On Thu, 2016-12-01 at 00:22 +0100, Richard Levitte wrote:
> This patch doesn't fit the rest... 

I'm not quite sure I follow why.  To allow engines to load PEM encoded
engine keys in place of machine processed ones, the hook into the
loader has to go in somewhere.  This seems to be the most generic place
to put the hook.

> Generally speaking, I am unsure about your solution. It seems like a
> hack to fit a specific case where something more general could be of
> greater service to others as well.

Well, the more adaptable patch set was the previous one that overloaded
the meaning of key_id.  This one has a specific bio mechanism for
loading PEM files, so it only really works for engines that have PEM
representable unloaded keys (which, to be fair, is almost all of them,
since even the USB crypto keys have a wrapped format).

I've tried to make it as generic as possible, but I am conditioned to
think of my use case: TPM keys.  If you give an example of another use
case, it will help me see where it should be more generic.

James


> Cheers 
> Richard 
> 
> On November 30, 2016 4:27:49 PM GMT+01:00, James Bottomley <
> james.bottom...@hansenpartnership.com> wrote:
> > Before trying to process the PEM file, hand it to each of the
> > loaded
> > engines to see if they recognise the PEM guards.  This uses the new
> > bio based load key callback, so the engine must be loaded and
> > implement this callback to be considered.
> > 
> > Signed-off-by: James Bottomley <j...@linux.vnet.ibm.com>
> > ---
> > crypto/pem/pem_pkey.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> > 
> > diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
> > index 04d6319..e3737f0 100644
> > --- a/crypto/pem/pem_pkey.c
> > +++ b/crypto/pem/pem_pkey.c
> > @@ -85,6 +85,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp,
> > EVP_PKEY
> > **x, pem_password_cb *cb,
> >     int slen;
> >     EVP_PKEY *ret = NULL;
> > 
> > +    /* first check to see if an engine can load the PEM */
> > +    if (ENGINE_find_engine_load_key(NULL, &ret, (const char *)bp,
> > cb,
> > u) == 1)
> > +        return ret;
> > +
> > if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp,
> > cb,
> > u))
> >         return NULL;
> >     p = data;
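Review bot: the `(const char *)bp` cast in the new block hands a `BIO *` to ENGINE_find_engine_load_key as if it were a string, so whichever parameter that function declares as a key identifier now receives a BIO pointer; if the callback is meant to read from a BIO, give it a `BIO *` parameter rather than casting, and if it takes an identifier string this is the wrong call to make at this point. Two further points on the same lines: the early return only fires on a result of exactly 1, so an engine that recognises the guard but fails to load the key falls through to PEM_bytes_read_bio and the caller gets a generic PEM error instead of the engine's, and the hook reads from `bp` before PEM_bytes_read_bio does, so every engine that declines must leave the BIO positioned where it found it (or the hook must read once and replay the data), otherwise ordinary non-engine keys stop parsing. Consider also wrapping the block in `#ifndef OPENSSL_NO_ENGINE` so the file still builds without engine support.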
> 
> -- 
> levi...@openssl.org 

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
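The dispatch described in the thread (offer the PEM text to each loaded engine, let one claim it by its guard line, otherwise fall through to the generic parser), as an added stand-alone model that is not OpenSSL's ENGINE or PEM code and not part of James's patch. It assumes a hypothetical in-memory reader in place of a BIO, hypothetical engine descriptors (`pem_engine`, `pem_try_engines`, `classify`), and constructed PEM inputs with made-up guard names such as "EXAMPLE TPM KEY". It shows two things the patch itself leaves open: engines that decline must not move the read cursor, and "recognised but failed to load" is reported separately from "not mine".

```c
/* Added example (not OpenSSL code): a minimal model of letting engines
 * claim a PEM block by its guard line before the generic parser runs. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three-way result so a real engine failure is not masked by falling
 * through to the generic PEM parser. */
enum pem_engine_rc {
    PEM_ENGINE_NOT_MINE = 0,   /* no engine recognised the guard */
    PEM_ENGINE_OK = 1,         /* an engine recognised and loaded the key */
    PEM_ENGINE_ERROR = -1      /* an engine recognised it but could not load */
};

/* Stand-in for a readable BIO: an in-memory buffer with a read cursor. */
typedef struct { const char *buf; size_t len; size_t pos; } pem_reader;

/* Hypothetical engine descriptor: the PEM type name it claims, and a
 * flag to simulate a key it recognises but cannot load. */
typedef struct { const char *name; const char *guard; int load_fails; } pem_engine;

typedef struct { int rc; const char *engine; size_t pos; } classify_result;

/* Copy one line (without the newline) starting at `from`, without moving
 * the reader's cursor. Returns bytes consumed, 0 at end of input. */
static size_t peek_line(const pem_reader *r, size_t from, char *out, size_t outlen)
{
    size_t i = 0;
    while (from + i < r->len && r->buf[from + i] != '\n') i++;
    size_t n = i < outlen - 1 ? i : outlen - 1;
    memcpy(out, r->buf + from, n);
    out[n] = '\0';
    return from + i < r->len ? i + 1 : i;
}

/* Find the first "-----BEGIN <type>-----" line, skipping leading junk,
 * and return the type name. Never moves the cursor, so a declining
 * engine leaves the input exactly as the generic parser expects it. */
static int peek_guard_type(const pem_reader *r, char *type, size_t typelen)
{
    char line[128];
    size_t off = r->pos, used;
    while ((used = peek_line(r, off, line, sizeof line)) > 0) {
        off += used;
        if (strncmp(line, "-----BEGIN ", 11) != 0) continue;
        const char *p = line + 11;
        const char *end = strstr(p, "-----");
        if (!end || (size_t)(end - p) >= typelen) return 0;
        memcpy(type, p, end - p);
        type[end - p] = '\0';
        return 1;
    }
    return 0;
}

/* Offer the input to each engine in turn. Only a successful load moves
 * the cursor; "not mine" and "error" leave it untouched. */
static int pem_try_engines(const pem_engine *engines, size_t n,
                           pem_reader *r, const char **claimed)
{
    char type[64];
    *claimed = NULL;
    if (!peek_guard_type(r, type, sizeof type)) return PEM_ENGINE_NOT_MINE;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(engines[i].guard, type) != 0) continue;
        *claimed = engines[i].name;
        if (engines[i].load_fails) return PEM_ENGINE_ERROR;
        r->pos = r->len;   /* simplification: the engine consumed the whole buffer */
        return PEM_ENGINE_OK;
    }
    return PEM_ENGINE_NOT_MINE;
}

/* Constructed engines and PEM inputs (guard names are made up). */
static const pem_engine engines[] = {
    { "example-tpm", "EXAMPLE TPM KEY", 0 },
    { "broken",      "EXAMPLE BROKEN KEY", 1 },
};
static const size_t n_engines = sizeof engines / sizeof engines[0];
static const char tpm_pem[] = "-----BEGIN EXAMPLE TPM KEY-----\nAAAA\n-----END EXAMPLE TPM KEY-----\n";
static const char plain_pem[] = "# comment before the guard\n-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";
static const char broken_pem[] = "-----BEGIN EXAMPLE BROKEN KEY-----\nAAAA\n-----END EXAMPLE BROKEN KEY-----\n";

/* Run the dispatch on one PEM string and report result, engine and cursor. */
static classify_result classify(const char *pem)
{
    pem_reader r = { pem, strlen(pem), 0 };
    classify_result res;
    res.rc = pem_try_engines(engines, n_engines, &r, &res.engine);
    res.pos = r.pos;
    return res;
}

int main(void)
{
    const char *inputs[] = { tpm_pem, plain_pem, broken_pem };
    for (size_t i = 0; i < 3; i++) {
        classify_result res = classify(inputs[i]);
        printf("rc=%d engine=%s cursor=%zu/%zu\n", res.rc,
               res.engine ? res.engine : "-", res.pos, strlen(inputs[i]));
    }
    return 0;
}
```

The plain "PRIVATE KEY" input comes back as not-mine with the cursor still at 0, which is the property a real hook in PEM_read_bio_PrivateKey would need from every engine; the "broken" engine returns an error rather than 0 so the caller can surface the engine's failure instead of retrying the block as a generic key.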
