"Downgrade" provider-native keys to legacy where needed
[openssl.git] / crypto / pkcs7 / pk7_lib.c
index 797d1d2c25f8c6fad83a44138bfd7efe005e2161..d891ca22e8db608a65065f7e3229a1991dd0e6c6 100644 (file)
@@ -319,6 +319,17 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
           ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
         goto err;
 
+    /*
+     * TODO(3.0) Adapt for provider-native keys
+     * Meanwhile, we downgrade the key.
+     * #legacy
+     */
+    if (!evp_pkey_downgrade(pkey)) {
+        PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET,
+                 PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+        goto err;
+    }
+
     /* lets keep the pkey around for a while */
     EVP_PKEY_up_ref(pkey);
     p7i->pkey = pkey;
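Review bot: The added `evp_pkey_downgrade(pkey)` call operates on the caller's key object, not a private copy, and it runs after the issuer and serial number have already been written into `p7i`, so a failed downgrade returns with `p7i` partly populated. The helper is not visible here, but its signature suggests it converts the key in place; if so, every other holder of that `EVP_PKEY` sees a legacy key afterwards, which matters when the key is shared across threads or still needed by provider-based code. I would state that in the comment, e.g. `/* NOTE: converts the caller's pkey in place; other references to it become legacy too */`. Moving the check to the top of the function, before any field of `p7i` is modified, would keep the failure path free of side effects. The function body starts and ends outside this hunk, so where the first write to `p7i` happens should be confirmed against the full source.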