Missing EVP_PKEY_meth_get_xxx methods?


Blumenthal, Uri - 0553 - MITLL

Moving to openssl-dev, because I think OpenSSL-1.0.2 needs a fix.

To be more specific, the following get methods are missing in 1.0.2:

- EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *,  …)
- EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *,  …)
- EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *,  …)

Note that the corresponding set methods are (thankfully) already present:

- EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *,  …)
- EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *,  …)
- EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *,  …)

Can I hope that these get methods would be added? Maybe even soon?

--
Regards,
Uri Blumenthal

 

From: Uri Blumenthal <[hidden email]>
Date: Sunday, October 01, 2017 at 19:59
To: <[hidden email]>
Subject: Re: [openssl-users] Missing EVP_PKEY method to set engine?

Thank you!

I observe that in 1.1.x everything's fine - the structure evp_pkey_methods_st is opaque, but both getters and setters are defined and available.

In 1.0.2 the structure is already opaque, the setters are present, but some getters are absent. Which makes it quite hard to work with members of this structure.

I think this is a bug, and two possible remedies IMHO are: add getter functions for the members, or add/move this structure from evp-int.h to evp.h (so it's no longer opaque).

What is your opinion?

Thanks!

Regards,
Uri

Sent from my iPhone


On Oct 1, 2017, at 18:54, Dr. Stephen Henson <[hidden email]> wrote:

> On Fri, Sep 29, 2017, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Apologies in advance for cross-posting - but I'm not sure which of the two mailing lists this belongs to.
> >
> > A key (say, private key) is loaded from the pkcs11 engine via privkey = ENGINE_load_private_key(engine, <whatever else>); and this operation succeeds.
> >
> > However the resulting key handle has its engine == NULL. I looked for a method or a macro to explicitly set that value to the pointer to the engine that this key is bound to, but couldn't find any. I define new methods such as pkcs11_pkey_rsa_decrypt(), and try to make OpenSSL aware of them via:
> >
> >     EVP_PKEY_METHOD *orig_pmeth = EVP_PKEY_meth_find(EVP_PKEY_RSA);
> >     EVP_PKEY_METHOD *pmeth = EVP_PKEY_meth_new(EVP_PKEY_RSA, EVP_PKEY_FLAG_AUTOARGLEN);
> >     EVP_PKEY_meth_copy(pmeth, orig_pmeth);
> >     EVP_PKEY_meth_get_decrypt(orig_pmeth, &pdecr_init, &pdecr);
> >     EVP_PKEY_meth_set_decrypt(pmeth, pdecr_init, pkcs11_pkey_rsa_decrypt);
>
> There doesn't seem to be any easy way to do that for an existing method. If
> the ENGINE has its own ASN.1 method things become easier.
>
> A workaround might be to use a copy of an existing A workaround might be to
> create a copy of an existing ASN.1 method but I've not tried that.
>
> > In ENGINE_set_pkey_meths(engine, pkey_meths) what should pkey_meths() actually be? Is it documented?
>
> Not currently but it is similar to the cipher/digest functions but handles
> EVP_PKEY_METHOD instead.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
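
The reply quoted in the message above says the pkey_meths argument of ENGINE_set_pkey_meths() works like the engine cipher/digest selector functions. An added example of that callback contract follows; it is not code from the thread or from OpenSSL. The names pkcs11_pkey_meths, pkcs11_rsa_pmeth and pkcs11_pkey_nids are hypothetical, and the OpenSSL types are forward-declared so the block compiles without the library headers.

```c
#include <stddef.h>

/* Forward declarations so the block compiles without OpenSSL installed;
 * a real engine includes <openssl/engine.h> and <openssl/evp.h> instead. */
typedef struct engine_st ENGINE;
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
#ifndef EVP_PKEY_RSA
# define EVP_PKEY_RSA 6   /* NID_rsaEncryption */
#endif

/* Hypothetical: set at engine init to the method built with
 * EVP_PKEY_meth_new(), EVP_PKEY_meth_copy() and EVP_PKEY_meth_set_decrypt(). */
static EVP_PKEY_METHOD *pkcs11_rsa_pmeth = NULL;

/* Key types this engine supplies a method for. */
static const int pkcs11_pkey_nids[] = { EVP_PKEY_RSA };

/* Two-mode selector, same shape as the engine cipher/digest selectors:
 *   pmeth == NULL: list mode, point *nids at the supported NIDs and
 *                  return how many there are;
 *   pmeth != NULL: lookup mode, store the method for `nid` in *pmeth and
 *                  return 1, or store NULL and return 0 if unsupported. */
static int pkcs11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
                             const int **nids, int nid)
{
    (void)e;
    if (pmeth == NULL) {
        if (nids == NULL)
            return 0;
        *nids = pkcs11_pkey_nids;
        return (int)(sizeof(pkcs11_pkey_nids) / sizeof(pkcs11_pkey_nids[0]));
    }
    if (nid == EVP_PKEY_RSA && pkcs11_rsa_pmeth != NULL) {
        *pmeth = pkcs11_rsa_pmeth;
        return 1;
    }
    *pmeth = NULL;          /* unknown key type, or method not built yet */
    return 0;
}

/* A real engine registers it with ENGINE_set_pkey_meths(engine, pkcs11_pkey_meths). */
int main(void)
{
    const int *nids = NULL;
    return pkcs11_pkey_meths(NULL, NULL, &nids, 0) == 1 ? 0 : 1;
}
```

Returning 0 with *pmeth set to NULL for an unsupported key type lets OpenSSL fall back to its built-in method for that type.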


Re: Missing EVP_PKEY_meth_get_xxx methods?

Matt Caswell-2


On 02/10/17 15:00, Blumenthal, Uri - 0553 - MITLL wrote:

> Moving to openssl-dev, because I think OpenSSL-1.0.2 needs a fix.
>
> To be more specific, the following get methods are missing in 1.0.2:
>
> - EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *,  …)
> - EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *,  …)
> - EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *,  …)
>
> Note that the corresponding set methods are (thankfully) already present:
>
> - EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *,  …)
> - EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *,  …)
> - EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *,  …)
>
> Can I hope that these get methods would be added? Maybe even soon?

Normally we don't add new features/functions to a stable release.
However our policy for 1.1.0 (which obviously made lots of structures
opaque), is that missing accessors are considered a bug - and we do add
those. The situation is less clear for 1.0.2 since most structures are
not opaque and we did not make wholesale opacity changes for that release.

If we had a PR to add them it might spur the discussion about whether
adding these is valid for 1.0.2 or not to a conclusion!! Fancy creating one?

Matt



Re: Missing EVP_PKEY_meth_get_xxx methods?

Dr. Stephen Henson
On Mon, Oct 02, 2017, Matt Caswell wrote:

> On 02/10/17 15:00, Blumenthal, Uri - 0553 - MITLL wrote:
> > Moving to openssl-dev, because I think OpenSSL-1.0.2 needs a fix.
> >
> > To be more specific, the following get methods are missing in 1.0.2:
> >
> > - EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *,  …)
> > - EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *,  …)
> > - EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *,  …)
> >
> > Note that the corresponding set methods are (thankfully) already present:
> >
> > - EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *,  …)
> > - EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *,  …)
> > - EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *,  …)
> >
> > Can I hope that these get methods would be added? Maybe even soon?
>
> Normally we don't add new features/functions to a stable release.
> However our policy for 1.1.0 (which obviously made lots of structures
> opaque), is that missing accessors are considered a bug - and we do add
> those. The situation is less clear for 1.0.2 since most structures are
> not opaque and we did not make wholesale opacity changes for that release.
>
> If we had a PR to add them it might spur the discussion about whether
> adding these is valid for 1.0.2 or not to a conclusion!! Fancy creating one?
>

Personally I'm in favour of adding these to 1.0.2, that structure has always
been opaque.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Missing EVP_PKEY_meth_get_xxx methods?

Blumenthal, Uri - 0553 - MITLL
Matt and Steve,

Thank you! I indeed fancied creating a PR to add those: https://github.com/openssl/openssl/pull/4452

;-)
--
Regards,
Uri Blumenthal
