Warnings when compiling examples with OpenSSL 3
kiner-shah opened this issue
Library version: v1.4
OS: Linux Ubuntu 22.04
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Command:
cmake -DCPP_JWT_USE_VENDORED_NLOHMANN_JSON=OFF -DCPP_JWT_BUILD_TESTS=OFF ..
make
Please check the attached openssl3_warnings_log.txt.
The issues reported seem all or mostly related to:
Deprecated low-level key parameter getters
A de-duplicated list of the warnings:
cpp-jwt/include/jwt/algorithm.hpp:288:23: warning: ‘void EC_KEY_free(EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:113:44: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:119:26: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:264:42: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:271:58: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
The alternative to EC_KEY_get0_group seems to be to use EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]). But it's not fully clear to me, and I don't have a dev machine with OpenSSL 3 handy right now to try.
When fixed, it needs some ifdef logic, because OpenSSL 1.1 doesn't have the required functions.
@kiner-shah I know it's late :) but is it a possibility that you can submit a PR for the change?
If @kiner-shah doesn't, I will probably, sooner or later. We use the lib in several places. I have experience with the OpenSSL API and it doesn't seem that hard to do.
Interestingly, if the use of the low-level attributes of the keys is discouraged, I wonder why they are needed?
Thanks @halfgaar. I am rarely touching C++ these days, so not having a lot of bandwidth to fight the build system with different openssl versions.
I did some preliminary research @arun11299. The deprecation is all in the elliptic curve functions, in getting the size of the big number of the signature. It's calculated manually, like this:
```cpp
unsigned int degree = EC_GROUP_get_degree(
    EC_KEY_get0_group(ec_key.get()));
unsigned int bn_len = (degree + 7) / 8;
```
Why is that? If I look at other code on the internet, they don't do that.
If I disable all the EC code, the library still works to verify our RSA keys.
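On the question of what the curve size in bytes is for: JWS ES256/ES384/ES512 signatures are the fixed-width concatenation R || S (32, 48 and 66 bytes per component, RFC 7518 section 3.4), whereas OpenSSL's ECDSA_sign/ECDSA_verify and i2d_ECDSA_SIG/d2i_ECDSA_SIG deal in a DER ECDSA-Sig-Value whose INTEGERs are minimal-length and gain a 0x00 sign byte when the top bit is set. A JWT library therefore has to left-pad components when producing a JWS signature and strip padding when handing one to OpenSSL, and (degree + 7) / 8 is the width it pads to. The block below is an added example, not code from cpp-jwt or from this thread; it performs that conversion in both directions and takes the curve size as a plain integer so it builds without OpenSSL. The P-256 and P-521 inputs in it are constructed byte patterns, not real signatures.

```cpp
// Added example (not cpp-jwt code): converting between OpenSSL's DER
// ECDSA-Sig-Value and the fixed-width JWS R || S form. This is the step that
// needs the curve size in bytes, i.e. (curve_bits + 7) / 8.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

using bytes = std::vector<uint8_t>;

// Bytes per signature component: ES256 -> 32, ES384 -> 48, ES512 -> 66.
inline size_t ec_component_len(unsigned curve_bits) { return (curve_bits + 7) / 8; }

// Parse one DER INTEGER at `pos`; return its magnitude left-padded to `width`.
static bytes der_integer(const bytes& der, size_t& pos, size_t width) {
    if (pos + 2 > der.size() || der[pos] != 0x02)
        throw std::runtime_error("expected DER INTEGER");
    size_t len = der[pos + 1];                       // ECDSA components are < 128 bytes
    if (len >= 0x80) throw std::runtime_error("unexpected long-form INTEGER length");
    pos += 2;
    if (pos + len > der.size()) throw std::runtime_error("truncated INTEGER");
    size_t start = pos, end = pos + len;
    pos = end;
    while (start < end && der[start] == 0x00) ++start;  // drop the DER sign byte
    size_t mag = end - start;
    if (mag > width) throw std::runtime_error("component wider than the curve");
    bytes out(width, 0x00);                          // left-pad to the fixed JWS width
    std::copy(der.begin() + start, der.begin() + end, out.begin() + (width - mag));
    return out;
}

// Signing side: DER SEQUENCE { INTEGER r, INTEGER s } from OpenSSL -> JWS R || S.
bytes der_to_jws(const bytes& der, unsigned curve_bits) {
    const size_t width = ec_component_len(curve_bits);
    if (der.size() < 2 || der[0] != 0x30) throw std::runtime_error("expected DER SEQUENCE");
    size_t pos = 1;
    size_t seq_len = der[pos++];
    if (seq_len == 0x81) {                           // two-byte length; P-521 signatures need it
        if (pos >= der.size()) throw std::runtime_error("truncated SEQUENCE length");
        seq_len = der[pos++];
    } else if (seq_len >= 0x80) {
        throw std::runtime_error("unexpected SEQUENCE length form");
    }
    if (pos + seq_len != der.size()) throw std::runtime_error("bad SEQUENCE length");
    bytes r = der_integer(der, pos, width);
    bytes s = der_integer(der, pos, width);
    if (pos != der.size()) throw std::runtime_error("trailing bytes after s");
    r.insert(r.end(), s.begin(), s.end());
    return r;
}

// Minimal DER INTEGER for a big-endian unsigned magnitude.
static bytes der_integer_from(const uint8_t* p, size_t n) {
    while (n > 1 && *p == 0x00) { ++p; --n; }      // DER forbids redundant leading zeros
    bytes out{0x02, 0x00};
    if (*p & 0x80) out.push_back(0x00);              // sign byte keeps the value positive
    out.insert(out.end(), p, p + n);
    out[1] = static_cast<uint8_t>(out.size() - 2);
    return out;
}

// Verification side: JWS R || S -> DER ECDSA-Sig-Value to hand to OpenSSL.
bytes jws_to_der(const bytes& raw, unsigned curve_bits) {
    const size_t width = ec_component_len(curve_bits);
    if (raw.size() != 2 * width)                     // the length check a verifier must do first
        throw std::runtime_error("JWS signature must be exactly 2 * component length");
    bytes r = der_integer_from(raw.data(), width);
    bytes s = der_integer_from(raw.data() + width, width);
    bytes out{0x30};
    const size_t body = r.size() + s.size();
    if (body >= 0x80) out.push_back(0x81);
    out.push_back(static_cast<uint8_t>(body));
    out.insert(out.end(), r.begin(), r.end());
    out.insert(out.end(), s.begin(), s.end());
    return out;
}

// Constructed P-256 sample (not a real signature): r has its top bit set, so
// DER carries a sign byte; s is only 31 bytes, so JWS needs a leading zero.
bytes sample_p256_der() {
    bytes der{0x30, 0x44, 0x02, 0x21, 0x00, 0xff};
    der.insert(der.end(), 31, 0x11);
    der.insert(der.end(), {0x02, 0x1f, 0x7a});
    der.insert(der.end(), 30, 0x22);
    return der;
}

// Constructed P-521 sample: two full 66-byte components force the 0x81 length form.
bytes sample_p521_jws() {
    bytes raw(132, 0x33);
    raw[0] = 0x01;
    std::fill(raw.begin() + 66, raw.end(), 0x44);
    raw[66] = 0x01;
    return raw;
}

bool roundtrip_ok() {
    bytes raw = der_to_jws(sample_p256_der(), 256);
    bool p256 = raw.size() == 64 && raw[0] == 0xff && raw[32] == 0x00 && raw[33] == 0x7a
                && jws_to_der(raw, 256) == sample_p256_der();
    bytes der = jws_to_der(sample_p521_jws(), 521);
    bool p521 = der.size() == 139 && der[1] == 0x81 && der[2] == 0x88
                && der_to_jws(der, 521) == sample_p521_jws();
    return p256 && p521;
}

int main() {
    std::printf("ES256 component = %zu bytes, ES512 = %zu bytes, roundtrip %s\n",
                ec_component_len(256), ec_component_len(521), roundtrip_ok() ? "ok" : "FAILED");
    return roundtrip_ok() ? 0 : 1;
}
```

In OpenSSL the curve size can be obtained without deprecated calls from EVP_PKEY_bits(pkey), which in 3.0 is a macro alias of the non-deprecated EVP_PKEY_get_bits and in 1.1.x is a plain function; it returns the size of the group order, which for P-256, P-384 and P-521 is the same number as the field degree that EC_GROUP_get_degree returns, so this particular call needs no ifdef. The raw.size() check in jws_to_der is the one a verifier must keep: a signature that is not exactly 2 * component length is malformed and should be rejected before any DER is built.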