dsa: apps deprecation changes

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)

5 files changed, 97 insertions, 92 deletions

diff --git a/apps/dhparam.c b/apps/dhparam.c
index a69dfd3810..8242a1f1d7 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -47,8 +47,10 @@ const OPTIONS dhparam_options[] = {
     OPT_SECTION("General"),
     {"help", OPT_HELP, '-', "Display this summary"},
     {"check", OPT_CHECK, '-', "Check the DH parameters"},
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"dsaparam", OPT_DSAPARAM, '-',
      "Read or generate DSA parameters, convert to DH"},
+#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 #endif
diff --git a/apps/dsa.c b/apps/dsa.c
index 2deda0a32c..ebb841fa53 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -22,6 +22,15 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
+#include <openssl/encoder.h>
+#include <openssl/core_names.h>
+#include <openssl/core_dispatch.h>
+
+#ifndef OPENSSL_NO_RC4
+# define DEFAULT_PVK_ENCR_STRENGTH      2
+#else
+# define DEFAULT_PVK_ENCR_STRENGTH      0
+#endif
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -68,7 +77,6 @@ const OPTIONS dsa_options[] = {
 int dsa_main(int argc, char **argv)
 {
     BIO *out = NULL;
-    DSA *dsa = NULL;
     ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
     const EVP_CIPHER *enc = NULL;
@@ -76,11 +84,13 @@ int dsa_main(int argc, char **argv)
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
-    int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-#ifndef OPENSSL_NO_RC4
-    int pvk_encr = 2;
-#endif
+    int modulus = 0, pubin = 0, pubout = 0, ret = 1;
+    int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     int private = 0;
+    const char *output_type = NULL;
+    const char *output_structure = NULL;
+    int selection = 0;
+    OSSL_ENCODER_CTX *ectx = NULL;
 
     prog = opt_init(argc, argv, dsa_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -171,14 +181,15 @@ int dsa_main(int argc, char **argv)
     else
         pkey = load_key(infile, informat, 1, passin, e, "private key");
 
-    if (pkey != NULL)
-        dsa = EVP_PKEY_get1_DSA(pkey);
-
-    if (dsa == NULL) {
+    if (pkey == NULL) {
         BIO_printf(bio_err, "unable to load Key\n");
         ERR_print_errors(bio_err);
         goto end;
     }
+    if (!EVP_PKEY_is_a(pkey, "DSA")) {
+        BIO_printf(bio_err, "Not a DSA key\n");
+        goto end;
+    }
 
     out = bio_open_owner(outfile, outformat, private);
     if (out == NULL)
@@ -195,11 +206,16 @@ int dsa_main(int argc, char **argv)
     }
 
     if (modulus) {
-        const BIGNUM *pub_key = NULL;
-        DSA_get0_key(dsa, &pub_key, NULL);
+        BIGNUM *pub_key = NULL;
+
+        if (!EVP_PKEY_get_bn_param(pkey, "pub", &pub_key)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
         BIO_printf(out, "Public Key=");
         BN_print(out, pub_key);
         BIO_printf(out, "\n");
+        BN_free(pub_key);
     }
 
     if (noout) {
@@ -208,64 +224,68 @@ int dsa_main(int argc, char **argv)
     }
     BIO_printf(bio_err, "writing DSA key\n");
     if (outformat == FORMAT_ASN1) {
-        if (pubin || pubout) {
-            i = i2d_DSA_PUBKEY_bio(out, dsa);
-        } else {
-            assert(private);
-            i = i2d_DSAPrivateKey_bio(out, dsa);
-        }
+        output_type = "DER";
     } else if (outformat == FORMAT_PEM) {
-        if (pubin || pubout) {
-            i = PEM_write_bio_DSA_PUBKEY(out, dsa);
-        } else {
-            assert(private);
-            i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
-                                            NULL, 0, NULL, passout);
-        }
-#ifndef OPENSSL_NO_RSA
-    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
-        EVP_PKEY *pk;
-        pk = EVP_PKEY_new();
-        if (pk == NULL)
-           goto end;
-
-        EVP_PKEY_set1_DSA(pk, dsa);
-        if (outformat == FORMAT_PVK) {
-            if (pubin) {
-                BIO_printf(bio_err, "PVK form impossible with public key input\n");
-                EVP_PKEY_free(pk);
-                goto end;
-            }
-            assert(private);
-# ifdef OPENSSL_NO_RC4
-            BIO_printf(bio_err, "PVK format not supported\n");
-            EVP_PKEY_free(pk);
+        output_type = "PEM";
+    } else if (outformat == FORMAT_MSBLOB) {
+        output_type = "MSBLOB";
+    } else if (outformat == FORMAT_PVK) {
+        if (pubin) {
+            BIO_printf(bio_err, "PVK form impossible with public key input\n");
             goto end;
-# else
-            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
-# endif
-        } else if (pubin || pubout) {
-            i = i2b_PublicKey_bio(out, pk);
-        } else {
-            assert(private);
-            i = i2b_PrivateKey_bio(out, pk);
         }
-        EVP_PKEY_free(pk);
-#endif
+        output_type = "PVK";
     } else {
         BIO_printf(bio_err, "bad output format specified for outfile\n");
         goto end;
     }
-    if (i <= 0) {
-        BIO_printf(bio_err, "unable to write private key\n");
-        ERR_print_errors(bio_err);
+
+    if (outformat == FORMAT_ASN1 || outformat == FORMAT_PEM) {
+        if (pubout || pubin)
+            output_structure = "SubjectPublicKeyInfo";
+        else
+            output_structure = "type-specific";
+    }
+
+    /* Select what you want in the output */
+    if (pubout || pubin) {
+        selection = OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+    } else {
+        assert(private);
+        selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
+                     | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
+    }
+
+    /* Perform the encoding */
+    ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, output_type,
+                                            output_structure, NULL);
+    if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
+        BIO_printf(bio_err, "%s format not supported\n", output_type);
+        goto end;
+    }
+
+    /* PVK requires a bit more */
+    if (outformat == FORMAT_PVK) {
+        OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+
+        params[0] = OSSL_PARAM_construct_int("encrypt-level", &pvk_encr);
+        if (!OSSL_ENCODER_CTX_set_params(ectx, params)) {
+            BIO_printf(bio_err, "invalid PVK encryption level\n");
+            goto end;
+        }
+    }
+
+    if (!OSSL_ENCODER_to_bio(ectx, out)) {
+        BIO_printf(bio_err, "unable to write key\n");
         goto end;
     }
     ret = 0;
  end:
+    if (ret != 0)
+        ERR_print_errors(bio_err);
+    OSSL_ENCODER_CTX_free(ectx);
     BIO_free_all(out);
     EVP_PKEY_free(pkey);
-    DSA_free(dsa);
     release_engine(e);
     OPENSSL_free(passin);
     OPENSSL_free(passout);
diff --git a/apps/gendsa.c b/apps/gendsa.c
index d525f7093b..c90a01d979 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -54,7 +54,6 @@ int gendsa_main(int argc, char **argv)
 {
     ENGINE *e = NULL;
     BIO *out = NULL, *in = NULL;
-    DSA *dsa = NULL;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     const EVP_CIPHER *enc = NULL;
@@ -117,38 +116,18 @@ int gendsa_main(int argc, char **argv)
         goto end;
     }
 
