Implement domparam and key generation #10289
Merged
openssl-machine merged 5 commits into openssl:master from Mar 12, 2020
richsalz reviewed Oct 29, 2019
slontis reviewed Nov 7, 2019
slontis reviewed Nov 7, 2019
Member
Author
I just tried a merge of this with #10390, #10391 and #10394, and finally got what I wanted, provider backed key generation, as well as PEM output (through provided serializer):
Contributor
That is very very cool!
Member
Author
I put this back in WIP. It needs DH and DSA implementations as well to be somewhat complete.
slontis previously approved these changes Mar 10, 2020
Member
Something bad has happened in travis.
Contributor
That sounds like the title for a great horror movie. :)
Member
It is just a generated file issue with libcrypto.num.
levitte commented Mar 11, 2020
Member
Author
Even Travis seems happy
We introduce these dispatched functions:
- OP_keymgmt_gen_init() to initialize the key object generation.
- OP_keymgmt_gen_set_template() to set a template for key object
generation. The template is another key object, for example one
with domain parameters.
- OP_keymgmt_gen_set_params() to set other key object generation
parameters.
- OP_keymgmt_gen_settable_params() to find out what settable
parameters there are.
- OP_keymgmt_gen() to perform the key object generation.
- OP_keymgmt_gen_cleanup() to clean up the key object generation.
Internal functions for easy and consistent use of these dispatched
functions are added.
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#10289)
The following functions are added:
- EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl()
- EVP_PKEY_gen(), replacing both EVP_PKEY_keygen() and
EVP_PKEY_paramgen()
These functions are made to work together with already existing domparams and key generation functionality: EVP_PKEY_CTX_new_provided(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen_init(), etc.
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#10289)
This includes added support in legacy controls
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#10289)
There was a misunderstanding what it should return. It should return 0 on internal error, but 1 even if the thing it tests fails (the error is determined by |t->err|).
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#10289)
…result
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#10289)
This turned out to be a fairly big ordeal. To begin with, our libcrypto<->provider interface couldn't support the way things are done in the EVP_PKEY API in a sane manner, so this needed to be redesigned a bit.
Furthermore, domparam and key generation use an application callback to give the user some feedback when the key is created, and that support needs to be extended to providers. However, it would be very unsafe to just pass some random function pointer directly to the provider methods, so with some inspiration from BN_GENCB, I created a new callback type that is used by libcrypto to pass the necessary data to the provider, which then ends up calling an upcall that knows exactly how to handle that structure.
Please read the individual commits for more information.
NOTE: apart from making a key that can be used immediately, this functionality is of little use because we have no way of extracting key data to create PEM files from. That's a matter for another PR, and is also the reason why this PR is currently WIP / draft.
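A simplified model of the callback arrangement the description above outlines, as an added example that is not OpenSSL's code or part of this pull request: the provider receives only a fixed upcall plus an opaque argument, and the upcall alone unpacks the wrapper and invokes the application's progress callback. Every type, function and parameter key below is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model: none of these names are OpenSSL's. */
typedef struct { const char *key; int value; } param_t;    /* progress datum */
typedef int upcall_fn(const param_t params[], void *arg);  /* all the provider calls */
typedef int app_cb_fn(int p, int n, void *app_arg);        /* application callback */
struct gen_cb { app_cb_fn *app_cb; void *app_arg; };       /* libcrypto's wrapper */

/* libcrypto side: fixed upcall that knows how to unpack struct gen_cb. */
static int gen_upcall(const param_t params[], void *arg)
{
    struct gen_cb *gcb = arg;
    int p = 0, n = 0;
    if (gcb == NULL || gcb->app_cb == NULL) return 1;  /* no feedback requested */
    for (; params != NULL && params->key != NULL; params++) {
        if (strcmp(params->key, "potential") == 0) p = params->value;
        else if (strcmp(params->key, "iteration") == 0) n = params->value;
    }
    return gcb->app_cb(p, n, gcb->app_arg);            /* 0 asks to abort */
}

/* Provider side: reports progress as data and treats cbarg as opaque. */
static int provider_gen(int rounds, upcall_fn *cb, void *cbarg)
{
    for (int i = 0; i < rounds; i++) {
        param_t progress[] = { {"potential", 0}, {"iteration", i}, {NULL, 0} };
        if (cb != NULL && !cb(progress, cbarg))
            return 0;                                  /* generation cancelled */
    }
    return 1;
}

/* Application side: counts calls and aborts once iteration reaches limit. */
struct app_state { int calls; int limit; };
static int app_progress(int p, int n, void *app_arg)
{
    struct app_state *st = app_arg;
    (void)p;
    st->calls++;
    return n < st->limit;
}

/* Wires the three sides together for one generation; returns its status. */
static int run_gen(int rounds, struct app_state *st)
{
    struct gen_cb gcb = { app_progress, st };
    return provider_gen(rounds, gen_upcall, &gcb);
}

int main(void) { struct app_state st = { 0, 100 }; return !run_gen(5, &st); }
```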