arun11299 / cpp-jwt

JSON Web Token library for C++

Warnings when compiling examples with OpenSSL 3

kiner-shah opened this issue · comments

Library version: v1.4
OS: Linux Ubuntu 22.04
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Command:

cmake -DCPP_JWT_USE_VENDORED_NLOHMANN_JSON=OFF -DCPP_JWT_BUILD_TESTS=OFF ..
make

Please check the attached openssl3_warnings_log.txt.

The issues reported seem all or mostly related to:

Deprecated low-level key parameter getters

A uniqued list of errors:

cpp-jwt/include/jwt/algorithm.hpp:288:23: warning: ‘void EC_KEY_free(EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:113:44: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:119:26: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:264:42: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:271:58: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]

The alternative to EC_KEY_get0_group seems to be to use EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]). But it's not fully clear to me, and I don't have a dev machine with OpenSSL 3 handy right now to try.

When fixed, it needs some ifdef logic, because OpenSSL 1.1 doesn't have the required functions.

@kiner-shah I know it's late :) but is it a possibility that you can submit a PR for the change?

If @kiner-shah doesn't, I will probably, sooner or later. We use the lib in several places. I have experience with the OpenSSL API and it doesn't seem that hard to do.

Interestingly, if the use of the low-level attributes of the keys is discouraged, I wonder why they are needed?

Thanks @halfgaar. I am rarely touching C++ these days, so not having a lot of bandwidth to fight the build system with different openssl versions.

I did some preliminary research @arun11299. The deprecation is all in the elliptical curve functions, in getting the size of the big number of the signature. It's calculated manually, like this:

    unsigned int degree = EC_GROUP_get_degree(
        EC_KEY_get0_group(ec_key.get()));

    unsigned int bn_len = (degree + 7) / 8;

Why is that? If I look at other code on the internet, they don't do that.

If I disable all the EC code, the library still works to verify our RSA keys.
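
Added example, not part of the thread or of cpp-jwt's code: RFC 7518 section 3.4 defines a JWS ECDSA signature as fixed-width big-endian R || S, while OpenSSL's EVP signing calls emit a DER SEQUENCE of two variable-length INTEGERs, so converting between the two needs the per-coordinate octet count that `(degree + 7) / 8` gives. The names `coord_len`, `der_to_raw` and `kSampleDer` are hypothetical, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Octets per signature coordinate; same formula as the snippet quoted in the thread.
// P-521 shows why it rounds up: (521 + 7) / 8 = 66, not 65.
std::size_t coord_len(unsigned degree) { return (degree + 7) / 8; }

// Constructed toy signature (not real key material): r = 0x05, s = 0x80.
// DER stores s as 00 80 because a leading 1 bit would mean a negative INTEGER.
const Bytes kSampleDer = {0x30, 0x07, 0x02, 0x01, 0x05, 0x02, 0x02, 0x00, 0x80};

// Read one DER INTEGER at pos and append it to out, left-padded to len octets.
static void read_int(const Bytes& der, std::size_t& pos, std::size_t len, Bytes& out) {
    if (pos + 2 > der.size() || der[pos] != 0x02)
        throw std::invalid_argument("expected INTEGER");
    std::size_t n = der[pos + 1];
    pos += 2;
    if (n == 0 || n > 0x7f || pos + n > der.size())
        throw std::invalid_argument("bad INTEGER length");
    if (der[pos] & 0x80) throw std::invalid_argument("negative INTEGER");
    std::size_t skip = (n > 1 && der[pos] == 0x00) ? 1 : 0;  // DER sign octet
    if (n - skip > len) throw std::invalid_argument("INTEGER wider than curve");
    out.insert(out.end(), len - (n - skip), std::uint8_t{0});  // pad to fixed width
    out.insert(out.end(), der.begin() + pos + skip, der.begin() + pos + n);
    pos += n;
}

// Convert DER ECDSA-Sig-Value (SEQUENCE { INTEGER r, INTEGER s }) to fixed-width R || S.
Bytes der_to_raw(const Bytes& der, unsigned degree) {
    std::size_t pos = 0, len = coord_len(degree);
    if (der.size() < 3 || der[pos++] != 0x30)
        throw std::invalid_argument("expected SEQUENCE");
    std::size_t seq = der[pos++];
    if (seq == 0x81) seq = der[pos++];  // long-form length, needed for P-521
    else if (seq > 0x7f) throw std::invalid_argument("unsupported length");
    if (pos + seq != der.size()) throw std::invalid_argument("length mismatch");
    Bytes out;
    out.reserve(2 * len);
    read_int(der, pos, len, out);
    read_int(der, pos, len, out);
    if (pos != der.size()) throw std::invalid_argument("trailing bytes");
    return out;
}
```

Rejecting an INTEGER wider than `coord_len(degree)` matters on the verify side: a signature whose R or S cannot fit the curve is malformed and should fail before any cryptographic check runs.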