Hi Arne

On Sat, Sep 18, 2021 at 11:22 AM Selva Nair <selva.n...@gmail.com> wrote:

> Hi Arne,
>
> On Fri, Sep 17, 2021 at 7:33 PM Arne Schwabe <a...@rfc2549.org> wrote:
>
>> >     > If Arne is adding a provider implementation for this, maybe I
>> >     > should hold off?
>> >
>> >     I am currently trying to get together a "small" provider by adapting
>> >     code from https://github.com/tpm2-software/tpm2-openssl
>> >     <https://github.com/tpm2-software/tpm2-openssl>. My provider
>> >     implementation is already 600 lines of code since you need a lot of
>> >     boilerplate code. But the whole documentation of the provider API is
>> >     not as great as it could be. You get documentation of all the functions
>> >     but you have to figure out yourself how all that fits together.
>> >
>> >
>> > OpenSSL has always been like that isn't it -- one could never
>> > write anything based on docs alone.  I have seen the tpm2 code. That,
>> > along with the built-in provider implementations in OpenSSL, seems to
>> > fill some of the gaps in documentation. There were also some discussions
>> > and questions in OpenSSL repo (issues) when the tpm2 guys were
>> > developing it. But I haven't seen any code that deals with non-default
>> > providers in the SSL context, especially when one wants to mix providers
>> > (default for most things + custom for keymgmt & signature only).
>> >
>> >     I hope to have something ready at the end of the month.
>> >
>> >
>> > For a working patch I'll also take a similar amount of time. Depending
>> > on how it goes,  I'll wait, or post my feature branch for discussion.
>> > I'm totally open, and we do not have to go with my approach even if I
>> > come up with something. In any case, some discussion may be
>> > useful/required to make the basic framework re-usable for all "external
>> > key" situations.
>> >
>> If you want to have a look at my effort, I push my WIP here:
>> https://github.com/schwabe/openvpn/commits/dco
>>
>> but currently it is really only mostly boilerplate stuff to figure out
>> what OpenSSL really wants from me and what I need to do to make it happy.
>> Currently it calls some methods, but none of them returns an error, or I
>> am missing something. I will probably need to deep dive into OpenSSL's own
>> source code and figure out what is happening, but that will probably have
>> to wait till next week:
>>
>> PROVIDER INIT
>> provider init
>> extpki_get_reason_strings
>> query operation: 22
>> extpki_unquery_operation
>> extpki_object_open: STORE/OBJECT OPEN
>> STORE/OBJECT SET_PARAMS, expected type: private key (4)
>> STORE/OBJECT EOF
>> STORE/OBJECT CLOSE
>>
>> Could not read key from extpki:1234
>> extpki_teardown
>>
>
>
Here is my working branch:

https://github.com/selvanair/openvpn/tree/xkey-provider-v2

It should build on linux without errors, though with lots of deprecation
warnings in old files. The executable will work and allow one to test key
loading and some of the other internals by running as tls-client with a normal
key in a file -- not an inlined key or external key. The key will get loaded
into the provider and treated as opaque and still pass signature etc. This
is only for testing. See the last commit message for some details on this.

Build with --enable debug. Note that the last commit made for testing will
break signing with external keys until callbacks are connected plus some
more.

I should have a more complete version ready to hook up with
backend callbacks by the end of the weekend.

I skimmed through your branch. You need keymgmt_load to get the loading
through store to work. As for other ops, implementing signature_sign_init
and sign is not enough -- one needs digest_verify methods and digest_sign
methods as well. This is because ssl-ctx has to be created in the context
of our provider for sign to work, but then all public key ops also get
delegated to us.  It took a while for me to sort that out.

Unfortunately this provider framework makes us write a metric ton of glue
code.

Please feel free to nit-pick or otherwise-pick on the code.

Cheers,

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel