Decoder: pkcs11-uri in pem #328
Conversation
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
3 times, most recently
from
7c2f1e8
to
60424ad
Compare
The encoder has to be enabled by setting "pkcs11-module-encode-key-uri-to-pem = true".
Slightly improved but I'm terrible at naming stuff. Suggestions are welcome.
This still needs to be addressed. Dropping the oId and just encoding an UTF8String could also be an option.
Tests showed that I need to loop over all tokens in the decoder. A similar loop is used in the store_fetch function, it could make sense to re-use that code. I added libtasn1 as dependency for generating pem files in the tests. Originally I planed to use ossl asn1parse but it is broken in 3.2.0 (openssl/openssl#22992) |
|
Do we really need this whole ASN.1 dependency when all we are doing is the simplest ASN.1 thing ever? |
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
from
60424ad
to
e880fcc
Compare
|
I removed the dependency, what else needs to be changed? Do you have any opinion about the oId? Should it be removed completely? |
|
Does it need to be an OID? |
|
If OpenSSL expects OIDs (I have not checked) I can provide one from the Red Hat pool, let me know and I can assign. |
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
2 times, most recently
from
cb895df
to
479ff57
Compare
|
It's not necessary to have an OID. I update the code to have a ASN1_VISIBLESTRING instead. |
|
I do not think there is a callback mechanisms that can change the nature of the load. This is basically store(file) -> load(pem) -> decode(URI?) ... And the decode is supposed to return a pkey type, so the only way is to decode(URI?) -> store(URI) This is why this is a "hack" in the end and I was uncertain it would be a good idea. Given we can avoid the use of OIDs and still make it very clear it is a pkcs#11 provider custom format I think I am happy enough. |
The OSSL_STORE returns an EVP_PKEY but the decoder is supposed to call the object_cb with an OSSL_PARAM array. The EVP_PKEY_todata calls the export method which for obvious reasons does not work for private keys. I think calling the p11prov_store_*() is the way to go. |
Ah, that's right! |
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
7 times, most recently
from
49d0fb5
to
9d1ac77
Compare
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
2 times, most recently
from
1bafaff
to
dc8d994
Compare
|
I gave a build of this PR to some other devs. They found out that I forgot to add the encoder/decoder for Edwards curves. I added a commit to fix that. |
|
I guess the only way to make CI pass on debian, is to rebase on master, I have merged your PR for the t64 madness |
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
from
dc8d994
to
e7b7b13
Compare
The encoder is only implemented for private keys. In the decoder, the support for public keys comes for free. Explicitly filtering for private keys seems like an arbitrary restriction. Unfortunately, the |
|
are you thinking of a certificate stored in the token, and a uri only be present in the PEM file ? So basically this means you can use PEM files for any object in the token ? |
|
Well, ideally the application would accept a pkcs11-uri for both key and certificate in the configuration. In the end, the goal is to only have to touch the token when doing a key/cert renewal. When an application only uses references to these objects the token can be used to distribute the new key/cert pairs. |
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
from
e7b7b13
to
4544cd5
Compare
|
Note, the code currently only handles OSSL_STORE_INFO_PKEY in expect, so it will have to be adjusted, but we can do as a followup to this PR, I think we should merge this one once good enough, to avoid dragging it forever |
Register an encoder for writing the PrivateKeyInfo as PEM. The encoder
writes the pcsk11-uri to the PEM file. The file has the following structure:
SEQUENCE {
ASN1_VISIBLESTRING desc; // set to "PKCS#11 Provider URI v1.0"
ASN1_UTF8STRING uri; // pkcs11-uri as produced by p11prov_key_to_uri()
}
The feature has to be enabled explicitly by setting
pkcs11-module-encode-provider-uri-to-pem.
Signed-off-by: Florian Wernli <florian.wernli@securosys.ch>
Add the encoder and decoder methods for the ED25519 and Ed448 curves. Signed-off-by: Florian Wernli <florian.wernli@securosys.ch>
0pq76r
force-pushed
the
feature/key-reference-in-pem
branch
from
4544cd5
to
da22bc2
Compare
|
Sounds like Fedora address sanitizer is really mad, I kicked a rerun but see it it was not a fluke, unfortunately the logs are not very enlightening of where the problem lies ... |
|
How do I export a key for this? I've been trying something like this with my Yubikey:
But get: |
|
OK, I kind of got it working, but am still having trouble signing with the previous error, and get a segfault at the end... |
|
This does not export or wrap a key. You should find that it just contains the URI to the key. About the segfault... |
|
The no-deinit quirk was the solution, thanks. To be clear: for some reason, it appears to be having trouble exporting the public key during sign(!) operations, even when I'm not using the pem exported key reference, which is strange: Additionally, this occurs on the 0.3 branch, leaving me to believe it isn't related to this changeset. So I'll keep further commentary off this ticket. |
|
Got it working. Problem was I was doing shenanigans with a PKCS#11 engine, too. Confirmed (mostly) working: Then, in Ruby, which only supports loading PEM files: Oops, a ruby bug :-) |
|
Thanks for this contribution, looking forward to use it. |
|
This is awesome, well done. |
|
Node: |
This is an attempt to implement the feature "Support key in PEM file" #222.
The PEM file consists out of two fields an ASN1_OBJECT called "type" containing an oId to identify the object and an ASN1_UTF8STRING called "uri". The URI is parsed and created using the existing
p11prov_parse_uriandp11prov_key_to_urifunctions.There are still some points left to improve: