WIP: apps: Switch to using OSSL_STORE for loading keys, certs, ...#7390
WIP: apps: Switch to using OSSL_STORE for loading keys, certs, ...#7390levitte wants to merge 10 commits intoopenssl:masterfrom
Conversation
|
Richard Levitte wrote:
This makes all the format specifiers largely irrelevant, except for
the ENGINE format when a key is given as a key ID only. However, with
the engine loader, it's possible to change this:
-engine {engineid} -key {keyid} -keyformat ENGINE
To this:
-key engine://{engineid}/{keyid}
[SNIP]
Proposed modification is not store specific.
Let me quote in brief from PKIX-SSH manual
("http://securebox.termoneplus.com/man5/ssh_config.5.html") for option
IdentityFile.
(1) If file name starts with prefix ‘engine:’ instead from file identity
load is redirected to “loadable cryptographic module” (engine).
Name format is engine:{engineid}:{keyid} using syntax above.
(2) Prefix “store:” could be used if cryptographic library supports
ossl_store(7) functionality.
In such case name format is store:{uri}. Engine if applicable is encoded
in URI-scheme.
Second case is more generic. It is store related as it allows use of
URIs not supported by engine.
For instance based on store functionality PKIX-SSH could use directly as
identify key and certificates stored in PKCS#12 file (side effect).
Without store user should unpack (extract) PKCS#12 file into text file
(PEM format).
Otherwise there is no big difference for PKIX-SSH:
(1) ssh ... -i engine:e_nss:{keyid} vs
(2) ssh ... -i store:nss:{keyid}
Remark: in both cases engine require explicit configuration.
And one note more: {engineid}/{keyid} is not _in store URI format._ You
know engine , you know keyid, but you don't know how to build store URI.
It is engine specific and is more one direction process: URI ->
{{engineid}, {keyid}, {extras...}}.
Regards,
Roumen Petrov
|
|
Ah, there's a precedent for a engine: scheme. Sure, I can use that instead. Why someone has implemented a store: scheme is beyond me, though. Does that mean that if I want to express a file name in uri form, I would have to write |
|
Richard Levitte wrote:
Ah, there's a précédent for a engine: scheme. Sure, I can use that instead.
Why someone has implemented a store: scheme is beyond me, though. Does that mean that if I want to express a file name in uri form, I would have to write `store:file:///home/levitte/foo.pem`?
So I use prefix:data, whre prefix is engine or store just to avoid
failback case into code.
There is no reason OpenSSL to use such format.
Why isn't `file:///home/levitte/foo.pem` enough? I cannot see why we should support such a contraption...
Yep . Support of "Store URI" as input source should be enough . Perhaps
if store fails with "invalid scheme" then code could try to open file
(failback case).
Drawback of "Store URI" is that engine may not be loaded.
Work around is to keep "engine" argument.
Regards,
Roumen Petrov
|
The current file loader does this already, i.e. it defaults to |
The proper workaround is to do what I do in this PR, i.e. define a |
|
Please do not start using an unregistered URI scheme: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml |
|
You make a good point. Earlier on, I was think that "nah, it's just private to the openssl app", and that doesn't quite fit the need to registration, and I quote from RFC 7595 section 4 "Guidelines for Provisional URI Scheme Registration":
But seeing that PKIX-SSH uses the same scheme, and uses a different syntax to boot, that might be qualification enough to make a provisional registration after all. (I don't see it ever changing status to something more |
levitte
force-pushed
the
apps-switch-to-store
branch
from
45651b9 to
cd85f3f
Compare
|
Code updated to use |
|
Apparently, I hadn't completed what I said. Now fixed, and tests added. |
|
Finally, this builds and tests fine. I will fix the docs, then it will be time for a review |
|
Richard Levitte wrote:
Apparently, I hadn't completed what I said. Now fixed, and tests added.
Perhaps in next weeks :-( I could find time to continue discussion.
Regards,
Roumen
|
This capability existed internally, and is now made public.
The prompt includes the URI, to make it clear which object needs a pass phrase.
This involves exposing two pvkfmt.c functions, but only internally.
This helps load keys with the following scheme:
engine:{engineid}:{keyid}
This is legacy, but added for the time being to support keys given to
the application like this:
-engine {engineid} -key {keyid} -keyform ENGINE
This makes all the format specifiers largely irrelevant, except for
the ENGINE format when a key is given as a key ID only. However, with
the engine loader, it's possible to change this:
-engine {engineid} -key {keyid} -keyformat ENGINE
To this:
-key engine:{engineid}:{keyid}
We retain the ENGINE format for the sake of compatibility. All other
input formats are simply ignored. Note that output formats is a
different story.
