[openssl-dev] [RFC v2 2/2] pem: load engine keys
Richard Levitte
levitte at openssl.org
Thu Dec 1 08:30:32 UTC 2016
James Bottomley <James.Bottomley at HansenPartnership.com> skrev: (1 december 2016 07:36:26 CET)
>On Thu, 2016-12-01 at 01:38 +0100, Richard Levitte wrote:
>>
>> James Bottomley <James.Bottomley at HansenPartnership.com> skrev: (1
>> december 2016 00:42:09 CET)
>> > On Thu, 2016-12-01 at 00:22 +0100, Richard Levitte wrote:
>> > > This patch doesn't fit the rest...
>> >
>> > I'm not quite sure I follow why.
>>
>> It casts bp to const char *. That was for your earlier
>> implementation, wasn't it? It doesn't fit the latest incarnation of
>> your API.
>
>Good catch: a leftover I missed the warning for in the spray of other
>compile information. Apparently the debug-linux-x86_64 target doesn't
>have a -Werror ... I've added it so I should pick a problem like this
>up easily.
The debug config targets create binaries that can easily be run through a debugger, nothing more. What you're looking for is the configuration option --strict-warnings.
>> > > Generally speaking, I am unsure about your solution. It seems
>> > > like hack to fit a specific case where something more general
>> > > could be of greater service to others as well.
>> >
>> > Well, the more adaptable patch set was the previous one that
>> > overloaded the meaning of key_id. This one has a specific bio
>> > mechanism for loading PEM files, so it only really works for
>> > engines that have PEM representable unloaded keys (which, to be
>> > fair, is almost all of them, since even the USB crypto keys have a
>> > wrapped format).
>> >
>> > I've tried to make it as generic as possible, but I am conditioned
>> > to think to my use case: TPM keys. If you give an example of
>> > another use case, it will help me see where it should be more
>> > generic.
>>
>> Among other things, I'd rather not encourage an API that inherently
>> makes the engine<->libcrypto tie even tighter. Also, it puts a
>> requirement on the engine to parse PEM, which is unnecessary.
>>
>> Also, we already have thoughts on loading keys by uri references, and
>> there may be new ideas and formats coming in the future. All this is
>> tied together and solving it one small hack at a time is sub-optimal
>> in the long run.
>>
>> I'll repeat myself again, please have a look at the STORE stuff I'm
>> working on. TPM files could very well serve as a first use case.
>
>That's this new pull request:
>
>https://github.com/openssl/openssl/pull/2011/files
Yes.
>Just so I understand you, you mean register a store handler from the
>engine for the TPM BLOB PEM files so that a reference to the file via
>the store can use the PEM file as an EVP_PKEY?
Essentially, yes.
>That will work, I'm just not clear from the current pull request how
>the store would be integrated with the existing PEM file handler ...
>Will every application have to be modified to use the new store, or
>will you hook it like I did for the engine keys?
Generally speaking, I was thinking that applications would move to use the STORE API.
>The think I'm looking for is to have a TPM PEM key file just work in
>place of a standard RSA private key file.
I get your point. That could be med as a call after the PEM_bytes_read_bio call. At that point, the necessary data for an internal store loading are available. It's still a hack, but if you must...
>
>James
>
>
>> > James
>> >
>> >
>> > > Cheers
>> > > Richard
>> > >
>> > > On November 30, 2016 4:27:49 PM GMT+01:00, James Bottomley <
>> > > James.Bottomley at HansenPartnership.com> wrote:
>> > > > Before trying to process the PEM file, hand it to each of the
>> > > > loaded
>> > > > engines to see if they recognise the PEM guards. This uses the
>> > > > new
>> > > > bio based load key callback, so the engine must be loaded and
>> > > > implement this callback to be considered.
>> > > >
>> > > > Signed-off-by: James Bottomley <jejb at linux.vnet.ibm.com>
>> > > > ---
>> > > > crypto/pem/pem_pkey.c | 4 ++++
>> > > > 1 file changed, 4 insertions(+)
>> > > >
>> > > > diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
>> > > > index 04d6319..e3737f0 100644
>> > > > --- a/crypto/pem/pem_pkey.c
>> > > > +++ b/crypto/pem/pem_pkey.c
>> > > > @@ -85,6 +85,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp,
>> > > > EVP_PKEY
>> > > > **x, pem_password_cb *cb,
>> > > > int slen;
>> > > > EVP_PKEY *ret = NULL;
>> > > >
>> > > > + /* first check to see if an engine can load the PEM */
>> > > > + if (ENGINE_find_engine_load_key(NULL, &ret, (const char
>> > > > *)bp,
>> > > > cb,
>> > > > u) == 1)
>> > > > + return ret;
>> > > > +
>> > > > if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY,
>> > > > bp,
>> > > > cb,
>> > > > u))
>> > > > return NULL;
>> > > > p = data;
>> > >
>> > > --
>> > > levitte at openssl.org
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
More information about the openssl-dev
mailing list