pkcs11-tool to use OpenSSL libctx #2715
Conversation
|
https://github.com/simo5 can you have a look at this PR. And if you want, add to #2712? |
|
I am in favor of this if you find it useful, but pkcs11-tool is an end-user applciation, so it can definitely use the default context as its use will never conflict with anything else (except bad libraries perhaps). |
Requested OpenSC#2715 (review) On branch ossl_lib_ctx-pkcs11-tool Changes to be committed: modified: src/tools/pkcs11-tool.c
This is in addition to "Introduce use of custom ossl libctx with OpenSSL >= 3.0" OpenSC#2712 pkcs11-tool uses some functions found in libopensc, but does not create a sc_context like other OpenSC tools as the pkcs11 module can be any pkscs11 module. There is one OpenSSL function "d2i_PUBKEY_bio" that does not have an equivalent "d2i_PUBKEY_ex_bio" in 3.0.8. It is listed in OpenSSL master. See: openssl/openssl#18427 On branch ossl_lib_ctx-pkcs11-tool Changes to be committed: modified: src/tools/pkcs11-tool.c
Requested OpenSC#2715 (review) On branch ossl_lib_ctx-pkcs11-tool Changes to be committed: modified: src/tools/pkcs11-tool.c
Jakuje
left a comment
Jakuje
left a comment
There was a problem hiding this comment.
two minor comments, but generally looks ok. I did not check though all the OpenSSL uses.
src/tools/pkcs11-tool.c
Outdated
| #endif | ||
|
|
||
| #if OPENSSL_VERSION_NUMBER >= 0x30000000L | ||
| if (!osslctx) { |
There was a problem hiding this comment.
we are in main. Is this check needed? I think in this case, it will be always true, unless we will introduce some wild goto logic. The same for the default_provider check below
There was a problem hiding this comment.
The tests could be removed if you want.
src/tools/pkcs11-tool.c
Outdated
| util_fatal("cannot parse EC_PARAMS"); | ||
| EVP_PKEY_assign_EC_KEY(pkey, ec); | ||
| #else | ||
| /* TODO needs debugging */ |
There was a problem hiding this comment.
does this mean that it does not work now or something else? The comment is not much self-explanatory.
There was a problem hiding this comment.
It was meant that I did not test this and pkcs11-tool --test does not test ECDSA. I will try pkcs11-tool -sign with an ec key and verify the signature.
Address comments On branch ossl_lib_ctx-pkcs11-tool Changes to be committed: modified: pkcs11-tool.c
dengert
force-pushed
the
ossl_lib_ctx-pkcs11-tool
branch
from
f216aa8 to
e183a0c
Compare
|
I addressed the two comments from above and forced pushed an update. Also tested with OpenSSL 3.0.8 and development built with "no-deprecated": |
Requested #2715 (review) On branch ossl_lib_ctx-pkcs11-tool Changes to be committed: modified: src/tools/pkcs11-tool.c
3 participants
This is in addition to "Introduce use of custom ossl libctx with OpenSSL >= 3.0" #2712
pkcs11-tool uses some functions found in libopensc, but does not create a sc_context like other OpenSC tools as the pkcs11 module can be any pkscs11 module.
There is one OpenSSL function "d2i_PUBKEY_bio" that does not have an equivalent "d2i_PUBKEY_ex_bio" in 3.0.8. It is listed in OpenSSL master. See: openssl/openssl#18427
On branch ossl_lib_ctx-pkcs11-tool
Changes to be committed:
modified: src/tools/pkcs11-tool.c
Checklist