We've accidentally found out that the openssl command line utility doesn't report correctly why it is unable to load a private key.
Investigation shows that error reporting in the load_key function (in apps/apps.c), which is used by most commands of the openssl utility, is incomplete and inconsistent.

1. This function receives a BIO* argument err to report errors to. But in some cases it uses this BIO, and in some cases the global variable bio_err.
2. It doesn't report any errors encountered in the ENGINE_load_private_key function at all.
3. It doesn't call ERR_print_errors(err) after printing the message "Unable to load private key", while, for instance, function load_certificate in the same file does so.

Attached patch (against 1.0.0-stable branch) fixes these problems.
? load_key_error.patch Index: apps.c =================================================================== RCS file: /cvs-openssl/openssl/apps/apps.c,v retrieving revision 1.133.2.8 diff -u -r1.133.2.8 apps.c --- apps.c 31 Oct 2009 13:34:19 -0000 1.133.2.8 +++ apps.c 11 May 2010 12:03:15 -0000 @@ -875,10 +875,17 @@ if (format == FORMAT_ENGINE) { if (!e) - BIO_printf(bio_err,"no engine specified\n"); + BIO_printf(err,"no engine specified\n"); else + { pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); + if (!pkey) + { + BIO_printf(err,"cannot load %s from engine\n",key_descrip); + ERR_print_errors(err); + } + } goto end; } #endif @@ -937,8 +944,11 @@ } end: if (key != NULL) BIO_free(key); - if (pkey == NULL) + if (pkey == NULL) + { BIO_printf(err,"unable to load %s\n", key_descrip); + ERR_print_errors(err); + } return(pkey); }
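Review bot: in the first hunk (@@ -875), the new failure branch under ENGINE_load_private_key prints "cannot load %s from engine" and drains the error queue with ERR_print_errors(err), then reaches `goto end`, where pkey is still NULL and the second hunk prints "unable to load %s" and calls ERR_print_errors(err) once more; one engine failure therefore produces two messages, the second followed by an empty error dump. Suggest keeping only one of the two reports for this path, either the engine-specific message here or the generic one at end:, so each failure is reported exactly once.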
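Review bot: in the second hunk (@@ -937), the `- if (pkey == NULL)` / `+ if (pkey == NULL)` pair is textually identical, so that line is whitespace-only churn; drop it so the hunk shows only the added braces and the ERR_print_errors(err) call. Also note that ERR_print_errors() pops entries off the thread's error queue, so after this change a caller that checks load_key() for NULL and then inspects ERR_get_error() itself would find the queue empty; the callers in apps/ should be checked for that pattern before merging, since this is a behaviour change beyond the message text.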