And is there a way to disable this check, other than $-w = false?

An explicit check to determine if a cert matches a private key is quite
useful, such as determining which of the 3 certs in a PEM file match the
private key. In such cases, raising a warning is inappropriate. I am
calling the API so I can tell if it's the right key for a specific
cert... why should I get this warning?

This smells like a hack :-(

If somehow a response of Qfalse is considered "dangerous", raising an
exception would be more appropriate, easier to deal with by the caller,
and would also require explicit rescuing.


static VALUE
ossl_x509_check_private_key(VALUE self, VALUE key)
{
    X509 *x509;
    EVP_PKEY *pkey;

    /* not needed private key, but should be */
    pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
    GetX509(self, x509);
    if (!X509_check_private_key(x509, pkey)) {
        OSSL_Warning("Check private key:%s", OSSL_ErrMsg()); /* <---why? */
        return Qfalse;
    }

    return Qtrue;
}


Btw, this is my workaround:

module OpenSSL
    module X509
        class Certificate
            def check_private_key?(k)
                w = $-w
                $-w = false
                ok = check_private_key(k)
                $-w = w
                ok
            end
            def check_private_key!(k)
                raise "key doesn't match the cert!" unless check_private_key?(k)
                self
            end
        end
    end
end