Improved detection of engine-provided private "classic" keys

[beldmit]

Resolves #17092 (?)

Checklist

• documentation is added or updated
• tests are added or updated

[beldmit]

I wonder whether we have any other cases when we missed that the loaded key is legacy...

[petrovr]

Please exclude #17286. It is not engine related! It is more generic.

For instance code in https://gitlab.com/secsh/pkixssh/-/commits/master/ssh-pkcs11.c has following commits authored 7-8 mounts ago:

• set pkcs#11 ec-key method immediately on plain key
• set pkcs#11 rsa-key method immediately on plain key
• set pkcs#11 key method immediately on X.509 certificate
• use existence of function EVP_KEYMGMT_get0_provider to throw out "key manager" in OpenSSL 3+

If I remember well OpenSMTPD issue fail into general issue.

[beldmit]

@petrovr sure. Let's deal with the engine case first.

[petrovr]

After review of code I'm not convinced that pull fixes #17092 - see #17092 (comment) . When I have spare time I will check it. May be after two weeks.

In #17092 test scenario is: engine loaded and initialied first followed by call of d2i_PUBKEY where DER material is from random source. Result is internal structure with key manager and engine method.

I guess that test case could be like this:

• configuration that set engine with rsa by path (or by id + init command)
• load for rsa public key from file

I have no time to test such case, sorry.

[tmshort]

None of the EVP_PKEY_set1_XXX() functions have their returns checked. Should ENGINE_load_private_key() always succeed regardless of the return values?

[petrovr]

Once again, please exclude #17286.

[petrovr]

This pull does not change anything.

With

fprintf(stderr, "TRACE[OpenSSL].%s()  [[ //before load_privkey\n", __func__);
    pkey = e->load_privkey(e, key_id, ui_method, callback_data);
fprintf(stderr, "TRACE[OpenSSL].%s()  ]] //after load_privkey\n", __func__);

Result is:

TRACE.ENGINE_load_private_key()  [[ //before load_privkey
INFO[e_nss] Loading private key - 'E_NSS Certificate (client-rsa) - E_NSS Test Team cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω'.
TRACE[e_nss] nss_init_database(): NSS_Init('nssdb') ...
TRACE[e_nss] nss_init_database(): FIPS mode: 0, PK11_IsFIPS()=0
DEBUG[e_nss] Signer's certificate found.
TRACE[e_nss] nss_load_key(): wincx=0x7ffc33fd0830
TRACE_E_NSS:nss_pass_func()  args: slot=0x18b62a0, retry=0, arg=0x7ffc33fd0830
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetSlotName()='NSS User Private Key and Certificate Services'
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetTokenName()='NSS Certificate DB'
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetMinimumPwdLength()=0
TRACE_E_NSS:nss_pass_func_ui_method()  NSS_UI ui_method=0x1823d20, ui_data=0x7ffc33fd0950
TRACE_E_NSS:nss_pass_func_ui_method()  prompt='Enter pass phrase for NSS Certificate DB:'
TRACE_E_NSS:nss_pass_func_ui_method()  buf1='testing'
TRACE_E_NSS:nss_pass_func_ui_method()  UI result[0]='testing'
TRACE[e_nss] nss_load_key(): pvtkey=0x18c0520
TRACE[e_nss] nss_load_key(): pubkey=0x18bf0c0
TRACE[e_nss] nss_load_key(): q=0x18c1510
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x18d2210
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE[e_nss] nss_load_key(): pkey=0x18d1dc0
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x18d1390
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE_E_NSS:nss_init_keyctx_rsa()  RSA by default!
TRACE_E_NSS:nss_init_keyctx_rsa()  new RSA ...
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x18c0ea0
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE_E_NSS:NSS_KEYCTX_free_rsa()  idx: 1, ptr: 0x18d2210
TRACE_E_NSS:NSS_KEYCTX_free_rsa()  idx: 1, ptr: 0x18d1390
TRACE[e_nss] nss_load_key(): keyctx=0x18c0ea0
TRACE[e_nss] nss_load_key(): keyctx->pvtkey=0x18c0520
TRACE[e_nss] nss_load_key(): keyctx->pubkey=0x18bf0c0
TRACE[e_nss] nss_load_key(): ^ pkey=0x18d1dc0
TRACE.ENGINE_load_private_key()  ]] //after load_privkey

---

Remark : work-around in e_nss code now is modified to log if engine method is assigned to rds/dsa keys.
This is visible from log "....RSA by default!".

At this point engine method and provider key manager are assigned to pkey structure.

