-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the STORE module take 2, for loaded certs, keys and more given a URI #2011
Conversation
f5c45e3
to
8b152d2
Compare
This seems very much based on the concept that you can open a 'STORE', read it sequentially, and close it again. As such, it doesn't seem to apply to storage like PKCS#11. Is that something we care about? |
For the I haven't looked too much into the |
6855420
to
9dc856e
Compare
I cleaned this up quite a bit, squashed what made sense to squash, and rebased on top of fresh master |
25792ef
to
014c903
Compare
1b93a69
to
77e34b0
Compare
I just did a huge rework of this PR. Major new: public file scheme handlers are gone. There are a few left for the different kinds of data, but no more separate handler for each key type. This is instead handled through already existing OpenSSL functionality (most notably, EVP_PKEY_ASN1_METHODs). |
|
In this context, that isn't a valid observation. The STORE API needs its documentation to stand alone and describe how to use it. Its use of other functions internally is purely an implementation detail.
What I'm saying is that a failure to clearly define the encoding is AS BAD AS not knowing if it's NUL-terminated chars or something else. For the new STORE API, please at least document precisely what is expected to be passed in. And if you can't clearly specify it, with http://david.woodhou.se/draft-woodhouse-cert-best-practice.html in mind, then it's not really appropriate to pass the buck and say "but the We have an opportunity here to introduce a new API which applications can use to Do The Right Thing, without the hundreds of lines of code that I mentioned. Please please please let's not infest it with legacy behaviour and portability issues right from the start. |
@dwmw2, could we at least investigate our current PBEs and what needs to be done with them? Also, it sounds like you're asking me to reimplement our PBEs as part of this PR, and perhaps even make them part of the As for "The STORE API needs its documentation to stand alone and describe how to use it"... The STORE API uses |
Upon more carefull thought, the issue is even less part of the STORE API than I expressed. With regards to passphrases / passwords, the STORE API itself does nothing, by design. All it does is pass around a So it would seem to me that your issue with passwords here belongs with the Maybe this separation of stuff makes things clearer for you? |
You don't need to duplicate the But if the And you have potentially made it worse, if we end up in a situation where one back end expects one thing (the locale charset) while others expect another (a PKCS#11 store probably really does require UTF-8 since that's specifiied by PKCS#11). So users of your new API now have to make guesses based on internal details and pass something different according to their guess. The reason I'm pushing for this now, as a precursor to this landing, is because if we merge it with that kind of ambiguity then we end up with the API problem for ever. The API should be stable before it lands. |
Ah, I thought I had already added references to the the |
Still not good enough if the UI_METHOD docs don't specify charset handling, and if your overall resulting behaviour isn't correct given what is said about it. |
As for the rest of what you say, @dwmw2, I repeat, let's fix the code where it's actually broken. |
Sure, but typically one tries to fix such brokenness before propagating it and producing new ambiguous APIs. But as long as it gets done before an actual release with the STORE API, I suppose that's fine. We still shouldn't end up in a situation where applications have to jump through hoops to do different things for different back ends or different versions of OpenSSL. |
Based on the team discussion I consider (2) resolved (my objection about requiring different translation units can be fairly easily worked around). (4) is also resolved - OPENSSL_init_crypto() is required to ensure the atexit handlers get invoked properly. |
So, remaining bigger issues:
I'm currently working on 3. 1 is waiting on team decision (I want it to become policy if we decide for |
@dwmw2, regarding the passphrase issue, I'll have to insist on raising a separate issue for it, not in this PR. I'm pondering the whats and what nots right now. Regarding what's done first or after, what about in parallell? |
I think @DWM2 makes a strong point. If the current UI is broken for non-ascii passwords, then adding a new API on top of that also seems broken. |
You know, I figured that yes, some work needs to be done in the file scheme loader with regards to passwords. I suddenly remembered that the encoding issue was dealt with in the Why it should be done this way? Because there are existing keys that have been encrypted with In a similar vein, we cannot assume to know exactly what encoding each loader wants. That will be up to loader specific decisions and implementations. So for example, I would assume that a loader for PKCS#11 would make sure to convert the pass phrase it gets from UI calls to utf8. That should be a matter of what, one library call? Either OPENSSL_asc2utf8 or something similar from a more potent character conversion library. UI, btw, will give you straight (or as straight as possible) what it was fed, with the current local encoding. It delivers NUL-terminated char *, and that's it. |
1. STORE_ vs OSSL_STORE_ prefix (not yet concluded as far as I can see)
I think doing a policy will be very difficult. The consensus seems to be that STORE is a generic name, and we shouldn't claim it. Can we just do with that one change? What's the policy, if not. "Don't use common names, otherwise prefix with OSSL" Our exported symbols have 73 items that start with openssl, and none that start with ossl:
; grep -i '^openssl' *num | wc
73 292 6010
; grep -i ossl *num
exit 1
;
I agree OPENSSL_STORE is big and ugly, but it *is* the convention we already have OPENSSL_LHASH _sk, _thread, etc.
2. app name (store or storeutl)
This is not a hill worth fighting over. Pick whatever name you want.
3. ENDOFDATA vs ferror like interface.
If it can look like BIO or FILE* with feof indicators, awesome. If not, so be it.
|
I prefer "store" (in my mind the utl bit doesn't add anything). But its just a preference so I will accept whatever you decide. BTW, I am now struggling to load this PR in my browser. Github keeps throwing up a page saying it is taking too long to load. |
@richsalz wrote thusly:
X509 is also pretty generic (and we already have one clash). RSA as well. I could go on...
Hmmm, hadn't thought of the
Well, we do have the end-of-file indicator already, but not the error indicator. |
Yup, I have the same issue. As far as I can tell, it's load related (on github's side) |
X509 is also pretty generic (and we already have one clash). RSA as well. I could go on...
And most, if not all, of these come from the SSLeay days. :) Things are different now, and we want to avoid naming conflicts if we can.
|
I would probably try to reframe @dwmw2's position as "you should document exactly what format the input to the new APIs should be in, including charset/encoding/etc." (Unicode normalization form?) Ideally this would be a nice clean and consistent interface that is easy to describe, though the initial implementation might be accompanied by warnings of buggy behavior in some cases that does not match up with the clean API spec. A more "messy" API that has the encoding depend on which backend is in use might be possible to document accurately as well; I didn't look very hard. But consumers of the new functions should be able to have a very specific understanding and expectation for their behavior. If the encoding really is solely up to the UI_METHOD and that's all that STORE is passing around, then maybe we need to add some NIDs for various encodings and a way to query the UI_METHOD what is needed. But to reiterate, I agree with @dwmw that character encoding is a giant minefield, and I think the best way we can help our consumers avoid issues is to clearly document how to correctly use our code; secondarily is to make correct usage simpler and more consistent. |
Please move the pass phrase encoding discussion to #3531. I will refuse to answer these questions further here. |
Thank you for filing that.
... except where they are directly related, I hope. Specifically: • Please explicitly document the expectation implied by #3531, that the |
Can I suggest closing this PR and reopening it with a different PR number? Github just cannot cope with loading this page now - I guess because there have been so many comments. Most times I get an error page :-( |
Closing this PR, please redirect your attention to #3542 |
Checklist
Description of change
This is a redesign of #1962
This STORE module adds the following functionality:
a URI and helps loading the supported objects (PKEYs, CERTs and CRLs
for the moment) from it.
Also includes a loader for the "file" scheme. The goal is to have it load PEM files and raw DER files alike, transparently.
Fixes #1958, #1959