From: Theo Buehler
Subject: Re: relayd: RSA key support only
To: Rafael Sadowski
Cc: tech@openbsd.org
Date: Thu, 5 Mar 2026 08:51:03 +0100

On Thu, Mar 05, 2026 at 08:32:22AM +0100, Rafael Sadowski wrote:
> This prints an appropriate error message if someone does not use an RSA
> key.

I don't understand relayd code well, but I think this is very late and
only hit when the relay is actually used, no? I suggested pkey_add()
since that's where the keys are added to the env->sc_pkeys queue and
it's the common code after the two PEM_read_bio_PrivateKey().

>
> OK?
>
> Index: ca.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> diff -u -p -r1.50 ca.c
> --- ca.c	5 Mar 2026 07:27:01 -0000	1.50
> +++ ca.c	5 Mar 2026 07:29:19 -0000
> @@ -250,6 +250,9 @@ ca_dispatch_relay(int fd, struct privsep
>  		break;
>  	}
>  
> +	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
> +		fatalx("%s: key is not a RSA key", __func__);
> +
>  	if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL)
>  		fatalx("%s: invalid relay key", __func__);
>  
>
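Review bot: the new EVP_PKEY_base_id() check in ca_dispatch_relay() runs only when a relay actually uses the key, and it sits directly above the EVP_PKEY_get1_RSA() NULL check that already fails for a non-RSA key, so it improves the message but not the point of failure; doing the check once in the common path after the two PEM_read_bio_PrivateKey() calls (pkey_add(), as suggested upthread) would reject a non-RSA key at configuration load instead of at first use. Minor: the message "key is not a RSA key" should read "an RSA key".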