OpenSSL3 provider support #540
base: master
Conversation
* Missing function declarations
* Incorrect automake rule
* return values for non-void return
* provider lib compiles only if OpenSSL3
* obj list for MS builds
* unused variables
* signedness in loops
* do not compile provider library if not OpenSSL3
* Revert autoconfig required version number
* Adding basic OpenSSL 3 provider capabilities
* Remove unwanted file
* Remove unwanted files
* Correcting typos
* Correcting CI check failures
* Missing function declarations
* Incorrect automake rule
* Correcting CI errors
* return values for non-void return
* provider lib compiles only if OpenSSL3
* obj list for MS builds
* Correcting CI issues
* unused variables
* signedness in loops
* do not compile provider library if not OpenSSL3
* Correcting accidental change
* Revert autoconfig required version number
* Fix DES reference
* Revert configure.ac accidental changes
* Deprecated algorithm warning corrected
…into feature/provider
* Adding basic OpenSSL 3 provider capabilities
* Remove unwanted file
* Remove unwanted files
* Correcting typos
* Correcting CI check failures
* Missing function declarations
* Incorrect automake rule
* Correcting CI errors
* return values for non-void return
* provider lib compiles only if OpenSSL3
* obj list for MS builds
* Correcting CI issues
* unused variables
* signedness in loops
* do not compile provider library if not OpenSSL3
* Correcting accidental change
* Revert autoconfig required version number
* Fix DES reference
* Revert configure.ac accidental changes
* Deprecated algorithm warning corrected
* Fix module unload crash, add some tests
* Test fix and error reporting fixes
* Fix Windows modules check
* Fix Mac compile errors
This PR is too large to merge as a single unit. Please split it into individual features, beginning with the libp11 API extension, and submit each feature as a separate pull request.
@patzol768 Are you still interested in getting this feature merged? It would be great to have it merged, but there are way too many unrelated changes in this PR. I'm fine with merging an unstable new feature as long as it doesn't break the existing functionalities, which are used for business-critical applications. Therefore, any changes to the existing code need to be justified, reviewed and thoroughly tested.
Nice to see mods to libp11 to use OpenSSL 3 providers, as engines will be deprecated some time soon. There is at least one other project that is developing a PKCS11 provider: https://github.com/latchset/pkcs11-provider It is quite active with multiple contributors. I would suggest that any names for modules or env names used in opensc.cnf files include "libp11" or "LIBP11" in the names. For example The name I am building on Ubuntu-24.04 with OpenSSL 3.3.2 to install in
The opensc-debug.log shows opensc-pkcs11.so was loaded, and accessed the card and last PKCS11 line was: Looks like OpenSSL is expecting pkcs11prov to have a store loader
And a rebase of this PR would be good.
I have gotten further using
This appears as the provider is calling the pkcs11 module to do the SHA256 digest for the CSR.
And that is as much of the opensc-debug.log that has been written to disk. What looks strange is extra calls to The OpenSC PKCS11 module lists these mechanisms, note that since there is no "hw" bit set, the pkcs11 module is doing the operation in software, i.e.
Using OpenSSL 3.3.1 and adding
You mean - adding to the pkcs11 provider section? Perhaps, posting here a direct quote from your
@mouse07410, I just got it working once and need to clean up what I did, as the I basically followed: The build built the engine and installed in So it looks like this PR adds I spent the last few days seeing if this PR works or not, and it works for the case, and it looks like it could easily be used by other libp11 users to convert from engine to provider. And it looks like using this provider with some simple additional mods to libp11 it could also support Ed25519, X25519, Ed448 and X448 too. See OpenSC/OpenSC#3090 The change to opensc.cnf looked like:
And run this command where:
Hi Everyone,
here are some changes to begin supporting OpenSSL3 providers.
Key generation, sign + verify, encrypt + decrypt are available, though it requires a lot-lot-lot of additional testing and maybe some fixes. Please check the prov-openssl.sh in tests. I have no access to real HSM devices, hence everything was made with Opencryptoki's SW token.