, 2022

After some analysis, it looks like the problem is on our side. I will raise an issue if there is something broken on your side.
