Operating on provider keys causes an immediate crash

[grawity]

Regardless of which provider is used (tpm2 and pkcs11 were both tested, the latter using this workaround), the loaded keys are unusable as .private? leads to a segfault.

$ ruby -v
ruby 3.3.7 (2025-01-15 revision be31f993d7) [x86_64-linux]
$ openssl version
OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)
$ pacman -Q tpm2-openssl pkcs11-provider
tpm2-openssl 1.2.0-1
pkcs11-provider 1.0-1

$ irb -ropenssl
irb> prov = OpenSSL::Provider.load("tpm2")
=> #<OpenSSL::Provider name="tpm2">
irb> key = OpenSSL::PKey.read(File.read("ca.key.tpm"))
=> #<OpenSSL::PKey::RSA:0x00007d16cbe8d370 oid=rsaEncryption>
irb> key.private?
(irb):3: [BUG] Segmentation fault at 0x0000000000000030
ruby 3.3.7 (2025-01-15 revision be31f993d7) [x86_64-linux]

irb> key.private?
(irb):3: [BUG] Segmentation fault at 0x0000000000000030
ruby 3.3.7 (2025-01-15 revision be31f993d7) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0021 p:---- s:0110 e:000109 CFUNC  :private?
c:0020 p:0004 s:0106 e:000105 EVAL   (irb):3 [FINISH]
c:0019 p:---- s:0103 e:000102 CFUNC  :eval
c:0018 p:0020 s:0095 e:000094 METHOD /usr/lib/ruby/3.3.0/irb/workspace.rb:121
c:0017 p:0090 s:0088 e:000087 METHOD /usr/lib/ruby/3.3.0/irb/context.rb:633
c:0016 p:0049 s:0080 e:000079 METHOD /usr/lib/ruby/3.3.0/irb/context.rb:600
c:0015 p:0030 s:0073 e:000072 BLOCK  /usr/lib/ruby/3.3.0/irb.rb:1049
c:0014 p:0024 s:0069 e:000068 METHOD /usr/lib/ruby/3.3.0/irb.rb:1380
c:0013 p:0007 s:0063 e:000062 BLOCK  /usr/lib/ruby/3.3.0/irb.rb:1041
c:0012 p:0024 s:0058 e:000057 BLOCK  /usr/lib/ruby/3.3.0/irb.rb:1120
c:0011 p:0018 s:0054 e:000053 METHOD <internal:kernel>:187
c:0010 p:0004 s:0049 e:000048 METHOD /usr/lib/ruby/3.3.0/irb.rb:1117
c:0009 p:0008 s:0045 e:000044 METHOD /usr/lib/ruby/3.3.0/irb.rb:1040
c:0008 p:0003 s:0041 e:000040 BLOCK  /usr/lib/ruby/3.3.0/irb.rb:1021 [FINISH]
c:0007 p:---- s:0038 e:000037 CFUNC  :catch
c:0006 p:0140 s:0033 E:000208 METHOD /usr/lib/ruby/3.3.0/irb.rb:1020
c:0005 p:0069 s:0022 e:000021 METHOD /usr/lib/ruby/3.3.0/irb.rb:904
c:0004 p:0012 s:0016 e:000015 TOP    /usr/lib/ruby/gems/3.3.0/gems/irb-1.13.1/exe/irb:9 [FINISH]
c:0003 p:---- s:0013 e:000012 CFUNC  :load
c:0002 p:0078 s:0008 E:002700 EVAL   /usr/bin/irb:25 [FINISH]
c:0001 p:0000 s:0003 E:001e30 DUMMY  [FINISH]

-- Ruby level backtrace information ----------------------------------------
/usr/bin/irb:25:in `<main>'
/usr/bin/irb:25:in `load'
/usr/lib/ruby/gems/3.3.0/gems/irb-1.13.1/exe/irb:9:in `<top (required)>'
/usr/lib/ruby/3.3.0/irb.rb:904:in `start'
/usr/lib/ruby/3.3.0/irb.rb:1020:in `run'
/usr/lib/ruby/3.3.0/irb.rb:1020:in `catch'
/usr/lib/ruby/3.3.0/irb.rb:1021:in `block in run'
/usr/lib/ruby/3.3.0/irb.rb:1040:in `eval_input'
/usr/lib/ruby/3.3.0/irb.rb:1117:in `each_top_level_statement'
<internal:kernel>:187:in `loop'
/usr/lib/ruby/3.3.0/irb.rb:1120:in `block in each_top_level_statement'
/usr/lib/ruby/3.3.0/irb.rb:1041:in `block in eval_input'
/usr/lib/ruby/3.3.0/irb.rb:1380:in `signal_status'
/usr/lib/ruby/3.3.0/irb.rb:1049:in `block (2 levels) in eval_input'
/usr/lib/ruby/3.3.0/irb/context.rb:600:in `evaluate'
/usr/lib/ruby/3.3.0/irb/context.rb:633:in `evaluate_expression'
/usr/lib/ruby/3.3.0/irb/workspace.rb:121:in `evaluate'
/usr/lib/ruby/3.3.0/irb/workspace.rb:121:in `eval'
(irb):3:in `<top (required)>'
(irb):3:in `private?'