Fixes openssl#1963
This adds a bit of functionality in ossltest, so it can now be used to load PEM files. It takes the file name as key ID, but just to make sure faults aren't ignored, it requires all file names to be prefixed with 'ot:'.
levitte
force-pushed
the
apps-switch-to-store
branch
from
c055e63 to
34d8735
Compare
|
I'll echo the "please don't use an unregistered URI scheme" comment with its converse: please do support PKCS#11 URIs directly, without them having to be prefixed or mangled. The If you end up with a form that doesn't Just Work for RFC7512 PKCS#11 URIs, please special-case them to use the pkcs11 engine. Thanks. |
|
If you create a proper OSSL_STORE loader that registers the scheme "pkcs11:", then you can use that scheme directly. The "engine:" 'scheme' is an interim construct to allow access via the older ENGINE calls to access keys; |
|
Perfect. Thank you. |
|
Needs a rebase |
mattcaswell
added
the
approval: review pending
Was the scheme ever registered as suggested here? |
No, but can certainly be done. I have the impression that it's not very hard... |
mattcaswell
left a comment
mattcaswell
left a comment
There was a problem hiding this comment.
I'd also suggest a CHANGES entry might be in order for the change in behaviour of "-inform"
| char engineid[256]; | ||
| size_t engineid_l = q - p; | ||
|
|
||
| strncpy(engineid, p, engineid_l); |
There was a problem hiding this comment.
Using strncpy like this seems incorrect. The point of using strncpy is to not exceed the target buffer size - but you instead pass the string length (which therefore won't copy the '\0') and then manually add \0. So this is likely to go wrong for very large engine URIs.
| engineid[engineid_l] = '\0'; | ||
| e = ENGINE_by_id(engineid); | ||
|
|
||
| keyid = OPENSSL_strdup(q + 1); |
| || !OSSL_STORE_LOADER_set_error(loader, engine_error) | ||
| || !OSSL_STORE_LOADER_set_close(loader, engine_close) | ||
| || !OSSL_STORE_register_loader(loader)) { | ||
| OSSL_STORE_LOADER_free(loader); |
There was a problem hiding this comment.
I wonder if this loader might useful beyond the apps. Does it belong it libcrypto?
There was a problem hiding this comment.
Considering we have declared ENGINE legacy, I dunno how keen I'm on that. But, we could re-evalutate that when I've finished #9389
| } | ||
|
|
||
| ok = load_cert_crl_http(uri, onecert, onecrl); | ||
| return ok; |
There was a problem hiding this comment.
Just return directly without the intermediate ok
| } | ||
| unbuffer(stdin); | ||
| cert = dup_bio_in(format); | ||
| in = dup_bio_in(0); /* Binary work best */ |
There was a problem hiding this comment.
Should use an explicit macro format here...0 is actually FORMAT_UNDEF. The comment suggests you might have meant FORMAT_BINARY...although as far as I can tell with the dup_bio_in function either will do the same thing.
| const OPTIONS crl_options[] = { | ||
| {"help", OPT_HELP, '-', "Display this summary"}, | ||
| {"inform", OPT_INFORM, 'F', "Input format; default PEM"}, | ||
| {"inform", OPT_INFORM, 'F', "DEPRECATED AND IGNORED"}, |
There was a problem hiding this comment.
Not sure there is a need to shout. This will draw attention to this particular option in any "-help" listing, which seems unwarranted. Same comment for other similar occurrences.
| int *matchcount, | ||
| const UI_METHOD *ui_method, | ||
| void *ui_data); | ||
| void *ui_data, const char *uri); |
There was a problem hiding this comment.
The comment above here needs updating
|
|
||
| -key engine:eng:something | ||
|
|
||
| This is a temporary measure until engines have learned to provide an |
There was a problem hiding this comment.
I somehow suspect this won't be temporary and this wording will still be here in 10 years time. Perhaps reword?
| EVP_CIPHER_fetch 4748 3_0_0 EXIST::FUNCTION: | ||
| EVP_CIPHER_mode 4749 3_0_0 EXIST::FUNCTION: | ||
| OSSL_STORE_attach 4750 3_0_0 EXIST::FUNCTION: | ||
| OSSL_STORE_LOADER_set_attach 4751 3_0_0 EXIST::FUNCTION: |
There was a problem hiding this comment.
These functions don't seem to be documented.
| ok(run(app(["openssl", "rsa", "-text", "-noout", @pubin, | ||
| "-in", "engine:ossltest:ot:$file"]))); | ||
| ok(run(app(["openssl", "rsa", "-text", "-noout", @pubin, | ||
| "-in", "engine:ossltest:ot:".to_abs_file($file)]))); |
There was a problem hiding this comment.
Given the extent of the option changes in the apps this seems very light testing
Getting at it now |
levitte
changed the title
|
The more I looked at the branch, the more I realised it's not quite ready for final review. So I put it back in WIP. Comments are still welcome! |
levitte
added
branch: master
|
This is still a WIP but placing a hold so it doesn't end up in OpenSSL 3.0 without a discussion and decision on the points already raised in the feedback. |
|
Automated Ping: This issue is in a state where it requires action by @openssl/omc but the last update was 30 days ago |
|
This is related to #12647 and likely further more recent PRs.. |
|
Isn't this change already implemented in master/3.0? |
Almost, there were nuances that are not caught by @DDvO's changes. |
|
OMC: There is no decision to be made here at this stage. |
|
This is no longer relevant. The feature is already implemented. |
9 participants
This makes all the format specifiers largely irrelevant, except for
the ENGINE format when a key is given as a key ID only. However, with
the engine loader, it's possible to change this:
To this:
We retain the ENGINE format for the sake of compatibility. All other
input formats are simply ignored. Note that output formats is a
different story.
Fixes #1963