mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-17 14:32:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

"Downgrade" provider-native keys to legacy where needed

Browse Source 
Some sub-systems and openssl sub-commands do not yet deal cleanly with
purely provider-native EVP_PKEYs.  We compensate that by "downgrading"
keys in select places, or ensure that the 'file:' scheme ENGINE loader
is activated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)
This commit is contained in:
Richard Levitte 2020-08-05 10:28:51 +02:00
parent b527564884
commit a10847c427
6 changed files with 83 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
apps/cms.c
View File

@ -866,6 +866,13 @@ int cms_main(int argc, char **argv)
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
if (key == NULL)
goto end;
/*
* TODO: Remove this when CMS has full support for provider-native
* EVP_PKEYs
*/
if (EVP_PKEY_get0(key) == NULL)
goto end;
}
in = bio_open_default(infile, 'r', informat);
@ -1064,6 +1071,14 @@ int cms_main(int argc, char **argv)
ret = 2;
goto end;
}
/*
* TODO: Remove this when CMS has full support for provider-native
* EVP_PKEYs
*/
if (EVP_PKEY_get0(key) == NULL)
goto end;
for (kparam = key_first; kparam; kparam = kparam->next) {
if (kparam->idx == i) {
tflags |= CMS_KEY_PARAM;

16
apps/smime.c
View File

@ -477,6 +477,14 @@ int smime_main(int argc, char **argv)
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
if (key == NULL)
goto end;
/*
* TODO: Remove this when CMS has full support for provider-native
* EVP_PKEYs
*/
if (EVP_PKEY_get0(key) == NULL)
goto end;
}
in = bio_open_default(infile, 'r', informat);
@ -571,6 +579,14 @@ int smime_main(int argc, char **argv)
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
if (key == NULL)
goto end;
/*
* TODO: Remove this when CMS has full support for provider-native
* EVP_PKEYs
*/
if (EVP_PKEY_get0(key) == NULL)
goto end;
if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags))
goto end;
X509_free(signer);

11
crypto/pkcs7/pk7_lib.c
View File

@ -319,6 +319,17 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
goto err;
/*
* TODO(3.0) Adapt for provider-native keys
* Meanwhile, we downgrade the key.
* #legacy
*/
if (!evp_pkey_downgrade(pkey)) {
PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET,
PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
goto err;
}
/* lets keep the pkey around for a while */
EVP_PKEY_up_ref(pkey);
p7i->pkey = pkey;

13
test/evp_extra_test.c
View File

@ -33,6 +33,14 @@
#include "internal/sizes.h"
#include "crypto/evp.h"
#ifndef OPENSSL_NO_SM2
/*
* TODO(3.0) remove when provider SM2 keymgmt is implemented and
* EVP_PKEY_set_alias_type() works with provider-native keys.
*/
# define TMP_SM2_HACK
#endif
static OPENSSL_CTX *testctx = NULL;
/*
@ -881,6 +889,11 @@ static int test_EVP_SM2_verify(void)
if (!TEST_true(pkey != NULL))
goto done;
#ifdef TMP_SM2_HACK
if (!TEST_ptr(EVP_PKEY_get0(pkey)))
goto done;
#endif
if (!TEST_true(EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)))
goto done;

11
test/recipes/20-test_pkeyutl.t
View File

@ -24,14 +24,21 @@ SKIP: {
skip "Skipping tests that require EC, SM2 or SM3", 2
if disabled("ec") || disabled("sm2") || disabled("sm3");
# TODO(3.0) Remove this when we have a SM2 keymgmt and decoder
my @tmp_sm2_hack = qw(-engine loader_attic)
unless disabled('dynamic-engine') || disabled('deprecated-3.0');
skip "Skipping tests that require dynamic enginess (temporary meaasure)", 2
unless @tmp_sm2_hack;
# SM2
ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, '-sign',
'-in', srctop_file('test', 'certs', 'sm2.pem'),
'-inkey', srctop_file('test', 'certs', 'sm2.key'),
'-out', 'sm2.sig', '-rawin',
'-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
"Sign a piece of data using SM2");
ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack,
'-verify', '-certin',
'-in', srctop_file('test', 'certs', 'sm2.pem'),
'-inkey', srctop_file('test', 'certs', 'sm2.pem'),
'-sigfile', 'sm2.sig', '-rawin',

30
test/recipes/25-test_req.t
View File

@ -29,6 +29,14 @@ if (disabled("rsa")) {
note("There should not be more that at most 80 per line");
}
# TODO(3.0) This should be removed as soon as missing support is added
# Identified problems:
# - SM2 lacks provider-native keymgmt and decoder
# - ED25519, ED448, X25519 and X448 signature implementations do not
# respond to the "algorithm-id" parameter request.
my @tmp_loader_hack = qw(-engine loader_attic)
unless disabled('dynamic-engine') || disabled('deprecated-3.0');
# Check for duplicate -addext parameters, and one "working" case.
my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
"-config", srctop_file("test", "test.cnf"), @req_new );
@ -135,15 +143,15 @@ subtest "generating certificate requests with Ed25519" => sub {
SKIP: {
skip "Ed25519 is not supported by this OpenSSL build", 2
if disabled("ec");
if disabled("ec") || !@tmp_loader_hack;
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-new", "-out", "testreq-ed25519.pem", "-utf8",
"-key", srctop_file("test", "tested25519.pem")])),
"Generating request");
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-verify", "-in", "testreq-ed25519.pem", "-noout"])),
"Verifying signature on request");
@ -155,15 +163,15 @@ subtest "generating certificate requests with Ed448" => sub {
SKIP: {
skip "Ed448 is not supported by this OpenSSL build", 2
if disabled("ec");
if disabled("ec") || !@tmp_loader_hack;
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-new", "-out", "testreq-ed448.pem", "-utf8",
"-key", srctop_file("test", "tested448.pem")])),
"Generating request");
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-verify", "-in", "testreq-ed448.pem", "-noout"])),
"Verifying signature on request");
@ -187,28 +195,28 @@ subtest "generating SM2 certificate requests" => sub {
SKIP: {
skip "SM2 is not supported by this OpenSSL build", 4
if disabled("sm2");
ok(run(app(["openssl", "req",
if disabled("sm2") || !@tmp_loader_hack;
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
"-sigopt", "distid:1234567812345678",
"-out", "testreq-sm2.pem", "-sm3"])),
"Generating SM2 certificate request");
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-verify", "-in", "testreq-sm2.pem", "-noout",
"-vfyopt", "distid:1234567812345678", "-sm3"])),
"Verifying signature on SM2 certificate request");
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
"-sigopt", "hexdistid:DEADBEEF",
"-out", "testreq-sm2.pem", "-sm3"])),
"Generating SM2 certificate request with hex id");
ok(run(app(["openssl", "req",
ok(run(app(["openssl", "req", @tmp_loader_hack,
"-config", srctop_file("test", "test.cnf"),
"-verify", "-in", "testreq-sm2.pem", "-noout",
"-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),