From: Selva Nair <selva.n...@gmail.com>

The following series of patches implements a built-in provider for interfacing OpenSSL 3.0 when external keys are in use.

Essentially, to intercept the sign operation, the SSL_CTX object has to be created with the properties string set to prioritize our provider. In the provider we implement only keymgmt and signature operations and specify the property string as optional. That allows all operations we do not provide to be used from the default provider.

Same as PR#161 https://github.com/OpenVPN/openvpn/pull/161 with fixup commits in there squashed and rebased to master.

Requires OpenSSL 3.0.1 (released on Dec 14, 2021) or OpenSSL 3.0 or 3.1 dev branch post Oct 27.

Selva Nair (18):
  A built-in provider for using external key with OpenSSL 3.0
  Implement KEYMGMT in the xkey provider
  Implement SIGNATURE operations in xkey provider
  Implement import of custom external keys
  Initialize the xkey provider and use it in SSL context
  A helper function to import private key for management-external-key
  Enable signing via provider for management-external-key
  Add a function to encode digests with PKCS1 DigestInfo wrapper
  Allow management client to announce pss padding support
  Respect algorithm support announced by management client
  Support sending DigestSign request to management client
  Increase ERR_BUF_SIZE when management interface support is enabled
  Add a generic key loading helper function for xkey provider
  pkcs11: Interface the xkey provider with pkcs11-helper
  Enable signing using CNG through xkey provider
  Add a unit test for external key provider
  xkey-provider: Add a test for generic key load and signature
  Add xkey_provider sources and includes to MSVC project

 doc/man-sections/management-options.rst |    8 +-
 doc/management-notes.txt                |   22 +-
 src/openvpn/Makefile.am                 |    2 +
 src/openvpn/cryptoapi.c                 |  241 ++++-
 src/openvpn/error.h                     |    4 +-
 src/openvpn/manage.h                    |    2 +
 src/openvpn/openssl_compat.h            |    8 +
 src/openvpn/openvpn.vcxproj             |    3 +
 src/openvpn/options.c                   |   31 +-
 src/openvpn/options.h                   |    2 +
 src/openvpn/pkcs11_openssl.c            |  151 +++
 src/openvpn/ssl.c                       |    5 +
 src/openvpn/ssl.h                       |    6 +
 src/openvpn/ssl_mbedtls.c               |    6 +
 src/openvpn/ssl_openssl.c               |  108 +-
 src/openvpn/xkey_common.h               |  158 +++
 src/openvpn/xkey_helper.c               |  393 +++++++
 src/openvpn/xkey_provider.c             | 1189 ++++++++++++++++++++++
 tests/unit_tests/openvpn/Makefile.am    |   16 +
 tests/unit_tests/openvpn/test_provider.c |  403 ++++++++
 20 files changed, 2715 insertions(+), 43 deletions(-)
 create mode 100644 src/openvpn/xkey_common.h
 create mode 100644 src/openvpn/xkey_helper.c
 create mode 100644 src/openvpn/xkey_provider.c
 create mode 100644 tests/unit_tests/openvpn/test_provider.c

-- 
2.30.2

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
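The optional-property fallthrough the cover letter relies on, as an added model written for this page (not code from the patch series or from OpenSSL): the provider/implementation table is constructed, and `fetch` reproduces the rule that a `?`-prefixed property query such as `?provider=xkey` is only a preference, so operations the xkey provider lacks resolve to the default provider, while a bare `provider=xkey` is a hard requirement.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table: the default provider implements everything, the
 * modelled xkey provider only keymgmt and signature (not OpenSSL's registry). */
struct impl { const char *provider, *operation, *algorithm; };

static const struct impl table[] = {
    { "default", "digest",    "SHA256" },
    { "default", "keymgmt",   "RSA" },
    { "default", "signature", "RSA" },
    { "xkey",    "keymgmt",   "RSA" },
    { "xkey",    "signature", "RSA" },
};
#define NIMPL (sizeof(table) / sizeof(table[0]))

/* Resolve a fetch of (operation, algorithm) under "provider=NAME" or
 * "?provider=NAME". A bare property must match; a '?'-prefixed one is a
 * preference, so another provider's implementation is accepted when the
 * preferred one has none. Returns the chosen provider, or NULL. */
const char *fetch(const char *operation, const char *algorithm, const char *propq)
{
    int optional = (propq[0] == '?');
    const char *want = optional ? propq + 1 : propq;
    const char *fallback = NULL;

    if (strncmp(want, "provider=", 9) != 0)
        return NULL;            /* only provider= queries are modelled */
    want += 9;

    for (size_t i = 0; i < NIMPL; i++) {
        if (strcmp(table[i].operation, operation) != 0
            || strcmp(table[i].algorithm, algorithm) != 0)
            continue;
        if (strcmp(table[i].provider, want) == 0)
            return table[i].provider;     /* preferred provider wins outright */
        if (optional && fallback == NULL)
            fallback = table[i].provider; /* first acceptable alternative */
    }
    return fallback;
}

int main(void)
{
    printf("signature RSA  -> %s\n", fetch("signature", "RSA", "?provider=xkey"));
    printf("digest SHA256  -> %s\n", fetch("digest", "SHA256", "?provider=xkey"));
    return 0;
}
```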