We've accidentally found out that the openssl command line utility doesn't
report correctly why it is unable to load a private key.
Investigation shows that error reporting in the load_key function
(in apps/apps.c), which is used by most commands of the openssl utility,
is incomplete and inconsistent.
1. This function receives a BIO* argument err to report errors to.
But in some cases it uses this BIO, and in some cases the global variable
bio_err.
2. It doesn't report any errors encountered in the
ENGINE_load_private_key function at all.
3. It doesn't call ERR_print_errors(err) after printing the message "Unable
to load private key", while, for instance, the function load_certificate in
the same file does so.
The attached patch (against the 1.0.0-stable branch) fixes these problems.
? load_key_error.patch
Index: apps.c
===================================================================
RCS file: /cvs-openssl/openssl/apps/apps.c,v
retrieving revision 1.133.2.8
diff -u -r1.133.2.8 apps.c
--- apps.c 31 Oct 2009 13:34:19 -0000 1.133.2.8
+++ apps.c 11 May 2010 12:03:15 -0000
@@ -875,10 +875,17 @@
if (format == FORMAT_ENGINE)
{
if (!e)
- BIO_printf(bio_err,"no engine specified\n");
+ BIO_printf(err,"no engine specified\n");
else
+ {
pkey = ENGINE_load_private_key(e, file,
ui_method, &cb_data);
+ if (!pkey)
+ {
+ BIO_printf(err,"cannot load %s from engine\n",key_descrip);
+ ERR_print_errors(err);
+ }
+ }
goto end;
}
#endif
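Review bot: the new `if (!pkey)` block in the engine branch double-reports the failure. After `BIO_printf(err,"cannot load %s from engine\n",key_descrip); ERR_print_errors(err);` the code still does `goto end`, where `pkey == NULL` prints "unable to load %s" again; and since ERR_print_errors() drains the error queue, the second call at `end:` prints nothing for the engine case while the user sees two messages for one failure. Either drop the `ERR_print_errors(err)` here and let the `end:` path report the queue once, or make the engine branch return its own message without falling through to the generic one. Also, the `if (!e)` case prints "no engine specified" and then "unable to load %s" at `end:`, same issue of two lines for one error, so consider that path too while you are here.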
@@ -937,8 +944,11 @@
}
end:
if (key != NULL) BIO_free(key);
- if (pkey == NULL)
+ if (pkey == NULL)
+ {
BIO_printf(err,"unable to load %s\n", key_descrip);
+ ERR_print_errors(err);
+ }
return(pkey);
}
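Review bot: adding `ERR_print_errors(err)` at `end:` changes an observable side effect of load_key(): ERR_print_errors() consumes the error queue, so any caller that calls load_key(), gets NULL back, and then inspects ERR_peek_error()/ERR_get_error() itself (or tries another format and wants the first failure's reason preserved) will now find the queue empty. Please check the callers of load_key() in apps/ for that pattern before merging; if any exist, they would need to be adjusted or the queue should be printed without being cleared. The brace/indent change around `if (pkey == NULL)` is otherwise fine and matches what load_certificate() already does.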