Hi Arne,

On Wed, Sep 15, 2021 at 11:03 AM Arne Schwabe <a...@rfc2549.org> wrote:

> On 15.09.21 at 16:36, Selva Nair wrote:
> > Hi,
> >
> >
> >     Plaisthos is preparing patches that drop support for the APIs that
> >     are deprecated in OpenSSL 3.0.
> >
> >     Agreed that the OpenSSL 3.0 patches should be master only, so only
> >     2.6 will have full OpenSSL 3.0 support with external key support and
> >     without compiler warnings.
> >
> >
> > Good to see some discussion on OpenSSL 3.0 support. I'm working on
> > converting "cryptoapicert" to use a custom built-in provider. In fact,
> > the provider framework could be common for all external keys
> > (cryptoapicert, management-external-key and pkcs11) with only the key
> > loading and signing ops redirected to respective backends.
>
> Depending on how far you have come, you might be ahead of me. I didn't
> know that you are already working on that.
>

I started looking into the new provider interface only recently, and the
cryptoapicert re-write only a week ago. It took a while to get the hang of
the provider framework.

Given that I do this during off-hours, I may take a week or two to have
something worth sharing.


>
> > If Arne is adding a provider implementation for this, maybe I
> > should hold off?
>
> I am currently trying to get together a "small" provider by adapting
> code from https://github.com/tpm2-software/tpm2-openssl. My provider
> implementation is already 600 lines of code since you need a lot of
> boilerplate code. But the whole documentation of the provider API is not
> as great as it could be. You get documentation of all the functions, but
> you have to figure out yourself how all that fits together.
>

OpenSSL has always been like that, hasn't it -- one could never
write anything based on docs alone.  I have seen the tpm2 code. That, along
with the built-in provider implementations in OpenSSL, seems to fill
some of the gaps in documentation. There were also some discussions and
questions in the OpenSSL repo (issues) when the tpm2 guys were developing it.
But I haven't seen any code that deals with non-default providers in the
SSL context, especially when one wants to mix providers (default for most
things + custom for keymgmt & signature only).

> I hope to have something ready at the end of the month.
>

For a working patch I'll also take a similar amount of time. Depending on
how it goes, I'll wait, or post my feature branch for discussion. I'm
totally open, and we do not have to go with my approach even if I come up
with something. In any case, some discussion may be useful/required to make
the basic framework re-usable for all "external key" situations.

Cheers,

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel