author | Richard Levitte <levitte@openssl.org> | 2020-08-05 10:28:51 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2020-09-03 17:48:32 +0200 |
commit | a10847c427744fb7e7d29953dee130a52251c027 (patch) | |
tree | a009c19372810a87154460cbbebe6e106dcf88c4 | |
parent | b5275648843ace1a441521823913ccbbebb8769c (diff) |
"Downgrade" provider-native keys to legacy where needed
Some sub-systems and openssl sub-commands do not yet deal cleanly with
purely provider-native EVP_PKEYs. We compensate for that by "downgrading"
keys in select places, or by ensuring that the 'file:' scheme ENGINE loader
is activated.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)
-rw-r--r-- | apps/cms.c | 15 | ||||
-rw-r--r-- | apps/smime.c | 16 | ||||
-rw-r--r-- | crypto/pkcs7/pk7_lib.c | 11 | ||||
-rw-r--r-- | test/evp_extra_test.c | 13 | ||||
-rw-r--r-- | test/recipes/20-test_pkeyutl.t | 11 | ||||
-rw-r--r-- | test/recipes/25-test_req.t | 30 |
6 files changed, 83 insertions, 13 deletions
diff --git a/apps/cms.c b/apps/cms.c index bcf2f44ce5..d154f460b3 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -866,6 +866,13 @@ int cms_main(int argc, char **argv) key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (key == NULL) goto end; + + /* + * TODO: Remove this when CMS has full support for provider-native + * EVP_PKEYs + */ + if (EVP_PKEY_get0(key) == NULL) + goto end; } in = bio_open_default(infile, 'r', informat); @@ -1064,6 +1071,14 @@ int cms_main(int argc, char **argv) ret = 2; goto end; } + + /* + * TODO: Remove this when CMS has full support for provider-native + * EVP_PKEYs + */ + if (EVP_PKEY_get0(key) == NULL) + goto end; + for (kparam = key_first; kparam; kparam = kparam->next) { if (kparam->idx == i) { tflags |= CMS_KEY_PARAM; diff --git a/apps/smime.c b/apps/smime.c index 5ecdc019d2..dbfcdbeb5a 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -477,6 +477,14 @@ int smime_main(int argc, char **argv) key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (key == NULL) goto end; + + /* + * TODO: Remove this when CMS has full support for provider-native + * EVP_PKEYs + */ + if (EVP_PKEY_get0(key) == NULL) + goto end; + } in = bio_open_default(infile, 'r', informat); @@ -571,6 +579,14 @@ int smime_main(int argc, char **argv) key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (key == NULL) goto end; + + /* + * TODO: Remove this when CMS has full support for provider-native + * EVP_PKEYs + */ + if (EVP_PKEY_get0(key) == NULL) + goto end; + if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags)) goto end; X509_free(signer); diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 797d1d2c25..d891ca22e8 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c 
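Review bot: The added `if (EVP_PKEY_get0(key) == NULL) goto end;` after `load_key()` in `cms_main` bails out without telling the user anything, so a signing key that cannot be handled fails with no stated reason; whether the `end:` label prints the error queue is outside the hunk. The same bare check is repeated in the second cms.c hunk (before the `kparam` loop, where the neighbouring failure path sets `ret = 2` first) and in both apps/smime.c hunks. I would report it at each site, e.g. `BIO_printf(bio_err, "Signing key type is not yet supported here\n");` before the `goto end;`. Going by the commit description, `EVP_PKEY_get0()` is called here only to trigger the downgrade and its return value is discarded, which the comment should state. `cms_main` starts and ends outside the hunk.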
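Review bot: The TODO comments added in both apps/smime.c hunks say "when CMS has full support", but this file drives the PKCS7 code (`PKCS7_sign_add_signer` is the next call in the second hunk), so the marker is easy to miss when someone searches for the outstanding PKCS7 work. Suggested wording: `TODO: Remove this when PKCS7 has full support for provider-native EVP_PKEYs`. The first smime.c hunk also adds an empty line directly before the closing brace, which can be dropped.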
@@ -319,6 +319,17 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, ASN1_INTEGER_dup(X509_get0_serialNumber(x509)))) goto err; + /* + * TODO(3.0) Adapt for provider-native keys + * Meanwhile, we downgrade the key. + * #legacy + */ + if (!evp_pkey_downgrade(pkey)) { + PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET, + PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + goto err; + } + /* lets keep the pkey around for a while */ EVP_PKEY_up_ref(pkey); p7i->pkey = pkey; diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index bae6f2339b..f62e26c290 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -33,6 +33,14 @@ #include "internal/sizes.h" #include "crypto/evp.h" +#ifndef OPENSSL_NO_SM2 +/* + * TODO(3.0) remove when provider SM2 keymgmt is implemented and + * EVP_PKEY_set_alias_type() works with provider-native keys. + */ +# define TMP_SM2_HACK +#endif + static OPENSSL_CTX *testctx = NULL; /* @@ -881,6 +889,11 @@ static int test_EVP_SM2_verify(void) if (!TEST_true(pkey != NULL)) goto done; +#ifdef TMP_SM2_HACK + if (!TEST_ptr(EVP_PKEY_get0(pkey))) + goto done; +#endif + if (!TEST_true(EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2))) goto done; diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t index 543038cab9..3c135630f7 100644 --- a/test/recipes/20-test_pkeyutl.t +++ b/test/recipes/20-test_pkeyutl.t 
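Review bot: `evp_pkey_downgrade(pkey)` in `PKCS7_SIGNER_INFO_set` appears to convert the caller's key object in place, and the added comment does not say that the argument is modified. The function then stores that same object in `p7i->pkey` after `EVP_PKEY_up_ref()`, so any other holder of the `EVP_PKEY` will presumably see a legacy key once this call returns. I would extend the comment with a line such as `* Note: this modifies the caller's pkey; it stays downgraded after return.` and mention the side effect wherever this public function is documented. The function starts and ends outside the hunk.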
@@ -24,14 +24,21 @@ SKIP: { skip "Skipping tests that require EC, SM2 or SM3", 2 if disabled("ec") || disabled("sm2") || disabled("sm3"); + # TODO(3.0) Remove this when we have a SM2 keymgmt and decoder + my @tmp_sm2_hack = qw(-engine loader_attic) + unless disabled('dynamic-engine') || disabled('deprecated-3.0'); + skip "Skipping tests that require dynamic enginess (temporary meaasure)", 2 + unless @tmp_sm2_hack; + # SM2 - ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign', + ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, '-sign', '-in', srctop_file('test', 'certs', 'sm2.pem'), '-inkey', srctop_file('test', 'certs', 'sm2.key'), '-out', 'sm2.sig', '-rawin', '-digest', 'sm3', '-pkeyopt', 'distid:someid']))), "Sign a piece of data using SM2"); - ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', + ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, + '-verify', '-certin', '-in', srctop_file('test', 'certs', 'sm2.pem'), '-inkey', srctop_file('test', 'certs', 'sm2.pem'), '-sigfile', 'sm2.sig', '-rawin', diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 8d26be2bf0..544d32963c 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -29,6 +29,14 @@ if (disabled("rsa")) { note("There should not be more that at most 80 per line"); } +# TODO(3.0) This should be removed as soon as missing support is added +# Identified problems: +# - SM2 lacks provider-native keymgmt and decoder +# - ED25519, ED448, X25519 and X448 signature implementations do not +# respond to the "algorithm-id" parameter request. +my @tmp_loader_hack = qw(-engine loader_attic) + unless disabled('dynamic-engine') || disabled('deprecated-3.0'); + # Check for duplicate -addext parameters, and one "working" case. my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", "-config", srctop_file("test", "test.cnf"), @req_new ); 
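Review bot: `my @tmp_sm2_hack = qw(-engine loader_attic) unless ...;` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour, and the following `skip ... unless @tmp_sm2_hack;` relies on the array being empty when the condition holds. A conditional expression avoids depending on that: `my @tmp_sm2_hack = (disabled('dynamic-engine') || disabled('deprecated-3.0')) ? () : qw(-engine loader_attic);`. The same construct is used for `@tmp_loader_hack` in the first test/recipes/25-test_req.t hunk. The skip text in this hunk also has two typos ("enginess", "meaasure").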
@@ -135,15 +143,15 @@ subtest "generating certificate requests with Ed25519" => sub { SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ec") || !@tmp_loader_hack; - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-out", "testreq-ed25519.pem", "-utf8", "-key", srctop_file("test", "tested25519.pem")])), "Generating request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-ed25519.pem", "-noout"])), "Verifying signature on request"); @@ -155,15 +163,15 @@ subtest "generating certificate requests with Ed448" => sub { SKIP: { skip "Ed448 is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ec") || !@tmp_loader_hack; - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-out", "testreq-ed448.pem", "-utf8", "-key", srctop_file("test", "tested448.pem")])), "Generating request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-ed448.pem", "-noout"])), "Verifying signature on request"); 
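Review bot: With `|| !@tmp_loader_hack` folded into the existing condition, the Ed25519 subtest is reported as "Ed25519 is not supported by this OpenSSL build" when the actual reason is that the loader_attic engine is unavailable, so lost signature-verification coverage is logged with the wrong explanation. A separate line keeps the log accurate: `skip "Requires the loader_attic engine (temporary)", 2 unless @tmp_loader_hack;`. The Ed448 hunk on this line and the SM2 hunk that follows do the same with their own messages and skip counts (2 and 4).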
@@ -187,28 +195,28 @@ subtest "generating SM2 certificate requests" => sub { SKIP: { skip "SM2 is not supported by this OpenSSL build", 4 - if disabled("sm2"); - ok(run(app(["openssl", "req", + if disabled("sm2") || !@tmp_loader_hack; + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-key", srctop_file("test", "certs", "sm2.key"), "-sigopt", "distid:1234567812345678", "-out", "testreq-sm2.pem", "-sm3"])), "Generating SM2 certificate request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-sm2.pem", "-noout", "-vfyopt", "distid:1234567812345678", "-sm3"])), "Verifying signature on SM2 certificate request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-key", srctop_file("test", "certs", "sm2.key"), "-sigopt", "hexdistid:DEADBEEF", "-out", "testreq-sm2.pem", "-sm3"])), "Generating SM2 certificate request with hex id"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-sm2.pem", "-noout", "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])), |