> > If Arne is adding a provider implementation for this, maybe I
> > should hold off?
>
> I am currently trying to get together a "small" provider by adapting
> code from https://github.com/tpm2-software/tpm2-openssl. My provider
> implementation is already 600 lines of code since you need a lot of
> boilerplate code. But the whole documentation of the provider API is not as
> great as it could be. You get documentation of all the functions but you
> have to figure out yourself how all that fits together.
>
>
> OpenSSL has always been like that, isn't it -- one could never
> write anything based on docs alone. I have seen the tpm2 code. That,
> along with the built-in provider implementations in OpenSSL, seems to
> fill some of the gaps in documentation. There were also some discussions
> and questions in the OpenSSL repo (issues) when the tpm2 guys were
> developing it. But I haven't seen any code that deals with non-default
> providers in the SSL context, especially when one wants to mix providers
> (default for most things + custom for keymgmt & signature only).
>
> I hope to have something ready at the end of the month.
>
>
> For a working patch I'll also take a similar amount of time. Depending
> on how it goes, I'll wait, or post my feature branch for discussion.
> I'm totally open, and we do not have to go with my approach even if I
> come up with something. In any case, some discussion may be
> useful/required to make the basic framework re-usable for all "external
> key" situations.
>
If you want to have a look at my effort, I push my WIP here: https://github.com/schwabe/openvpn/commits/dco
but currently it is really only mostly boilerplate stuff to figure out what OpenSSL really wants from me and what I need to do to make it happy. Currently it calls some methods, none of which returns an error, or I am missing something. I will probably need to deep dive into OpenSSL's own source code and figure out what is happening, but that will probably have to wait till next week:

PROVIDER INIT
provider init
extpki_get_reason_strings
query operation: 22
extpki_unquery_operation
extpki_object_open: STORE/OBJECT OPEN
STORE/OBJECT SET_PARAMS, expected type: private key (4)
STORE/OBJECT EOF
STORE/OBJECT CLOSE
Could not read key from extpki:1234
extpki_teardown

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel