Warnings when compiling examples with OpenSSL 3 #100

kiner-shah opened this issue Apr 21, 2023 · 6 comments

@kiner-shah

Library version: v1.4
OS: Linux Ubuntu 22.04
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Command:

cmake -DCPP_JWT_USE_VENDORED_NLOHMANN_JSON=OFF -DCPP_JWT_BUILD_TESTS=OFF ..
make

Please check the attached openssl3_warnings_log.txt.

@halfgaar

halfgaar commented Feb 11, 2024

The issues reported seem all or mostly related to:

Deprecated low-level key parameter getters

A uniqued list of errors:

cpp-jwt/include/jwt/algorithm.hpp:288:23: warning: ‘void EC_KEY_free(EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:113:44: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:119:26: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:264:42: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:271:58: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]

The alternative to EC_KEY_get0_group seems to be to use EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]). But it's not fully clear to me, and I don't have a dev machine with OpenSSL 3 handy right now to try.

When fixed, it needs some ifdef logic, because OpenSSL 1.1 doesn't have the required functions.

@arun11299
Owner

@kiner-shah I know it's late :) but is it a possibility that you can submit a PR for the change?

@halfgaar

If @kiner-shah doesn't, I will probably, sooner or later. We use the lib in several places. I have experience with the OpenSSL API and it doesn't seem that hard to do.

Interestingly, if the use of the low-level attributes of the keys is discouraged, I wonder why they are needed?

@arun11299
Owner

Thanks @halfgaar. I am rarely touching C++ these days, so not having a lot of bandwidth to fight the build system with different openssl versions.

@kiner-shah
Author

kiner-shah commented Feb 12, 2024 via email

@halfgaar

I did some preliminary research, @arun11299. The deprecation is all in the elliptical curve functions, in getting the size of the big number of the signature. It's calculated manually, like this:

    unsigned int degree = EC_GROUP_get_degree(
        EC_KEY_get0_group(ec_key.get()));

    unsigned int bn_len = (degree + 7) / 8;

Why is that? If I look at other code on the internet, they don't do that.

If I disable all the EC code, the library still works to verify our RSA keys.
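
Added example, not code from cpp-jwt or from any commenter in this thread: one use for the fixed byte length computed in the snippet above. JWS ECDSA signatures (RFC 7518, section 3.4) are R || S with each value at a fixed width, while DER encodes r and s at variable length, so a converter has to left-pad to that width and reject anything wider. It is an assumption here that this is what bn_len serves in the library; coord_len, append_int and der_to_raw are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Same arithmetic as the snippet above: bytes per value for a curve of
// `degree` bits (256 -> 32, 384 -> 48, 521 -> 66).
std::size_t coord_len(unsigned degree) { return (degree + 7) / 8; }

// Read one DER INTEGER at `pos` and append it to `out`, left-padded with
// zeros to exactly `bn_len` bytes.
static void append_int(const Bytes& der, std::size_t& pos, std::size_t bn_len, Bytes& out) {
    if (pos + 2 > der.size() || der[pos] != 0x02) throw std::invalid_argument("expected INTEGER");
    std::size_t len = der[pos + 1];
    pos += 2;
    if (len == 0 || len > 0x7f || pos + len > der.size()) throw std::invalid_argument("bad INTEGER length");
    while (len > 1 && der[pos] == 0x00) { ++pos; --len; }  // DER sign-padding byte
    if (len > bn_len) throw std::invalid_argument("INTEGER wider than the curve");
    out.insert(out.end(), bn_len - len, 0x00);
    out.insert(out.end(), der.begin() + pos, der.begin() + pos + len);
    pos += len;
}

// DER SEQUENCE { r INTEGER, s INTEGER } -> fixed-width R || S.
Bytes der_to_raw(const Bytes& der, unsigned degree) {
    if (der.size() < 2 || der[0] != 0x30) throw std::invalid_argument("expected SEQUENCE");
    std::size_t pos = 1, seq_len = der[pos++];
    if (seq_len == 0x81 && pos < der.size()) seq_len = der[pos++];  // long form, needed for P-521
    else if (seq_len > 0x7f) throw std::invalid_argument("unsupported length form");
    if (pos + seq_len != der.size()) throw std::invalid_argument("length mismatch");
    const std::size_t bn_len = coord_len(degree);
    Bytes out;
    out.reserve(2 * bn_len);
    append_int(der, pos, bn_len, out);
    append_int(der, pos, bn_len, out);
    if (pos != der.size()) throw std::invalid_argument("trailing bytes");
    return out;
}

int main() {
    // Constructed sample, not a real signature: r = 0x01, s = 0x80 (sign-padded).
    const Bytes der = {0x30, 0x07, 0x02, 0x01, 0x01, 0x02, 0x02, 0x00, 0x80};
    std::printf("P-256: %zu bytes, P-521: %zu bytes\n",
                der_to_raw(der, 256).size(), der_to_raw(der, 521).size());
    return 0;
}
```

A verifier that accepts only signatures of exactly 2 * bn_len bytes rejects truncated or over-long inputs before any curve arithmetic runs.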