-    in = bio_open_default(dsaparams, 'r', FORMAT_PEM);
-    if (in == NULL)
-        goto end2;
-
-    if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
-        BIO_printf(bio_err, "unable to load DSA parameter file\n");
-        goto end;
-    }
-    BIO_free(in);
-    in = NULL;
+    pkey = load_keyparams(dsaparams, 1, "DSA", "DSA parameters");
 
     out = bio_open_owner(outfile, FORMAT_PEM, private);
     if (out == NULL)
         goto end2;
 
-    DSA_get0_pqg(dsa, &p, NULL, NULL);
-
-    if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
+    if (EVP_PKEY_bits(pkey) > OPENSSL_DSA_MAX_MODULUS_BITS)
         BIO_printf(bio_err,
                    "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
                    "         Your key size is %d! Larger key size may behave not as expected.\n",
-                   OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
+                   OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_bits(pkey));
 
-    pkey = EVP_PKEY_new();
-    if (pkey == NULL) {
-        BIO_printf(bio_err, "unable to allocate PKEY\n");
-        goto end;
-    }
-    if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
-        BIO_printf(bio_err, "unable to associate DSA parameters with PKEY\n");
-        goto end;
-    }
     ctx = EVP_PKEY_CTX_new(pkey, NULL);
     if (ctx == NULL) {
         BIO_printf(bio_err, "unable to create PKEY context\n");
@@ -179,7 +158,6 @@ int gendsa_main(int argc, char **argv)
  end2:
     BIO_free(in);
     BIO_free_all(out);
-    DSA_free(dsa);
     EVP_PKEY_free(pkey);
     EVP_PKEY_CTX_free(ctx);
     release_engine(e);
diff --git a/apps/rsa.c b/apps/rsa.c
index bdfbcf07b8..b65c8fc793 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -30,6 +30,12 @@
  */
 #include <openssl/core_dispatch.h>
 
+#ifndef OPENSSL_NO_RC4
+# define DEFAULT_PVK_ENCR_STRENGTH      2
+#else
+# define DEFAULT_PVK_ENCR_STRENGTH      0
+#endif
+
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
@@ -69,10 +75,12 @@ const OPTIONS rsa_options[] = {
     {"traditional", OPT_TRADITIONAL, '-',
      "Use traditional format for private keys"},
 
+#ifndef OPENSSL_NO_RC4
     OPT_SECTION("PVK"),
     {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
     {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
     {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
+#endif
 
     OPT_PROV_OPTIONS,
     {NULL}
@@ -90,7 +98,7 @@ int rsa_main(int argc, char **argv)
     int private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
     int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-    int pvk_encr = 2;
+    int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     OPTION_CHOICE o;
     int traditional = 0;
     const char *output_type = NULL;
diff --git a/apps/x509.c b/apps/x509.c
index a82682bc11..5de25c1e2c 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -755,7 +755,6 @@ int x509_main(int argc, char **argv)
                     goto end;
                 }
                 BIO_printf(out, "Modulus=");
-#ifndef OPENSSL_NO_RSA
                 if (EVP_PKEY_is_a(pkey, "RSA")) {
                     BIGNUM *n;
 
@@ -763,16 +762,14 @@ int x509_main(int argc, char **argv)
                     EVP_PKEY_get_bn_param(pkey, "n", &n);
                     BN_print(out, n);
                     BN_free(n);
-                } else
-#endif
-#ifndef OPENSSL_NO_DSA
-                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) {
-                    const BIGNUM *dsapub = NULL;
-                    DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL);
+                } else if (EVP_PKEY_is_a(pkey, "DSA")) {
+                    BIGNUM *dsapub;
+
+                    /* Every DSA key has an 'pub' */
+                    EVP_PKEY_get_bn_param(pkey, "pub", &dsapub);
                     BN_print(out, dsapub);
-                } else
-#endif
-                {
+                    BN_free(dsapub);
+                } else {
                     BIO_printf(out, "Wrong Algorithm type");
                 }
                 BIO_printf(out, "\n");