provider: add OpenSSL::Provider#add_conf_parameter

rhenium · rhenium · commit 3b0b74adc673 · 2025-04-30T19:20:58.000+09:00
Expose OSSL_PROVIDER_add_conf_parameter() for OpenSSL 3.5. This allows
setting parameters for an OpenSSL provider directly from Ruby code.

Currently, configuring providers requires a configuration file and
setting the OPENSSL_CONF environment variable before OpenSSL is
initialized.
diff --git a/ext/openssl/ossl_provider.c b/ext/openssl/ossl_provider.c
@@ -184,6 +184,30 @@ ossl_provider_inspect(VALUE self)
                       rb_obj_class(self), OSSL_PROVIDER_get0_name(prov));
 }
 
+#if OSSL_OPENSSL_PREREQ(3, 5, 0)
+/*
+ * call-seq:
+ *    provider.add_conf_parameter(name, value) -> nil
+ *
+ * Sets the provider configuration parameter _name_ to _value_. Both name and
+ * value must be given as strings.
+ *
+ * See the documentation of the provider for possible parameters. See also the
+ * man page OSSL_PROVIDER_add_conf_parameter(3).
+ */
+static VALUE
+ossl_provider_add_conf_parameter(VALUE self, VALUE name, VALUE value)
+{
+    OSSL_PROVIDER *prov;
+
+    GetProvider(self, prov);
+    if (OSSL_PROVIDER_add_conf_parameter(prov, StringValueCStr(name),
+                                         StringValueCStr(value)) != 1)
+        ossl_raise(eProviderError, "OSSL_PROVIDER_add_conf_parameter");
+    return Qnil;
+}
+#endif
+
 void
 Init_ossl_provider(void)
 {
@@ -202,6 +226,9 @@ Init_ossl_provider(void)
     rb_define_method(cProvider, "unload", ossl_provider_unload, 0);
     rb_define_method(cProvider, "name", ossl_provider_get_name, 0);
     rb_define_method(cProvider, "inspect", ossl_provider_inspect, 0);
+#if OSSL_OPENSSL_PREREQ(3, 5, 0)
+    rb_define_method(cProvider, "add_conf_parameter", ossl_provider_add_conf_parameter, 2);
+#endif
 }
 #else
 void
diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
@@ -70,6 +70,27 @@ def test_openssl_legacy_provider
     end;
   end
 
+  def test_add_conf_parameter
+    with_openssl <<-'end;'
+      prov = OpenSSL::Provider.load("null")
+      assert_raise(TypeError) { prov.add_conf_parameter("foo", nil) }
+    end;
+
+    # This assumes that ML-DSA is provided by the "default" provider, which
+    # may not always be the case.
+    # TODO: OpenSSL::PKey should allow specifying the provider to use
+    return if OpenSSL.fips_mode
+    with_openssl <<-'end;'
+      pkey = OpenSSL::PKey.generate_key("ML-DSA-87")
+      out_a = pkey.private_to_der
+      prov = OpenSSL::Provider.load("default")
+      prov.add_conf_parameter("ml-dsa.output_formats", "seed-only")
+      out_b = pkey.private_to_der
+      omit "ML-DSA not provided by the \"default\" provider?" if out_a == out_b
+      assert_not_equal(out_a, out_b)
+    end;
+  end if openssl?(3, 5, 0)
+
   private
 
   # this is required because OpenSSL::Provider methods change global state