-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1

-- Machine register context ------------------------------------------------
 RIP: 0x00007d16cb7bdf55 RBP: 0x00007fffdab6f140 RSP: 0x00007fffdab6f108
 RAX: 0x0000000000000000 RBX: 0x0000600ccbf66290 RCX: 0x00007fffdab6f120
 RDX: 0x00007fffdab6f118 RDI: 0x0000000000000000 RSI: 0x0000000000000000
  R8: 0x00007d16e74feac0  R9: 0x0000000000000002 R10: 0x0000000000000018
 R11: 0x00000000ffffffff R12: 0x00007d16cbe8d370 R13: 0x00007d16cbe8d370
 R14: 0x0000000000000000 R15: 0x00007d16e71bb368 EFL: 0x0000000000010206

-- C level backtrace information -------------------------------------------
/usr/lib/libruby.so.3.3(0x7d16e7864962) [0x7d16e7864962]
/usr/lib/libruby.so.3.3(0x7d16e7866dd1) [0x7d16e7866dd1]
/usr/lib/libruby.so.3.3(0x7d16e76b0041) [0x7d16e76b0041]
/usr/lib/libruby.so.3.3(0x7d16e77d4c56) [0x7d16e77d4c56]
/usr/lib/libc.so.6(0x7d16e7353cd0) [0x7d16e7353cd0]
/usr/lib/libcrypto.so.3(RSA_get0_key+0x15) [0x7d16cb7bdf55]
/usr/lib/ruby/3.3.0/x86_64-linux/openssl.so(0x7d16cbc80d36) [0x7d16cbc80d36]
/usr/lib/libruby.so.3.3(0x7d16e7841d37) [0x7d16e7841d37]
/usr/lib/libruby.so.3.3(0x7d16e78496b7) [0x7d16e78496b7]
/usr/lib/libruby.so.3.3(0x7d16e7862e3d) [0x7d16e7862e3d]
/usr/lib/libruby.so.3.3(0x7d16e7841d37) [0x7d16e7841d37]
/usr/lib/libruby.so.3.3(0x7d16e78496b7) [0x7d16e78496b7]
/usr/lib/libruby.so.3.3(0x7d16e7863078) [0x7d16e7863078]
/usr/lib/libruby.so.3.3(0x7d16e784f1d7) [0x7d16e784f1d7]
/usr/lib/libruby.so.3.3(0x7d16e784fab7) [0x7d16e784fab7]
/usr/lib/libruby.so.3.3(rb_catch_obj+0x52) [0x7d16e785a332]
/usr/lib/libruby.so.3.3(0x7d16e7841d37) [0x7d16e7841d37]
/usr/lib/libruby.so.3.3(0x7d16e784c5c5) [0x7d16e784c5c5]
/usr/lib/libruby.so.3.3(0x7d16e7863078) [0x7d16e7863078]
/usr/lib/libruby.so.3.3(0x7d16e771517b) [0x7d16e771517b]
/usr/lib/libruby.so.3.3(0x7d16e7715443) [0x7d16e7715443]
/usr/lib/libruby.so.3.3(0x7d16e7841d37) [0x7d16e7841d37]
/usr/lib/libruby.so.3.3(0x7d16e78496b7) [0x7d16e78496b7]
/usr/lib/libruby.so.3.3(0x7d16e7862e3d) [0x7d16e7862e3d]
/usr/lib/libruby.so.3.3(0x7d16e76b7afc) [0x7d16e76b7afc]
/usr/lib/libruby.so.3.3(ruby_run_node+0x94) [0x7d16e76b9b64]
irb(0x600c94ce108b) [0x600c94ce108b]
/usr/lib/libc.so.6(0x7d16e733d488) [0x7d16e733d488]
/usr/lib/libc.so.6(__libc_start_main+0x8c) [0x7d16e733d54c]
irb(_start+0x25) [0x600c94ce10d5]

[rhenium]

Thank you for reporting! I was able to reproduce it.

It seems that EVP_PKEY_get0{,_RSA}() in OpenSSL 3.0 or later can return NULL even if the pkey has EVP_PKEY_RSA type. Currently this is not checked.

https://docs.openssl.org/3.0/man7/migration_guide/#deprecated-function-mappings