On 17/01/2022 09:49, Tomas Mraz wrote:
On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote:
Hi,

I successfully implemented an OpenSSL v3 provider which provides store and keymgmt, and I can use it to sign a CMS with the following command:

openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider default

However, when I swap the order of providers (in the real-world scenario the providers are configured through the configuration file), i.e.

openssl cms -sign -signer myprov:cert=0014 -provider default -provider myprov

the command stops working.
I return the private key from the store through the reference:
#include <openssl/core.h>          /* OSSL_CALLBACK */
#include <openssl/core_object.h>   /* OSSL_OBJECT_PKEY, OSSL_OBJECT_PARAM_* */
#include <openssl/params.h>        /* OSSL_PARAM_* constructors */

#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))

/* LOADER_CTX and KEYREF are the provider's own types (not shown in the post). */
int construct_ec_key(LOADER_CTX *myloader, OSSL_CALLBACK *object_cb,
                     void *object_cbarg)
{
    static const int object_type = OSSL_OBJECT_PKEY;
    static const char data_type[] = "EC";
    KEYREF ref = { 0, };
    /* The key is handed back by reference (OSSL_OBJECT_PARAM_REFERENCE), not as
     * encoded key data, so the core must resolve it through a keymgmt load(). */
    OSSL_PARAM objparams[] = {
        OSSL_PARAM_int(OSSL_OBJECT_PARAM_TYPE, (int *)&object_type),
        OSSL_PARAM_octet_string(OSSL_OBJECT_PARAM_REFERENCE, &ref, sizeof(ref)),
        OSSL_PARAM_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, (char *)data_type,
                               COUNTOF(data_type) - 1),
        OSSL_PARAM_END,
    };

    /* The callback consumes objparams synchronously, so the stack-local ref is
     * still valid while it runs. */
    return object_cb(objparams, object_cbarg);
}
The try_key_ref function then tries to transform data from the store into the EVP_PKEY. It first looks up a keymgmt that can handle the "EC" data type. Since the default provider is the first one that can do that, it is selected. It then tries to export data from my keymgmt and import it into the selected default keymgmt. But obviously I can't export the private key and the operation fails.
We need to add a fallback in the try_key_ref() to try to fetch the keymgmt from the provider of the store if the key is unexportable. Could you please open an issue?
When my provider is activated before the default one, then everything works because the EVP_PKEY is constructed from my keymgmt.

What am I doing wrong? Shouldn't OpenSSL first try to construct the EVP_PKEY from the provider that actually returned the data? Is there a way to force OpenSSL to use the specified provider (some property "provider=myprov")?
You can set a default property query in the configuration file with "?provider=myprov" as a workaround. That way your provider will be preferred for the operations. However, it might have some unwanted and unexpected consequences.
Please, this is clearly a bug. When the input specifies a specific provider in the key/cert reference ("-signer myprov:cert=0014"), it is a serious bug for the code to ignore that and query other providers from the general priority list. Ditto when a cert storage provider identifies a key: that provider should get first chance to find/provide the key.
Enjoy,
Jakob Bohm
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
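The configuration-file workaround Tomas describes, written out as an added example (not a file from the thread or from OpenSSL itself): both providers are activated from openssl.cnf, as in the poster's real-world setup, and a default property query prefers the provider named myprov from the post; the module path is a placeholder.

```ini
# openssl.cnf fragment (added example). Activates the default provider and the
# poster's provider "myprov", then sets a process-wide default property query.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
myprov = myprov_sect

[default_sect]
activate = 1

[myprov_sect]
# Placeholder path; point this at the real provider module.
module = /path/to/myprov.so
activate = 1

[algorithm_sect]
# The leading "?" makes "provider=myprov" a preference, not a requirement:
# fetches that myprov cannot satisfy still fall through to the default
# provider. Because it applies to every algorithm fetch in the process, keys
# that did not come from myprov are also routed to it when it offers the
# algorithm, which is the kind of side effect Tomas warns about.
default_properties = ?provider=myprov
```

For a one-off check without editing the configuration file, the same query can be passed to the OpenSSL 3 command-line tools with -propquery "?provider=myprov".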