Migrating EC_KEY "deprecated low-level key parameter setters" from OpenSSL 1.1 to OpenSSL 3

[AustinMayerhofer]

When following the migration guide, I'm running into difficulties finding replacements for some of the deprecated low-level key parameter setters (EC_KEY_set_group(), EC_KEY_set_private_key(), EC_KEY_set_public_key(), etc.)

Take the code:

ec_group = EC_KEY_get0_group(other_ec_key);
ec_key = EC_KEY_new();
EC_KEY_set_group(ec_key, ec_group);
o2i_ECPublicKey(&ec_key, &encoded_key, encoded_key_len);
EC_KEY_set_private_key(ec_key, bn);

The migration guide says to use EVP_PKEY_fromdata(), does that apply in this situation? Use EVP_PKEY_KEY_PARAMETERS for the "selection" arg and "group" and "priv" for params?

Assuming the above, that begs the question about the call to o2i_ECPublicKey():

When I asked for a replacement for o2i_ECPublicKey, #23820 said to use EVP_PKEY_set1_encoded_public_key(), am I able to do that after calling EVP_PKEY_fromdata(), given the migration guide says "Keys should be immutable once they are created"?

Thanks for any help or a point in the right direction.

[t8m]

There are two options. Either you can use the encoded public key that you passed into o2i_ECPublicKey() with EVP_PKEY_fromdata() directly - use the OSSL_PKEY_PARAM_PUB_KEY param. Or you can actually call EVP_PKEY_set1_encoded_public_key() on an EVP_PKEY with just the parameters (i.e., the EC group name) set. This is an exception from the immutability rule (there is just should in the sentence).