New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable CMS sign/verify for provider-implemented PKEYs #17733
Conversation
Is it possible to integrate your provider tests as part of external tests as it is currently done with GOST engine? |
crypto/cms/cms_sd.c
Outdated
/* Digest presence check really necessary? */ | ||
if (alg1 == NULL || alg1->algorithm == NULL) | ||
return -1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps there can be algorithms that integrate the digest, i.e. there is no separate digest algorithm?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes -- that exactly is the case for OQS algorithms (see issue 1 in #17717). However, the whole OpenSSL CMS logic completely depends on a digest being present. When reading into the CMS RFC the standard seems to mandate this, so the comment above is gone in 72d6281 as this check makes sense for code implementing the CMS standard (which might need amendment for quantum-safe crypto but we can't solve this here...). This also means that this PR completely fixes #17717 as issue 1 there is explained by this.
crypto/cms/cms_sd.c
Outdated
return -1; | ||
|
||
/* Generic PKEY->name->NID->OID mapping check */ | ||
const char* typename = EVP_PKEY_get0_type_name(pkey); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The declaration has to be at the beginning of the block. Also space should be before *
not after.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thx. Fixed in 72d6281.
Is it possible to use your provider for external tests (similar to gost-engine)? |
That sounds like a good idea and I don't see a reason why not -- it's a shared lib after all. Is there documentation how this is done for the gost-engine / what needs to be done to set this up? |
crypto/cms/cms_sd.c
Outdated
/* Generic PKEY->name->NID->OID mapping check */ | ||
if (typename == NULL) | ||
return -1; | ||
return X509_ALGOR_set0(alg2, OBJ_nid2obj(OBJ_sn2nid(typename)), V_ASN1_UNDEF, NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest replacing OBJ_nid2obj(OBJ_sn2nid(typename))
with OBJ_txt2obj(typename, 0)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in e2f1215.
@baentsch please take a look at |
Thanks for that pointer. Cool: the limitations there are the same as for oqsprovider (no Windows/VMS). Will use as blueprint (aiming to mirror https://github.com/openssl/openssl/blob/master/test/README-external.md#gost-engine-test-suite) and bring as separate PR: OK for you, @beldmit? |
Sure. As there currently are no external providers with brand new algorithm, any additional test will be useful and can help stabilising the functionality |
Looks good now. Should there be some kind of test for this? |
At least given the code is now also used for DSA and ECDSA, it will be tested if we have tests for CMS using DSA and/or ECDSA. And we seem to have some in the test_cms recipe. |
But the point of the change is to allow other algorithms (especially ones without an associated hash alg) to work. Should there be a test for this scenario? |
Done. |
24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually. |
bot is confused. Added the label. |
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17733)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17733)
It seems this has been merged so closing. Thanks for the contribution. |
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733) (cherry picked from commit d15d561)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733) (cherry picked from commit 0654421)
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733) (cherry picked from commit d15d561)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733) (cherry picked from commit 0654421)
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733) (cherry picked from commit d15d561)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733) (cherry picked from commit 0654421)
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17733) (cherry picked from commit d15d561)
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17733)
Fixes
(part of)#17717Note: More work might be required for further CMS functionality. This PR covers issue 2 reported in #17717 and all that is being used and tested in the OQS project: Generating CMS signed data and verification of that with non-classic/provider-implemented algorithms back-and-forth between an (OQS-enabled)OpenSSL 1.1.1 fork and the OpenSSL3 oqs-provider.
A more complete OpenSSL-only CMS issue, possibly calling for a complete external provider test suite, might be called for to cover all CMS functionality.