Hi Arne,

On Fri, Sep 17, 2021 at 7:33 PM Arne Schwabe <a...@rfc2549.org> wrote:

> > > If Arne is adding a provider implementation for this, maybe I
> > > should hold off?
> >
> > I am currently trying to get together a "small" provider by adapting
> > code from https://github.com/tpm2-software/tpm2-openssl. My provider
> > implementation is already 600 lines of code since you need a lot of
> > boilerplate code. But the whole documentation of the provider API is not as
> > great as it could be. You get documentation of all the functions but you
> > have to figure out yourself how all that fits together.
> >
> > OpenSSL has always been like that isn't it -- one could never
> > write anything based on docs alone. I have seen the tpm2 code. That,
> > along with the built-in provider implementations in OpenSSL, seems to
> > fill some of the gaps in documentation. There were also some discussions
> > and questions in the OpenSSL repo (issues) when the tpm2 guys were
> > developing it. But I haven't seen any code that deals with non-default
> > providers in the SSL context, especially when one wants to mix providers
> > (default for most things + custom for keymgmt & signature only).
> >
> > I hope to have something ready at the end of the month.
> >
> > For a working patch I'll also take a similar amount of time. Depending
> > on how it goes, I'll wait, or post my feature branch for discussion.
> > I'm totally open, and we do not have to go with my approach even if I
> > come up with something. In any case, some discussion may be
> > useful/required to make the basic framework re-usable for all "external
> > key" situations.
>
> If you want to have a look at my effort, I push my WIP here:
> https://github.com/schwabe/openvpn/commits/dco
>
> but currently it is really only mostly boilerplate stuff to figure out
> what OpenSSL really wants from me and what I need to do to make it happy.
> Currently it calls some methods but none of which returns an error, or I
> am missing something. I will probably need to deep dive in OpenSSL's own
> source code and figure out what is happening but that will probably have
> to wait till next week:
>
> PROVIDER INIT
> provider init
> extpki_get_reason_strings
> query operation: 22
> extpki_unquery_operation
> extpki_object_open: STORE/OBJECT OPEN
> STORE/OBJECT SET_PARAMS, expected type: private key (4)
> STORE/OBJECT EOF
> STORE/OBJECT CLOSE
>
> Could not read key from extpki:1234
> extpki_teardown

My effort is in reasonably good shape -- I'll push it to my repo before the end of day. I have key loading through the provider working and can sign with it. Tested with a key in a file (which really doesn't need a provider) but exercises almost all code paths. The rest should be easy.

I saw a mention of a patch that removes all deprecation warnings -- except the external key related stuff. If you have that ready I would like to rebase on top of it. Right now I'm building with 1.1.0 API compatibility.

Thanks,
Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel