EXPERIMENTAL: remove all the legacy bits from a EVP_PKEY #10797
levitte wants to merge 6 commits into openssl:master
Among functions where we have almost no support for provider only keys is
I just added Incidentally, I looked into some of them that took me by surprise.
#11126 was a bit of a surprise... so it turns out that there's code in a few subsystems that are bypassing other central subsystems like EVP and ASN1 and call their backends directly, so weren't at all caught by this experiment (yet). CRMF seems to be one of them, I suspect CMS and a couple of others are similar. That means that we can expect to find a few "surprises" like that one...
All the PRs that were identified here are now merged, so a rebase was in order. I still expect to see failures, but not quite as many. I also have another experiment in the making that specifically targets the sub-systems
Closing this PR, as it seems to have served its purpose. Some of the failures are still potentially there, but we do not need to do explicit deassignment of the legacy part of an EVP_PKEY to trigger them any more, as the key generation code is now serving us with such EVP_PKEYs and triggering code that hasn't been adapted for such keys yet.
Resurrecting this branch, to test #11422. Throw everything I have at it, basically...
This is a function that removes all the legacy bits from an EVP_PKEY.
paulidale left a comment
This looks good -- I'll need to run through it again with a less befuddled mind though.
| /* Make sure it's exported to a provider */ | ||
| { | ||
| void *keydata = NULL; |
Does this need to be in its own block? The function isn't large and the variables can be declared at the top just as easily.
Do I have to? Also, experimental, I really don't expect this code to end up in the main source, so really, [shrug]
Closing, it doesn't serve its purpose any more (or if it should, it needs to be rewritten entirely)
This adds EVP_PKEY_deassign(), which removes all the legacy bits from an EVP_PKEY, and adapts a few tests to use this function prior to using the keys.
This is currently expected to fail in the CIs, until we have adapted all the EVP_PKEY functions to deal with provider only keys.