Discarding the const from EVP_PKEY_get0_RSA() and EVP_PKEY_get0_EC_KEY()

[mspncp]

The code base in my company (which was ported from 1.0.2 to 1.1.1 not too long ago) still has many locations where EVP_PKEY_get0_RSA() and EVP_PKEY_get0_EC_KEY() are used to access the lower level RSA resp. EC_KEY api. The plan is to migrate those locations to EVP in the future, but currently I need the code just to compile as it is, without too many changes.

Porting to 3.1, I get compiler errors because the pointers returned by EVP_PKEY_get0_*() have been constified. However, a non-const pointer is required to call RSA_{public,private}_{encrypt,decrypt}() or RSA_{sign,verify}_*().

Looking at the following comments, which where added by @mattcaswell in commit 5dc6489, it seems to be safe to discard the const, because the signing and verifying operations don't modify the keys. At least this seems to hold as long as the EVP_PKEY contains a native legacy key and not a provided (third-party?) key.

openssl/crypto/rsa/rsa_pmeth.c

Lines 142 to 146 in 66f61ec

	* Discard const. Its marked as const because this may be a cached copy of
	* the "real" key. These calls don't make any modifications that need to
	* be reflected back in the "original" key.
	*/
	RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey);

openssl/crypto/ec/ec_pmeth.c

Lines 110 to 115 in 66f61ec

	/*
	* Discard const. Its marked as const because this may be a cached copy of
	* the "real" key. These calls don't make any modifications that need to
	* be reflected back in the "original" key.
	*/
	EC_KEY *ec = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey);

Is it true that it is safe to discard the const for low level signing operations also in application code under the assumption that only OpenSSL providers (default, fips, legacy) are used?

RSA *rsa = (RSA*)EVP_PKEY_get0_RSA(rsaKey);
EC_KEY *ec =(EC_KEY*)EVP_PKEY_get0_EC_KEY(ecKey);

[mattcaswell]

Yes it should be fine. The main point to realise is that any changes made to a low level key won't be reflected back in the provider side key. I haven't gone through the various RSA_* functions to see why they are currently non-const - but it is likely to be related to caching of BN_BLINDING. Just don't go making changes to the various params p, q, etc and expect those updates to be reflected back in the provider side key.