Fix incompatibilities with OpenSSL 1.0.x (#1)

Fix incompatiblities with OpenSSL 1.0.x

Author: chris-dudley

key.go

@@ -32,24 +32,24 @@ var (
 	SHA512_Method Method = C.X_EVP_sha512()
 )
 
-type KeyType int
-
+// Constants for the various key types.
+// Mapping of name -> NID taken from openssl/evp.h
 const (
-	KeyTypeNone    KeyType = C.EVP_PKEY_NONE
-	KeyTypeRSA     KeyType = C.EVP_PKEY_RSA
-	KeyTypeRSA2    KeyType = C.EVP_PKEY_RSA2
-	KeyTypeDSA     KeyType = C.EVP_PKEY_DSA
-	KeyTypeDSA1    KeyType = C.EVP_PKEY_DSA1
-	KeyTypeDSA2    KeyType = C.EVP_PKEY_DSA2
-	KeyTypeDSA3    KeyType = C.EVP_PKEY_DSA3
-	KeyTypeDSA4    KeyType = C.EVP_PKEY_DSA4
-	KeyTypeDH      KeyType = C.EVP_PKEY_DH
-	KeyTypeDHX     KeyType = C.EVP_PKEY_DHX
-	KeyTypeEC      KeyType = C.EVP_PKEY_EC
-	KeyTypeHMAC    KeyType = C.EVP_PKEY_HMAC
-	KeyTypeCMAC    KeyType = C.EVP_PKEY_CMAC
-	KeyTypeTLS1PRF KeyType = C.EVP_PKEY_TLS1_PRF
-	KeyTypeHKDF    KeyType = C.EVP_PKEY_HKDF
+	KeyTypeNone    = NID_undef
+	KeyTypeRSA     = NID_rsaEncryption
+	KeyTypeRSA2    = NID_rsa
+	KeyTypeDSA     = NID_dsa
+	KeyTypeDSA1    = NID_dsa_2
+	KeyTypeDSA2    = NID_dsaWithSHA
+	KeyTypeDSA3    = NID_dsaWithSHA1
+	KeyTypeDSA4    = NID_dsaWithSHA1_2
+	KeyTypeDH      = NID_dhKeyAgreement
+	KeyTypeDHX     = NID_dhpublicnumber
+	KeyTypeEC      = NID_x9_62_id_ecPublicKey
+	KeyTypeHMAC    = NID_hmac
+	KeyTypeCMAC    = NID_cmac
+	KeyTypeTLS1PRF = NID_tls1_prf
+	KeyTypeHKDF    = NID_hdkf
 )
 
 type PublicKey interface {
@@ -66,7 +66,7 @@ type PublicKey interface {
 
 	// KeyType returns an identifier for what kind of key is represented by this
 	// object.
-	KeyType() KeyType
+	KeyType() NID
 
 	// BaseType returns an identifier for what kind of key is represented
 	// by this object.
@@ -75,7 +75,7 @@ type PublicKey interface {
 	//
 	// For example, a key with a `KeyType() == KeyTypeRSA` and a key with a
 	// `KeyType() == KeyTypeRSA2` would both have `BaseType() == KeyTypeRSA`.
-	BaseType() KeyType
+	BaseType() NID
 
 	evpPKey() *C.EVP_PKEY
 }
@@ -101,12 +101,12 @@ type pKey struct {
 
 func (key *pKey) evpPKey() *C.EVP_PKEY { return key.key }
 
-func (key *pKey) KeyType() KeyType {
-	return KeyType(C.EVP_PKEY_id(key.key))
+func (key *pKey) KeyType() NID {
+	return NID(C.EVP_PKEY_id(key.key))
 }
 
-func (key *pKey) BaseType() KeyType {
-	return KeyType(C.EVP_PKEY_base_id(key.key))
+func (key *pKey) BaseType() NID {
+	return NID(C.EVP_PKEY_base_id(key.key))
 }
 
 func (key *pKey) SignPKCS1v15(method Method, data []byte) ([]byte, error) {
@@ -162,7 +162,7 @@ func (key *pKey) MarshalPKCS1PrivateKeyPEM() (pem_block []byte,
 	// PEM_write_bio_PrivateKey_traditional will use the key-specific PKCS1
 	// format if one is available for that key type, otherwise it will encode
 	// to a PKCS8 key.
-	if int(C.PEM_write_bio_PrivateKey_traditional(bio, key.key, nil, nil,
+	if int(C.X_PEM_write_bio_PrivateKey_traditional(bio, key.key, nil, nil,
 		C.int(0), nil, nil)) != 1 {
 		return nil, errors.New("failed dumping private key")
 	}

nid.go

@@ -17,6 +17,7 @@ package openssl
 type NID int
 
 const (
+	NID_undef                              NID = 0
 	NID_rsadsi                             NID = 1
 	NID_pkcs                               NID = 2
 	NID_md2                                NID = 3
@@ -196,4 +197,10 @@ const (
 	NID_ad_OCSP                            NID = 178
 	NID_ad_ca_issuers                      NID = 179
 	NID_OCSP_sign                          NID = 180
+	NID_x9_62_id_ecPublicKey               NID = 408
+	NID_hmac                               NID = 855
+	NID_cmac                               NID = 894
+	NID_dhpublicnumber                     NID = 920
+	NID_tls1_prf                           NID = 1021
+	NID_hdkf                               NID = 1036
 )

shim.c

@@ -156,6 +156,10 @@ void X_HMAC_CTX_free(HMAC_CTX *ctx) {
 	HMAC_CTX_free(ctx);
 }
 
+int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u) {
+	return PEM_write_bio_PrivateKey_traditional(bio, key, enc, kstr, klen, cb, u);
+}
+
 #endif
 
 
@@ -276,6 +280,32 @@ void X_HMAC_CTX_free(HMAC_CTX *ctx) {
 	}
 }
 
+int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u) {
+	/* PEM_write_bio_PrivateKey always tries to use the PKCS8 format if it
+	 * is available, instead of using the "traditional" format as stated in the
+	 * OpenSSL man page.
+	 * i2d_PrivateKey should give us the correct DER encoding, so we'll just
+	 * use PEM_ASN1_write_bio directly to write the DER encoding with the correct
+	 * type header. */
+
+	int ppkey_id, pkey_base_id, ppkey_flags;
+	const char *pinfo, *ppem_str;
+	char pem_type_str[80];
+
+	// Lookup the ASN1 method information to get the pem type
+	if (EVP_PKEY_asn1_get0_info(&ppkey_id, &pkey_base_id, &ppkey_flags, &pinfo, &ppem_str, key->ameth) != 1) {
+		return 0;
+	}
+	// Set up the PEM type string
+	if (BIO_snprintf(pem_type_str, 80, "%s PRIVATE KEY", ppem_str) <= 0) {
+		// Failed to write out the pem type string, something is really wrong.
+		return 0;
+	}
+	// Write out everything to the BIO
+	return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
+		pem_type_str, bio, key, enc, kstr, klen, cb, u);
+}
+
 #endif
 
 

shim.h

@@ -158,3 +158,5 @@ extern const ASN1_TIME *X_X509_get0_notAfter(const X509 *x);
 extern int X_sk_X509_num(STACK_OF(X509) *sk);
 extern X509 *X_sk_X509_value(STACK_OF(X509)* sk, int i);
 
+/* PEM methods */
+extern int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u);