arun11299 / cpp-jwt

JSON Web Token library for C++
MIT License

Warnings when compiling examples with OpenSSL 3 #100

Open kiner-shah opened 1 year ago

kiner-shah commented 1 year ago

Library version: v1.4
OS: Linux Ubuntu 22.04
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Command:

cmake -DCPP_JWT_USE_VENDORED_NLOHMANN_JSON=OFF -DCPP_JWT_BUILD_TESTS=OFF ..
make

Please check the attached openssl3_warnings_log.txt.

halfgaar commented 9 months ago

The issues reported seem all or mostly related to:

Deprecated low-level key parameter getters

A uniqued list of errors:

cpp-jwt/include/jwt/algorithm.hpp:288:23: warning: ‘void EC_KEY_free(EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:113:44: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:119:26: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:264:42: warning: ‘ec_key_st* EVP_PKEY_get1_EC_KEY(EVP_PKEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
cpp-jwt/include/jwt/impl/algorithm.ipp:271:58: warning: ‘const EC_GROUP* EC_KEY_get0_group(const EC_KEY*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]

The alternative to EC_KEY_get0_group seems to be to use EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[]). But it's not fully clear to me, and I don't have a dev machine with OpenSSL 3 handy right now to try.

When fixed, it needs some ifdef logic, because OpenSSL 1.1 doesn't have the required functions.

arun11299 commented 9 months ago

@kiner-shah I know it's late :) but is it a possibility that you can submit a PR for the change?

halfgaar commented 9 months ago

If @kiner-shah doesn't, I will probably, sooner or later. We use the lib in several places. I have experience with the OpenSSL API and it doesn't seem that hard to do.

Interestingly, if the use of the low-level attributes of the keys is discouraged, I wonder why they are needed?

arun11299 commented 9 months ago

Thanks @halfgaar. I am rarely touching C++ these days, so not having a lot of bandwidth to fight the build system with different openssl versions.

kiner-shah commented 9 months ago

I won't be able to create a PR, really don't have any experience with OpenSSL.

Please feel free to create one @halfgaar.

On Mon, Feb 12, 2024, 2:30 PM Arun Muralidharan @.***> wrote:

Thanks @halfgaar https://github.com/halfgaar. I am rarely touching C++ these days, so not having a lot of bandwidth to fight the build system with different openssl versions.


halfgaar commented 9 months ago

I did some preliminary research, @arun11299. The deprecation is all in the elliptical curve functions, in getting the size of the big number of the signature. It's calculated manually, like this:

unsigned int degree = EC_GROUP_get_degree(
    EC_KEY_get0_group(ec_key.get()));

unsigned int bn_len = (degree + 7) / 8;

Why is that? If I look at other code on the internet, they don't do that.

If I disable all the EC code, the library still works to verify our RSA keys.
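
Added example (not code from cpp-jwt or from any commenter in this thread): JWS ECDSA signatures (RFC 7518, section 3.4) are the fixed-width concatenation R || S rather than a DER structure, a format that needs each integer's byte length, which is what (degree + 7) / 8 computes. The sketch converts a DER ECDSA-Sig-Value to that raw form without OpenSSL; `bn_len_for_degree`, `der_to_raw` and `kSampleDer` are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Per-integer width in bytes for a curve of `degree` bits (same arithmetic as the quoted snippet).
std::size_t bn_len_for_degree(unsigned degree) { return (degree + 7) / 8; }

// Read one DER length: short form, or long form with 1-2 length bytes.
static std::size_t read_len(const Bytes& d, std::size_t& pos) {
    if (pos >= d.size()) throw std::runtime_error("truncated length");
    std::size_t len = d[pos++];
    if (len < 0x80) return len;
    std::size_t n = len & 0x7f;
    if (n == 0 || n > 2 || pos + n > d.size()) throw std::runtime_error("bad length");
    len = 0;
    while (n--) len = (len << 8) | d[pos++];
    return len;
}

// Read one DER INTEGER and write it right-aligned into out[0..width).
static void read_int(const Bytes& d, std::size_t& pos, std::uint8_t* out, std::size_t width) {
    if (pos >= d.size() || d[pos++] != 0x02) throw std::runtime_error("expected INTEGER");
    std::size_t len = read_len(d, pos);
    if (len == 0 || pos + len > d.size()) throw std::runtime_error("bad INTEGER");
    if (d[pos] & 0x80) throw std::runtime_error("negative INTEGER");
    // DER prepends 0x00 when the top bit of the value is set; drop leading zeros.
    while (len > 1 && d[pos] == 0x00) { ++pos; --len; }
    if (len > width) throw std::runtime_error("INTEGER wider than curve");
    for (std::size_t i = 0; i < len; ++i) out[width - len + i] = d[pos + i];
    pos += len;
}

// Convert DER ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } to raw R || S.
Bytes der_to_raw(const Bytes& der, unsigned degree) {
    const std::size_t w = bn_len_for_degree(degree);
    std::size_t pos = 0;
    if (der.empty() || der[pos++] != 0x30) throw std::runtime_error("expected SEQUENCE");
    const std::size_t seq_len = read_len(der, pos);
    if (seq_len != der.size() - pos) throw std::runtime_error("length mismatch");
    Bytes raw(2 * w, 0x00);  // zero-filled, so short integers end up left-padded
    read_int(der, pos, raw.data(), w);
    read_int(der, pos, raw.data() + w, w);
    if (pos != der.size()) throw std::runtime_error("trailing bytes");
    return raw;
}

// Constructed sample, not a real signature: r = 0x80 (needs the DER 0x00 pad), s = 0x01.
const Bytes kSampleDer = {0x30, 0x07, 0x02, 0x02, 0x00, 0x80, 0x02, 0x01, 0x01};
```

For P-521 the width is 66 bytes, so a raw signature is 132 bytes; deriving the width from a hash size instead would truncate it.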