Document EVP_PKEY_ASN1_METHOD and associated functions #4596
Conversation
levitte
force-pushed
the
EVP_PKEY_ASN1_METHOD_docs
branch
from
3dad8bc
to
823b6aa
Compare
|
@mattcaswell, you might be interested of this... |
levitte
changed the title
|
Ok, this is now done as far as I can see. Time for a review. |
|
So supposed I want to implement a better RSAPSS algorithm, |
|
Well, an override is made by the application, or an engine if you load one (possibly through a config file), dynamically. Ultimately, that's controlled by the order in which the application does things, doesn't it? |
doc/man3/EVP_PKEY_asn1_get_count.pod
Outdated
| EVP_PKEY_asn1_find_str() looks up the B<EVP_PKEY_ASN1_METHOD> with PEM | ||
| type string B<str>. | ||
| Just like EVP_PKEY_asn1_find(), it searches through the methods added | ||
| by the application first, and then through the standard methods. |
There was a problem hiding this comment.
There was a problem hiding this comment.
to me this looks like the standard methods win:
for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
ameth = EVP_PKEY_asn1_get0(i);
if (ameth->pkey_flags & ASN1_PKEY_ALIAS)
continue;
if (((int)strlen(ameth->pem_str) == len)
&& (strncasecmp(ameth->pem_str, str, len) == 0))
There was a problem hiding this comment.
FYI: The comment refers to EVP_PKEY_asn1_find_str
There was a problem hiding this comment.
Ah, you are quite correct! That's... not very consistent. I guess the idea was that everyone would play nice with each other and not try to compete over the same algorithms, but rather that application would handle their own different algo.
When I look at EVP_PKEY_asn1_add0 and the way it sorts the stack every time a new method is added, it seems clear to me that the original line of thought is one of no competition, and to make sure that is always true, EVP_PKEY_asn1_add0 should refuse to add a method for an algo that already has one. In that case, the exact order in which these methods are found don't matter at all.
There was a problem hiding this comment.
Yes, that would be a significant improvement.
There was a problem hiding this comment.
Should the check in the add method also look for duplicate strings?
doc/man3/EVP_PKEY_asn1_get_count.pod
Outdated
| EVP_PKEY_asn1_find() looks up the B<EVP_PKEY_ASN1_METHOD> with NID | ||
| B<type>. | ||
| It searches through the methods added by the application first, and | ||
| then through the standard methods. |
There was a problem hiding this comment.
and what happens if pe != NULL ?
There was a problem hiding this comment.
that looks like the engine always wins ?
There was a problem hiding this comment.
in EVP_PKEY_asn1_find the first loop changes "type" if ASN1_PKEY_ALIAS
is in app_methods, and then if pe != NULL
ENGINE_get_pkey_asn1_meth_engine can look up something,
otherwise "t" from the frst loop is returned.
Weird...
There was a problem hiding this comment.
If I understand you correct, then it should not matter where we search first.
In that case this sentence can be removed.
However I wonder why the engine search uses the aliases at all, maybe the
whole "if (pe)" block should move up?
There was a problem hiding this comment.
previous comment refers to EVP_PKEY_asn1_find
There was a problem hiding this comment.
The loop at the start is there to follow aliases down to the root identity, which means that the methods provided by engines can't be aliases. An engine can of course still provide an alias by adding them directly with EVP_PKEY_asn1_add_alias, but that will end up in the app_methods stack anyway... So the loop to resolve aliases should come first, as it does.
There was a problem hiding this comment.
Maybe the documentation should reflect that ?
There was a problem hiding this comment.
Dunno how it would here. EVP_PKEY_asn1_add_alias is the only way to add an alias, and it's not ENGINE specific, so...
The ENGINE API documentation needs to be refreshed for sure, though. That's for a different PR...
There was a problem hiding this comment.
More or less make one sentence out of your previous two comments.
I believe the rationale is not obvious.
|
I would have liked to have a way to store the app_methods in a context structure, |
|
In what context? |
|
Maybe it is a silly idea or just infeasible... But I mean as an extra parameter maybe similar to an EVP object, which |
|
I think it's an infeasible idea in this case, sorry... |
|
@bernd-edlinger, I hope the new commits I just pushed answer your concerns. |
doc/man3/EVP_PKEY_asn1_get_count.pod
Outdated
| EVP_PKEY_asn1_get0() return a public key method or B<NULL> if B<idx> is | ||
| out of range. | ||
|
|
||
| EVP_PKEY_asn1_get0_info() returns 0 on failure, 1 on success. |
There was a problem hiding this comment.
maybe it should be noted that these APIs are not thread-safe?
doc/man3/EVP_PKEY_ASN1_METHOD.pod
Outdated
| B<EVP_PKEY_ASN1_METHOD> object otherwise. | ||
|
|
||
| EVP_PKEY_asn1_add0() and EVP_PKEY_asn1_add_alias() return 0 on error, | ||
| or 1 on success. |
There was a problem hiding this comment.
Also these APIs are not thread-safe, either make the thread-safe or document that?
doc/man3/EVP_PKEY_ASN1_METHOD.pod
Outdated
| The pub_cmp() method is called when two public keys are to be | ||
| compared. | ||
| It MUST return 1 when the keys are equal, 0 otherwise. | ||
| it's called by L<EVP_PKEY_cmp(3)>. |
There was a problem hiding this comment.
new sentence, start with upper case.
doc/man3/EVP_PKEY_ASN1_METHOD.pod
Outdated
| The pub_print() method is called to print a public key in humanly | ||
| readable text to B<out>, indented B<indent> spaces. | ||
| It MUST return 0 on error, 1 on success. | ||
| it's called by L<EVP_PKEY_print_public(3)>. |
doc/man3/EVP_PKEY_ASN1_METHOD.pod
Outdated
| The priv_decode() and priv_encode() methods are called to decode / | ||
| encode B<PKCS8_PRIV_KEY_INFO> form private key to / from B<pk>. | ||
| They MUST return 0 on error, 1 on success. | ||
| they're called by L<EVP_PKCS82PKEY(3)> and L<EVP_PKEY2PKCS8(3)>. |
|
Because the thread safety question isn't quite resolved yet and I don't want this PR to wait endlessly, I just added a commit with thread safety information. Looks good? |
|
Hmmm, most of this should also be backported to 1.1.0. I'll prepare a separate PR for it, considering master has added functionality... |
|
Is the red cross from travis a doc-nits ? |
[skip ci] Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #4596)
No two public key ASN.1 methods with the same pkey_id can be registered at the same time. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #4596)
levitte
force-pushed
the
EVP_PKEY_ASN1_METHOD_docs
branch
2 times, most recently
from
29ea155
to
d8586bb
Compare
|
Good catch! Added commit should resolved the matter |
levitte
force-pushed
the
EVP_PKEY_ASN1_METHOD_docs
branch
from
d8586bb
to
775866a
Compare
|
Sorry, for not checking earlier. |
|
It's alright, but I need you to approve the added commit |
[skip ci] Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl#4596)
No two public key ASN.1 methods with the same pkey_id can be registered at the same time. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl#4596)
|
Merged the last commit as well. 79204b9 |
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #4596)
No description provided.