[beldmit]

Once again, please exclude #17286.

Done

[beldmit]

Without patch:

$ CONFIG_DIR=`pwd`/tests/nssdb OPENSSL_ENGINES=`pwd`/engines/.libs/ OPENSSL_CONF=/home/dbelyavs/upstream/e_nss-4.2/tests/openssl.cnf LD_LIBRARY_PATH=../openssl ../openssl/apps/openssl dgst -sha256 -sign "E_NSS Certificate (client-rsa) - E_NSS Test Team cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω" -keyform ENGINE -engine e_nss -passin file:tests/nsspassfile /home/dbelyavs/upstream/e_nss-4.2/tests/openssl.cnf > sign
TRACE_E_NSS:bind_helper()  args: e=0x1dab6e0, id=<none>
TRACE_E_NSS:bind_nss()  args: e=0x1dab6e0
TRACE_E_NSS:bind_nss_rsa_method()  nss_rsa_ctx_index=1
TRACE_E_NSS:bind_nss_rsa_method()  rsa_method=0x7ff521db63c0[OpenSSL PKCS#1 RSA]
TRACE_E_NSS:bind_nss_dsa_method()  nss_dsa_ctx_index=1
TRACE_E_NSS:bind_nss_dsa_method()  dsa_method=0x7ff521db4f40[OpenSSL DSA method]
TRACE_E_NSS:bind_nss_ec_method()  ec_method=0x1db0190
TRACE_E_NSS:bind_nss_ec_method()  nss_ec_ctx_index=1
TRACE_E_NSS:nss_ctrl()  cmd=211/DEBUG: i=3, p=(nil), f=(nil)
TRACE_E_NSS:nss_ctrl()  cmd=210/CONFIG_DIR: i=0, p=0x1dac7c0, f=(nil)
TRACE_E_NSS:nss_init()  args: e=0x1dab6e0
TRACE_E_NSS:nss_init_eng_ctx()  e=0x1dab6e0, nss_eng_ctx_index=-1
TRACE_E_NSS:nss_init_eng_ctx()  nss_eng_ctx_index=2
TRACE_E_NSS:nss_init_eng_ctx()  ctx=0x1db0670
TRACE_E_NSS:nss_init()  ^ ok
TRACE_E_NSS:nss_digests()  requested nid list
TRACE_E_NSS:nss_pkey_meths()  requested nid list
Engine "e_nss" set.
INFO[e_nss] Loading private key - 'E_NSS Certificate (client-rsa) - E_NSS Test Team cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω'.
TRACE[e_nss] nss_init_database(): NSS_Init('/home/dbelyavs/upstream/e_nss-4.2/tests/nssdb') ...
TRACE[e_nss] nss_init_database(): FIPS mode: 0, PK11_IsFIPS()=0
DEBUG[e_nss] Signer's certificate found.
TRACE[e_nss] nss_load_key(): wincx=0x7ffe4ab078e0
TRACE_E_NSS:nss_pass_func()  args: slot=0x1e09e40, retry=0, arg=0x7ffe4ab078e0
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetSlotName()='NSS User Private Key and Certificate Services'
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetTokenName()='NSS Certificate DB'
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetMinimumPwdLength()=0
TRACE_E_NSS:nss_pass_func_ui_method()  NSS_UI ui_method=0x1dac620, ui_data=0x7ffe4ab07ab0
TRACE_E_NSS:nss_pass_func_ui_method()  prompt='Enter pass phrase for NSS Certificate DB:'
TRACE_E_NSS:nss_pass_func_ui_method()  buf1='testing'
TRACE_E_NSS:nss_pass_func_ui_method()  UI result[0]='testing'
TRACE[e_nss] nss_load_key(): pvtkey=0x1e53cc0
TRACE[e_nss] nss_load_key(): pubkey=0x1e55100
TRACE[e_nss] nss_load_key(): q=0x1e55a70
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x1e67070
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE[e_nss] nss_load_key(): pkey=0x1e580e0
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x1e66b60
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE_E_NSS:nss_init_keyctx_rsa()  RSA by default!
TRACE[e_nss] nss_load_key(): keyctx=0x1e66b60
TRACE[e_nss] nss_load_key(): keyctx->pvtkey=0x1e53cc0
TRACE[e_nss] nss_load_key(): keyctx->pubkey=0x1e55100
TRACE[e_nss] nss_load_key(): ^ pkey=0x1e580e0
TRACE[e_nss] nss_rsa_sign(): args: dtype=672, m=0x7ffe4ab07a20, m_length=32
TRACE[e_nss] nss_rsa_sign(): rsa=0x1e66f40, meth=0x1db0000, name=NSS PKCS#1 RSA method
TRACE[e_nss] nss_rsa_sign(): keyctx=0x1e67070
TRACE[e_nss] nss_rsa_sign(): keyctx->pvtkey=0x0
TRACE[e_nss] nss_rsa_sign(): ret=0
Error signing data
4057EC21F57F0000:error:4000007B:E_NSS:nss_rsa_sign:Missing private key:e_nss_rsa.c:482:
4057EC21F57F0000:error:1C880004:Provider routines:rsa_sign:RSA lib:providers/implementations/signature/rsa_sig.c:599:
TRACE_E_NSS:NSS_KEYCTX_free_rsa()  idx: 1, ptr: 0x1e66b60
TRACE_E_NSS:NSS_KEYCTX_free_rsa()  idx: 1, ptr: 0x1e67070
TRACE_E_NSS:nss_finish()  ...
TRACE_E_NSS:nss_finish()  NSS_Shutdown() ...
TRACE_E_NSS:nss_pkey_meths()  requested nid list
TRACE_E_NSS:nss_destroy()  ...
TRACE_E_NSS:destroy_nss_store()  e=0x1dab6e0, nss_scheme='nss'
TRACE_E_NSS:destroy_nss_store()  loader=0x1dafed0

