ruby / openssl

Provides SSL, TLS and general purpose cryptography.

OpenSSL::PKey::EC.new(nil).generate_key fails with OpenSSL::PKey::PKeyError

ys opened this issue · comments

I am upgrading a project using the r509 gem.
The gem uses generate_key to get EC private keys.
But it looks like here we redirect that method to generate_key!, which throws the error.

Should we have a new generator for it? No idea what it would look like.

[5] pry(main)> OpenSSL::PKey::EC.new(nil).generate_key!
OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0
from (pry):5:in `generate_key!'
[6] pry(main)> OpenSSL::PKey::EC.new(nil).generate_key
OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0
from (pry):6:in `generate_key!'

rb_define_alias(cEC, "generate_key", "generate_key!");

Methods on OpenSSL::PKey::{RSA,DSA,DH,EC} that modify the receiver object will not work if ruby/openssl is compiled against OpenSSL (the C library) 3.0 or later. This is a backwards-incompatible change introduced by OpenSSL 3.0 and there is nothing ruby/openssl can do.

Instead of OpenSSL::PKey::EC.new(group_name).generate_key!, please use OpenSSL::PKey::EC.generate(group_name).

The library is actually using generate_key and not generate_key!. The issue is that, for this one, it looks like generate_key is aliased to generate_key! for EC.

Yes it is an alias. EC#generate_key was renamed to EC#generate_key! (in 2016, for parity with DH#generate_key!) and the old name was kept as an alias. EC#generate_key always modified the receiver.

Oh I see, I misread the error message. I guess OpenSSL::PKey.generate_key is the one to use, not the key-specific ones anymore. Is that correct?

Thanks a lot for your help and time on this :) This all makes sense. Will open a PR on that r509 gem to modify its usage.

Yes, the following methods will continue to work and do the same thing:

  • OpenSSL::PKey.generate_key("EC", "ec_paramgen_curve" => "prime256v1") (the manpage openssl-genpkey(1) documents ec_paramgen_curve and other optional parameters)
  • OpenSSL::PKey::EC.generate("prime256v1")
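A migration sketch for the pattern discussed in this thread, written as an added example (not code from ruby/openssl or the r509 gem). The helper names, the fallback wrapper and the choice of prime256v1 are assumptions; the ruby/openssl calls themselves (EC.generate, PKey.generate_key, private?, group.curve_name, check_key) are the library's real API.

```ruby
require "openssl"

# Constructed sample input: the curve the key should live on.
CURVE = "prime256v1"

# Legacy pattern from the issue: EC.new(group).generate_key! mutates the
# receiver and raises PKeyError ("pkeys are immutable") on OpenSSL 3.0.
def legacy_generate(curve = CURVE)
  OpenSSL::PKey::EC.new(curve).generate_key!
end

# Recommended replacement: EC.generate returns a fresh private key without
# touching an existing object, so it works on OpenSSL 1.1 and 3.0 alike.
def generate_ec_key(curve = CURVE)
  OpenSSL::PKey::EC.generate(curve)
end

# Same result through the generic, algorithm-name based API; the
# "ec_paramgen_curve" option is the one openssl-genpkey(1) documents.
def generate_ec_key_generic(curve = CURVE)
  OpenSSL::PKey.generate_key("EC", "ec_paramgen_curve" => curve)
end

# Hypothetical migration wrapper for code that still carries the old call:
# try the mutating method, fall back to the immutable-safe API if the
# underlying OpenSSL refuses to modify the key object.
def generate_with_fallback(curve = CURVE)
  legacy_generate(curve)
rescue OpenSSL::PKey::PKeyError
  generate_ec_key(curve)
end

# Defensive check before using a generated key: it must be an EC key that
# actually holds a private scalar, sit on the expected curve and pass
# OpenSSL's own consistency check (check_key raises on a malformed key).
def valid_private_key?(key, curve = CURVE)
  key.is_a?(OpenSSL::PKey::EC) && key.private? &&
    key.group.curve_name == curve && key.check_key
end

# OpenSSL 3.0.0 is version number 0x30000000; from there on pkeys are immutable.
def pkeys_immutable?
  OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
end
```

The rescue in generate_with_fallback is only a bridge for code that cannot yet be rewritten; new code should call EC.generate or PKey.generate_key directly.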