Add EVP_PKEY encoded public key get/set compatibility functions#10607
Draft
julek-wolfssl wants to merge 3 commits into
Draft
Add EVP_PKEY encoded public key get/set compatibility functions#10607julek-wolfssl wants to merge 3 commits into
julek-wolfssl wants to merge 3 commits into
Conversation
Implement wolfSSL_EVP_PKEY_set1_encoded_public_key and
wolfSSL_EVP_PKEY_get1_encoded_public_key in the OpenSSL compatibility
layer. Both the new OpenSSL 3.0 names and the deprecated
EVP_PKEY_{set1,get1}_tls_encodedpoint names map to these single
implementations.
Supported key types:
- EC: uncompressed octet point (0x04 || X || Y), reusing
i2o_ECPublicKey / o2i_ECPublicKey. set1 also syncs the internal
wolfCrypt key (SetECKeyInternal) so the key is usable by
EVP_PKEY_derive, and refreshes the cached DER.
- X25519 / X448: raw little-endian public key (RFC 7748).
Adds test_wolfSSL_EVP_PKEY_encoded_public_key covering NULL handling,
EC encode/decode round-trip and ECDH agreement, X25519/X448 round-trips,
and deprecated-name parity.
Build the replacement curve25519/curve448 key in a temporary and only free the existing key once the import succeeds, so a failed set1 leaves the original EVP_PKEY intact (matching the EC branch). Add a regression test that a wrong-length set1 leaves the existing key usable.
Mirror the X25519 check: a wrong-length set1 must leave the existing X448 key intact and usable.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds OpenSSL 3.0 EVP compatibility for getting/setting an EVP_PKEY’s encoded public key (including aliases for the deprecated *_tls_encodedpoint names), and adds API tests to validate correct behavior across EC, X25519, and X448 key types.
Changes:
- Add
EVP_PKEY_{get1,set1}_encoded_public_key(andEVP_PKEY_{get1,set1}_tls_encodedpointaliases) to the OpenSSL EVP compatibility layer. - Implement EC (uncompressed point) and X25519/X448 (raw little-endian) encode/decode support, including a failure-atomic setter pattern for X25519/X448.
- Add a new API test covering bad-arg handling, round-trips, alias parity, and failure-atomicity behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wolfssl/openssl/evp.h | Adds function declarations and macro aliases for the new OpenSSL 3.0 EVP encoded-public-key APIs. |
| wolfcrypt/src/evp.c | Implements encoded public key get/set for EC and X25519/X448, including atomic replacement for curve keys. |
| tests/api/test_evp_pkey.h | Registers the new EVP_PKEY encoded public key API test. |
| tests/api/test_evp_pkey.c | Adds test coverage for encoded public key get/set behavior and aliasing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+9857
to
+9858
| #if defined(OPENSSL_EXTRA) && (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ | ||
| defined(HAVE_CURVE448)) |
|
|
||
| return ret; | ||
| } | ||
| #endif /* OPENSSL_EXTRA && (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) */ |
Comment on lines
+9882
to
+9886
| if ((pkey == NULL) || (ppub == NULL)) { | ||
| WOLFSSL_MSG("Bad parameter"); | ||
| return 0; | ||
| } | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds the OpenSSL 3.0 encoded-public-key compatibility functions to the EVP layer and hardens the X25519/X448 setter against partial failure.
EVP_PKEY_set1_encoded_public_key/EVP_PKEY_get1_encoded_public_keyImplements both functions in the OpenSSL compatibility layer. The new OpenSSL 3.0 names and the deprecated
EVP_PKEY_{set1,get1}_tls_encodedpointnames map to single shared implementations.Supported key types:
0x04 || X || Y), reusingi2o_ECPublicKey/o2i_ECPublicKey.set1also syncs the internal wolfCrypt key (SetECKeyInternal) so the key is usable byEVP_PKEY_derive, and refreshes the cached DER.Failure-atomicity fix for X25519/X448
set1The replacement curve25519/curve448 key is now built in a temporary and the existing key is only freed once the import succeeds, so a failed
set1leaves the originalEVP_PKEYintact (matching the EC branch).Testing
Adds
test_wolfSSL_EVP_PKEY_encoded_public_keycovering NULL handling, EC encode/decode round-trip and ECDH agreement, X25519/X448 round-trips, deprecated-name parity, and a wrong-lengthset1leaving the existing key usable (for both X25519 and X448).