[dbelyavs@localhost e_nss-4.2]$ ls -l sign
-rw-r--r--. 1 dbelyavs dbelyavs 0 Jan 14 19:48 sign

After the patch:

$ CONFIG_DIR=`pwd`/tests/nssdb OPENSSL_ENGINES=`pwd`/engines/.libs/ OPENSSL_CONF=/home/dbelyavs/upstream/e_nss-4.2/tests/openssl.cnf LD_LIBRARY_PATH=../openssl ../openssl/apps/openssl dgst -sha256 -sign "E_NSS Certificate (client-rsa) - E_NSS Test Team cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω" -keyform ENGINE -engine e_nss -passin file:tests/nsspassfile /home/dbelyavs/upstream/e_nss-4.2/tests/openssl.cnf > sign
TRACE_E_NSS:bind_helper()  args: e=0x8d76e0, id=<none>
TRACE_E_NSS:bind_nss()  args: e=0x8d76e0
TRACE_E_NSS:bind_nss_rsa_method()  nss_rsa_ctx_index=1
TRACE_E_NSS:bind_nss_rsa_method()  rsa_method=0x7f9124fb63c0[OpenSSL PKCS#1 RSA]
TRACE_E_NSS:bind_nss_dsa_method()  nss_dsa_ctx_index=1
TRACE_E_NSS:bind_nss_dsa_method()  dsa_method=0x7f9124fb4f40[OpenSSL DSA method]
TRACE_E_NSS:bind_nss_ec_method()  ec_method=0x8dc190
TRACE_E_NSS:bind_nss_ec_method()  nss_ec_ctx_index=1
TRACE_E_NSS:nss_ctrl()  cmd=211/DEBUG: i=3, p=(nil), f=(nil)
TRACE_E_NSS:nss_ctrl()  cmd=210/CONFIG_DIR: i=0, p=0x8d87c0, f=(nil)
TRACE_E_NSS:nss_init()  args: e=0x8d76e0
TRACE_E_NSS:nss_init_eng_ctx()  e=0x8d76e0, nss_eng_ctx_index=-1
TRACE_E_NSS:nss_init_eng_ctx()  nss_eng_ctx_index=2
TRACE_E_NSS:nss_init_eng_ctx()  ctx=0x8dc670
TRACE_E_NSS:nss_init()  ^ ok
TRACE_E_NSS:nss_digests()  requested nid list
TRACE_E_NSS:nss_pkey_meths()  requested nid list
Engine "e_nss" set.
INFO[e_nss] Loading private key - 'E_NSS Certificate (client-rsa) - E_NSS Test Team cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω'.
TRACE[e_nss] nss_init_database(): NSS_Init('/home/dbelyavs/upstream/e_nss-4.2/tests/nssdb') ...
TRACE[e_nss] nss_init_database(): FIPS mode: 0, PK11_IsFIPS()=0
DEBUG[e_nss] Signer's certificate found.
TRACE[e_nss] nss_load_key(): wincx=0x7ffdfef37570
TRACE_E_NSS:nss_pass_func()  args: slot=0x935e40, retry=0, arg=0x7ffdfef37570
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetSlotName()='NSS User Private Key and Certificate Services'
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetTokenName()='NSS Certificate DB'
TRACE_E_NSS:nss_pass_func_ui_method()  PK11_GetMinimumPwdLength()=0
TRACE_E_NSS:nss_pass_func_ui_method()  NSS_UI ui_method=0x8d8620, ui_data=0x7ffdfef37760
TRACE_E_NSS:nss_pass_func_ui_method()  prompt='Enter pass phrase for NSS Certificate DB:'
TRACE_E_NSS:nss_pass_func_ui_method()  buf1='testing'
TRACE_E_NSS:nss_pass_func_ui_method()  UI result[0]='testing'
TRACE[e_nss] nss_load_key(): pvtkey=0x97fcc0
TRACE[e_nss] nss_load_key(): pubkey=0x981100
TRACE[e_nss] nss_load_key(): q=0x981a70
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x993070
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE[e_nss] nss_load_key(): pkey=0x9840e0
TRACE_E_NSS:nss_rsa_init()  ...
TRACE_E_NSS:nss_rsa_init()  idx: 1, ptr: 0x992b60
TRACE_E_NSS:nss_rsa_init()  ^ ok
TRACE_E_NSS:nss_init_keyctx_rsa()  RSA by default!
TRACE[e_nss] nss_load_key(): keyctx=0x992b60
TRACE[e_nss] nss_load_key(): keyctx->pvtkey=0x97fcc0
TRACE[e_nss] nss_load_key(): keyctx->pubkey=0x981100
TRACE[e_nss] nss_load_key(): ^ pkey=0x9840e0
TRACE_E_NSS:NSS_KEYCTX_free_rsa()  idx: 1, ptr: 0x993070
TRACE[e_nss] nss_rsa_sign(): args: dtype=672, m=0x7ffdfef37750, m_length=32
TRACE[e_nss] nss_rsa_sign(): rsa=0x993250, meth=0x8dc000, name=NSS PKCS#1 RSA method
TRACE[e_nss] nss_rsa_sign(): keyctx=0x992b60
TRACE[e_nss] nss_rsa_sign(): keyctx->pvtkey=0x97fcc0
TRACE[e_nss] nss_rsa_sign(): keyctx->pvtkey->keyType=1
TRACE[e_nss] nss_rsa_sign(): sigret=0x8de330
TRACE[e_nss] nss_rsa_sign(): rv=0
TRACE[e_nss] nss_rsa_sign(): sigret=0x8de330 len=256
TRACE[e_nss] nss_rsa_sign(): ret=1
TRACE_E_NSS:NSS_KEYCTX_free_rsa()  idx: 1, ptr: 0x992b60
TRACE_E_NSS:nss_finish()  ...
TRACE_E_NSS:nss_finish()  NSS_Shutdown() ...
TRACE_E_NSS:nss_pkey_meths()  requested nid list
TRACE_E_NSS:nss_destroy()  ...
TRACE_E_NSS:destroy_nss_store()  e=0x8d76e0, nss_scheme='nss'
TRACE_E_NSS:destroy_nss_store()  loader=0x8dbed0

[dbelyavs@localhost e_nss-4.2]$ ls -l sign
-rw-r--r--. 1 dbelyavs dbelyavs 256 Jan 14 19:57 sign

As you can see, the results are completely different.
I use e_nss-4.2 for tests with commented out engine-level workaround/assignment.

I kindly ask you to check again, because the error present in master is eliminated after my patch

[petrovr]

(1) Correction "post factum".
So when engine return from load method using a hack provider could be eliminated.
Question is are we sure that provider must be eliminated?

(2) Correction "a priori".
So this is always existing functionality of OpenSSL utilities when key is in "engine" format. Also engine key methods are registered as default before implementation of ENGINE_FLAGS_NO_REGISTER_ALL (1.0.0?) and if is used by engine.
Remark: OpenSSL utility prints Engine "foo" set. This indicates that engine key methods are registered as default.

Let review RSA key constructors. This one with explicit engine parameter is out of interest.
So remain rsa_new_intern() cases where engine parameter is NULL. In this case is assigned ENGINE_get_default_RSA().
After assignment is called "init" method. This is visible in the log - TRACE_E_NSS:nss_rsa_init().
Construction of DSA and EC keys follows the same logic.

So the another solution is to stop to set engine key methods as default.

(3) Real correction.
After creation of "legacy key" follows creation of PKEY. As this key methods is not OpenSSL one key is marked as foreign.
If I am not wrong next step from deserialisation process, i.e. decoder, is to import key. But the key is foreign! It seems to me import process ignores this fact and assigns a key manager. Expected is from "default" provider.
So at this phase PKEY structure is wrongly initialised. I'm not sure if the foreign flag is still set.
It is visible that PKEY mix non-OpenSSL key method with provider key manager.

---

Let assume properly created "foreign" pkey.
My conclusion that current implementation of import process will accept such pkey. Expected is import to ignore such key without to trigger error.

---

When engine load key is called code may return pkey with key manager provided by engine. Why not?
This model ensures compatibility with previous use cases.

[beldmit]

(1) Correction "post factum".
So when engine return from load method using a hack provider could be eliminated.
Question is are we sure that provider must be eliminated?

My approach seems to fix the issue when we lose the foreigness of the key. I think we don't lose anything (but avoid the current hack to preserve the foreigness in applications)

[beldmit]

(2) Correction "a priori". So this is always existing functionality of OpenSSL utilities when key is in "engine" format. Also engine key methods are registered as default before implementation of ENGINE_FLAGS_NO_REGISTER_ALL (1.0.0?) and if is used by engine. Remark: OpenSSL utility prints Engine "foo" set. This indicates that engine key methods are registered as default.

Let review RSA key constructors. This one with explicit engine parameter is out of interest. So remain rsa_new_intern() cases where engine parameter is NULL. In this case is assigned ENGINE_get_default_RSA(). After assignment is called "init" method. This is visible in the log - TRACE_E_NSS:nss_rsa_init(). Construction of DSA and EC keys follows the same logic.

So the another solution is to stop to set engine key methods as default.

Do I correctly understand that, when this approach is taken, you lose some external data that is crucial for dealing with engine-provided keys? If this data is not crucial, we are able to operate them using provider API.

[beldmit]

(3) Real correction. After creation of "legacy key" follows creation of PKEY. As this key methods is not OpenSSL one key is marked as foreign. If I am not wrong next step from deserialisation process, i.e. decoder, is to import key. But the key is foreign! It seems to me import process ignores this fact and assigns a key manager. Expected is from "default" provider. So at this phase PKEY structure is wrongly initialised. I'm not sure if the foreign flag is still set. It is visible that PKEY mix non-OpenSSL key method with provider key manager.

My fix is intended to fix the foreign flag. And I see it does it :)

[beldmit]

Let assume properly created "foreign" pkey. My conclusion that current implementation of import process will accept such pkey. Expected is import to ignore such key without to trigger error.

Properly created "foreign" key, AFAICS, may or may not have the data necessary for default provider - but should be still loaded and usable (which is not correct without my patch) or fail to load.

[beldmit]

When engine load key is called code may return pkey with key manager provided by engine. Why not?
This model ensures compatibility with previous use cases.

Sorry, I don't get your point

[beldmit]

Dear @petrovr
From my point of view, this PR fixes some problems currently present in case when engine-backed keys are in use. If you confirm that at least one use case is fixed, it will be possible to merge this PR and make a step forward to a next corner case.

[petrovr]

When engine load key is called code may return pkey with key manager provided by engine. Why not?
This model ensures compatibility with previous use cases.

Sorry, I don't get your point

E_NSS engine provides 'classical' and 'store-based' load of keys. Both models call one and the same function() to constuct PKEY. I cannot see any reason to change this model.
One day, when I found OpenSSL 3 stable enoungh I will change function(*) to construct PKEY using Provider API.

[beldmit]

Thanks, got it!

Which one is tested by the command line from here #19965 (comment) and is there a way to test the 2nd one via openssl command line or there is a special code to use?

[openssl-machine]

This PR is in a state where it requires action by @openssl/committers but the last update was 92 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/committers but the last update was 123 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/committers but the last update was 154 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/committers but the last update was 185 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/committers but the last update was 216 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/committers but the last update was 247 days ago

[beldmit]

Ping @openssl/committers for the 2nd review

[paulidale]

Approved with the formatting nits addressed.

[paulidale]

Blank lines between declarations and code are missing.

[openssl-machine]

This pull request is ready to merge

[paulidale]

Merged, thanks.

[kcking]

This change appears to have changed the pkcs11 mechanism used for RSA keys in the pkcs11_engine from libp11. openssl is now requesting RSA_NO_PADDING, which is converted to CKM_RSA_X_509 on the engine side. In particular, I have observed this using wpa_supplicant 802.1x authentication, which is using openssl/libp11 engine.

This is undesirable as keys are not always accessible to be used without padding. Is this WAI, and I should look to libp11 for a fix to not indicate a "classic" key?