Order of providers breaks my keymgmt

Jakob Bohm jb-openssl at wisemo.com
Mon Jan 17 22:08:58 UTC 2022 

On 17/01/2022 09:49, Tomas Mraz wrote:
> On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote:
>> Hi,
>> I successfully implemented OpenSSL v3 provider which provides store
>> and keymgmt and I can use it to sign a cms with the following
>> command:
>>
>> openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider
>> default
>>
>> However when I swap the order of providers (in the real world
>> scenario
>> the providers are configured through the configuration file), i.e.
>>
>> openssl cms -sign -signer myprov:cert=0014 -provider default -
>> provider myprov
>>
>> the command stops working.
>>
>> I return the private key from the store through the reference:
>>
>> int construct_ec_key(LOADER_CTX *myloader, OSSL_CALLBACK *object_cb,
>> void *object_cbarg) {
>>      static const int object_type = OSSL_OBJECT_PKEY;
>>      static const char data_type[] = "EC";
>>      KEYREF ref = { 0, };
>>      OSSL_PARAM objparams[] = {
>>          OSSL_PARAM_int(OSSL_OBJECT_PARAM_TYPE, (int *)&object_type),
>>          OSSL_PARAM_octet_string(OSSL_OBJECT_PARAM_REFERENCE, &ref,
>> sizeof(ref)),
>>          OSSL_PARAM_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, (char
>> *)data_type, COUNTOF(data_type) - 1),
>>          OSSL_PARAM_END,
>>      };
>>      return object_cb(objparams, object_cbarg);
>> }
>>
>> The try_key_ref function then tries to transform data from the store
>> into the EVP_PKEY. It first looks up a keymgmt that can handle the
>> "EC" data type. Since the default provider is the first one that can
>> do that it is selected. It then tries to export data from my keymgmt
>> and import it into the selected default keymgmt. But obviously I
>> can't
>> export the private key and the operation fails.
> We need to add a fallback in the try_key_ref() to try to fetch the
> keymgmt from the provider of the store if the key is unexportable.
> Could you please open an issue?
>
>
>> When my provider is activated before the default one then everything
>> works because the EVP_PKEY is constructed from my keymgmt.
>>
>> What am I doing wrong? Shouldn't OpenSSL first try to construct
>> EVP_PKEY from the provider it actually returned the data? Is there a
>> way to force OpenSSL to use the specified provider (some property
>> "provider=myprov")?
> You can set a default property query in the configuration file with
> "?provider=myprov" as a workaround. That way your provider will be
> preferred for the operations. However it might have some unwanted and
> unexpected consequences.
>
Please, this is clearly a bug.  When the input specifies a specific
providerin the key/cert reference ("-signer myprov:cert=0014"), it
is a serious bug for the code to ignore that and query other
providers from the general priority list.  Ditto when a cert storage
provider identifies a key, that provider should get first chance to
find/provide thekey.

Enjoy,


Jakob Bohm

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list