On Sun, Nov 20, 2022 at 02:12:34PM -0600, Nico Williams wrote:

> > Generally, I would expect d2i_... to automatically detect the algorithm
> > when tagged with a suitable OID, and so d2i_AutoPrivateKey() could
> > often work, but if you know the expected key type, you can ask for
> > that explicitly with d2i_PrivateKey().
>
> So, d2i_PrivateKey() wants a PKCS#8 wrapper so it can figure out what
> the type of the private key blob is.

Not exactly, PKCS#8-based typing is used in d2i_PKCS8_PRIV_KEY_INFO()
(for unencrypted PKCS#8 blobs, so no password callback). The
d2i_PrivateKey() function takes an explicit pkey_type instead.

> On the other hand, d2i_PublicKey() wants the input key to indicate the
> type of public key to import. A strange asymmetry, but it works.
> Staring at Postfix and OpenSSL code helped.

For X.509 SPKI public keys (the ones you generally want to use) the
right interface is d2i_PUBKEY, not d2i_PublicKey().

-- 
    Viktor.
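The distinction discussed in this message, as an added example that is not part of the original message and not OpenSSL code: a dependency-free DER walker that tells a self-describing blob (SPKI or PKCS#8, both carrying an AlgorithmIdentifier) from an untyped one that needs the caller to supply the key type. The names `classify_der`, `der_hdr`, `decoder` and the sample byte arrays are hypothetical; the samples are constructed, with all-zero key material.

```c
#include <stddef.h>
#include <stdio.h>

enum key_form { KEY_INVALID, KEY_SPKI, KEY_PKCS8, KEY_UNTYPED };
/* Which decoder family each form calls for, per the message above. */
static const char *const decoder[] = { "reject", "d2i_PUBKEY",
    "d2i_PKCS8_PRIV_KEY_INFO", "d2i_PrivateKey/d2i_PublicKey with caller-supplied type" };

/* Constructed samples: Ed25519 SPKI and PKCS#8 (key bytes zero-filled), toy PKCS#1 RSAPublicKey. */
static const unsigned char spki[44]  = {0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,0x70,0x03,0x21,0x00};
static const unsigned char pkcs8[48] = {0x30,0x2e,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x70,
                                        0x04,0x22,0x04,0x20};
static const unsigned char pkcs1[11] = {0x30,0x09,0x02,0x04,0x00,0xc5,0x3b,0x0d,0x02,0x01,0x03};

/* Read one DER header; on success *p points at the content, which is fully in bounds. */
static int der_hdr(const unsigned char **p, const unsigned char *end, unsigned *tag, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2) return 0;
    *tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                      /* long form: low 7 bits count the length octets */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return 0;
        for (n = 0; k--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return 0;
    *p = q; *len = n;
    return 1;
}

enum key_form classify_der(const unsigned char *der, size_t n)
{
    const unsigned char *p = der, *end = der + n, *first;
    unsigned tag, t1, t2, t3; size_t len, l1, l2, l3;
    if (!der_hdr(&p, end, &tag, &len) || tag != 0x30 || p + len != end) return KEY_INVALID;
    if (!der_hdr(&p, end, &t1, &l1)) return KEY_INVALID;
    first = p; p += l1;
    if (!der_hdr(&p, end, &t2, &l2)) return KEY_INVALID;
    /* SPKI: SEQUENCE { AlgorithmIdentifier { OID, ... }, BIT STRING } */
    if (t1 == 0x30 && l1 >= 2 && first[0] == 0x06 && t2 == 0x03) return KEY_SPKI;
    /* PKCS#8: SEQUENCE { INTEGER version, AlgorithmIdentifier, OCTET STRING } */
    if (t1 == 0x02 && t2 == 0x30 && l2 >= 2 && p[0] == 0x06) {
        p += l2;
        return (der_hdr(&p, end, &t3, &l3) && t3 == 0x04) ? KEY_PKCS8 : KEY_INVALID;
    }
    return KEY_UNTYPED;                  /* no embedded OID: type must come from the caller */
}

int main(void)
{
    printf("spki : %s\n", decoder[classify_der(spki, sizeof spki)]);
    printf("pkcs8: %s\n", decoder[classify_der(pkcs8, sizeof pkcs8)]);
    printf("pkcs1: %s\n", decoder[classify_der(pkcs1, sizeof pkcs1)]);
    return 0;
}
```

The walker checks only the outer shape, so a blob it accepts can still be rejected by the real decoder.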