On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote:
> Hi,
> I successfully implemented an OpenSSL v3 provider which provides store
> and keymgmt and I can use it to sign a CMS with the following
> command:
>
> openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default
>
> However when I swap the order of providers (in the real world scenario
> the providers are configured through the configuration file), i.e.
>
> openssl cms -sign -signer myprov:cert=0014 -provider default -provider myprov
>
> the command stops working.
>
> I return the private key from the store through the reference:
>
> int construct_ec_key(LOADER_CTX *myloader, OSSL_CALLBACK *object_cb,
>                      void *object_cbarg) {
>     static const int object_type = OSSL_OBJECT_PKEY;
>     static const char data_type[] = "EC";
>     KEYREF ref = { 0, };
>     OSSL_PARAM objparams[] = {
>         OSSL_PARAM_int(OSSL_OBJECT_PARAM_TYPE, (int *)&object_type),
>         OSSL_PARAM_octet_string(OSSL_OBJECT_PARAM_REFERENCE, &ref, sizeof(ref)),
>         OSSL_PARAM_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, (char *)data_type,
>                                COUNTOF(data_type) - 1),
>         OSSL_PARAM_END,
>     };
>     return object_cb(objparams, object_cbarg);
> }
>
> The try_key_ref function then tries to transform data from the store
> into the EVP_PKEY. It first looks up a keymgmt that can handle the
> "EC" data type. Since the default provider is the first one that can
> do that, it is selected. It then tries to export data from my keymgmt
> and import it into the selected default keymgmt. But obviously I can't
> export the private key and the operation fails.

We need to add a fallback in the try_key_ref() to try to fetch the keymgmt
from the provider of the store if the key is unexportable. Could you please
open an issue?

> When my provider is activated before the default one then everything
> works because the EVP_PKEY is constructed from my keymgmt.
>
> What am I doing wrong? Shouldn't OpenSSL first try to construct the
> EVP_PKEY from the provider that actually returned the data? Is there a
> way to force OpenSSL to use the specified provider (some property
> "provider=myprov")?

You can set a default property query in the configuration file with
"?provider=myprov" as a workaround. That way your provider will be preferred
for the operations. However it might have some unwanted and unexpected
consequences.

-- 
Tomáš Mráz, OpenSSL
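The configuration-file workaround Tomáš describes, written out as an added example (it is not part of the thread and not an OpenSSL-project file): both providers are activated from `openssl.cnf`, and the `default_properties` setting in the algorithm section applies the `?provider=myprov` query to every fetch. The provider name `myprov` comes from the thread; the module path is a placeholder you must replace with the real location of the provider shared object.

```ini
# openssl.cnf (added example, not from the original thread)
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
myprov = myprov_sect

[default_sect]
activate = 1

[myprov_sect]
# Placeholder path: point this at the actual provider module.
module = /PATH/TO/myprov.so
activate = 1

[algorithm_sect]
# The leading "?" makes the property optional: implementations from
# "myprov" are preferred when available, but an algorithm that only the
# default provider implements is still fetched from there instead of
# failing outright. Without the "?", fetches of anything myprov does not
# implement would fail.
default_properties = "?provider=myprov"
```

Because this query applies process-wide, every operation in every application that loads this configuration, not just the `openssl cms -sign` run, now prefers `myprov` for any algorithm it implements; that is the "unwanted and unexpected consequences" caveat from the reply, so check which algorithms your provider advertises before deploying it. If you want the preference limited to one invocation, the OpenSSL 3 command-line tools also accept `-propquery "?provider=myprov"` instead of a global setting.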