Order of providers breaks my keymgmt
Tomas Mraz
tomas at openssl.org
Mon Jan 17 08:49:54 UTC 2022
On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote:
> Hi,
> I successfully implemented OpenSSL v3 provider which provides store
> and keymgmt and I can use it to sign a cms with the following
> command:
>
> openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default
>
> However when I swap the order of providers (in the real world scenario
> the providers are configured through the configuration file), i.e.
>
> openssl cms -sign -signer myprov:cert=0014 -provider default -provider myprov
>
> the command stops working.
>
> I return the private key from the store through the reference:
>
> int construct_ec_key(LOADER_CTX *myloader, OSSL_CALLBACK *object_cb,
>                      void *object_cbarg)
> {
>     static const int object_type = OSSL_OBJECT_PKEY;
>     static const char data_type[] = "EC";
>     KEYREF ref = { 0, };
>     /* Hand the key back to the core as an opaque reference, not as key data */
>     OSSL_PARAM objparams[] = {
>         OSSL_PARAM_int(OSSL_OBJECT_PARAM_TYPE, (int *)&object_type),
>         OSSL_PARAM_octet_string(OSSL_OBJECT_PARAM_REFERENCE, &ref, sizeof(ref)),
>         OSSL_PARAM_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, (char *)data_type,
>                                COUNTOF(data_type) - 1),
>         OSSL_PARAM_END,
>     };
>     return object_cb(objparams, object_cbarg);
> }
>
> The try_key_ref function then tries to transform data from the store
> into the EVP_PKEY. It first looks up a keymgmt that can handle the
> "EC" data type. Since the default provider is the first one that can
> do that it is selected. It then tries to export data from my keymgmt
> and import it into the selected default keymgmt. But obviously I can't
> export the private key and the operation fails.
We need to add a fallback in the try_key_ref() to try to fetch the
keymgmt from the provider of the store if the key is unexportable.
Could you please open an issue?
> When my provider is activated before the default one then everything
> works because the EVP_PKEY is constructed from my keymgmt.
>
> What am I doing wrong? Shouldn't OpenSSL first try to construct the
> EVP_PKEY from the provider that actually returned the data? Is there a
> way to force OpenSSL to use the specified provider (some property
> "provider=myprov")?
You can set a default property query in the configuration file with
"?provider=myprov" as a workaround. That way your provider will be
preferred for the operations. However, it might have some unwanted and
unexpected consequences.
--
Tomáš Mráz, OpenSSL
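The workaround Tomas describes, written out as an openssl.cnf fragment. This is an added example, not something posted in the thread: both providers are activated from the config file (so the order on the command line no longer matters) and the algorithm section sets the default property query. The module path and the section names are assumptions.

```ini
# Added example (not from the thread): openssl.cnf with both providers
# activated and a default property query preferring "myprov".
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
myprov = myprov_sect

[default_sect]
activate = 1

[myprov_sect]
# Path to the provider module is an assumption; adjust to the real location.
module = /usr/local/lib/ossl-modules/myprov.so
activate = 1

[algorithm_sect]
# The leading "?" makes the property optional: algorithms that myprov does
# not implement still fall back to the default provider.
default_properties = ?provider=myprov
```

Because the query is global, every algorithm myprov implements is now preferred for every operation, not only for keys loaded from its store; check which operations it implements before relying on this.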