search for: evp_pkey_get1_rsa

...= /var/Security/dsaparam.pem ssl_parameters_regenerate = 0 an attempt @ dovecot launch results in a logged error of: dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file /var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key wherein it looks like dovecot is _still_ seeking an RSA key. fwiw, % cat /var/Security/mail.testdomain.com.privkey.dsa.pem -----BEGIN DSA PRIVATE KEY----- ... i've searched the dovecot wiki, and although the _only_ reference i find to dsa/diffie is @: http://wik...

...get_pubkey(x); + } + if (pk == NULL) { + debug("PEM_read_PUBKEY() file %s failed", filename); + debug3("%s", ERR_error_string(ERR_get_error(), NULL)); + if (x != NULL) + X509_free(x); + return NULL; + } else { + pub = key_new(KEY_UNSPEC); + pub->rsa = RSAPublicKey_dup(EVP_PKEY_get1_RSA(pk)); + pub->type = KEY_RSA; + name = "rsa w/o comment"; +#ifdef DEBUG_PK + RSA_print_fp(stderr, prv->rsa, 8); +#endif + } + + fclose(fp); + + if (pk != NULL) + EVP_PKEY_free(pk); + if (x != NULL) + X509_free(x); + + if (pub != NULL && commentp) + *commentp = xstrdup(n...

...rint_errors_fp(stderr); > debug("ENGINE_load_private_key failed"); > (void)ERR_get_error(); > goto finish; > } else if (pk->type == EVP_PKEY_RSA) { > prv = key_new(KEY_UNSPEC); > prv->rsa = EVP_PKEY_get1_RSA(pk); > prv->type = KEY_RSA; > name = "rsa w/o comment"; > #ifdef DEBUG_PK > RSA_print_fp(stderr, prv->rsa, 8); > #endif > if (RSA_blinding_on(prv->rsa, NULL) != 1) { > ERR_print_errors_...

Engine keys are private key files which are only understood by openssl external engines. ?The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). ?Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private

...); + ret = SSH_ERR_KEY_WRONG_PASSPHRASE; + goto err_free_pkey; + } + + ret = SSH_ERR_ALLOC_FAIL; + + key = sshkey_new(KEY_UNSPEC); + key->flags |= SSHKEY_FLAG_EXT; + if (!key) + goto err_free_pkey; + + switch (EVP_PKEY_id(pk)) { + case EVP_PKEY_RSA: + key->type = KEY_RSA; + key->rsa = EVP_PKEY_get1_RSA(pk); + break; + case EVP_PKEY_DSA: + key->type = KEY_DSA; + key->dsa = EVP_PKEY_get1_DSA(pk); + break; +#ifdef OPENSSL_HAS_ECC + case EVP_PKEY_EC: + key->type = KEY_ECDSA; + key->ecdsa = EVP_PKEY_get1_EC_KEY(pk); + key->ecdsa_nid = sshkey_ecdsa_key_to_nid(key->ecdsa); + if...

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may