Comments (3)
Could you tell us which engine or provider you are using?
In the migration guide, the proposed alternative is the usage of OSSL_STORE. As far as I can tell, the PKey interface only supports BIO inputs.
Correct, ruby/openssl doesn't provider a wrapper for the OSSL_STORE API yet.
from openssl.
Hello,
We are trying to use the pkcs11-provider
to interact with AWS CloudHSM.
For now, I've created a small separate gem that can load an RSA private key from OSSL_STORE (the functionality is limited by our use case)
The extracted EVP_PKEY is then converted to an instance of OpenSSL::PKey::RSA similar to this: https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_engine.c#L375
The conversion seems like a bodge, but I haven't yet found any better options.
The implementation (error handling was omitted here):
VALUE ossl_provider_load_privkey(VALUE self, VALUE uri)
{
EVP_PKEY *privkey = NULL;
OSSL_STORE_INFO *info = NULL;
OSSL_STORE_CTX *store;
char *s_uri;
s_uri = NIL_P(uri) ? NULL : StringValueCStr(uri);
store = OSSL_STORE_open(s_uri, NULL, NULL, NULL, NULL);
for (info = OSSL_STORE_load(store); info != NULL; info = OSSL_STORE_load(store)) {
if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
privkey = OSSL_STORE_INFO_get1_PKEY(info);
}
OSSL_STORE_INFO_free(info);
info = NULL;
}
OSSL_STORE_close(store);
return ossl_pkey_new(privkey);
}
It seems to do the job, but there are quite a few limitations. For example, calling to_pem
(or other methods that try to export a key) cause a segfault. It seems to be caused by the fact that some deprecated functions are still being used, like RSA_get0_key
(from a surface level debugging)
Sign/verify operations seem to work fine (even for mTLS). Encrypt/decrypt also works, but there with some quirks.
I could try to implement this and open a PR, but I'm not really sure what would be the best way to integrate it. The simplest and safest way would be to create a separate module, similar to engines, but it kinda goes against the idea of providers. On the other hand, the STORE API can be used universally, but I guess this will require to a lot of significant changes.
from openssl.
Just for your information: A Fedora Linux's OpenSSL RPM package owner is trying to drop the engine support because they said that these were not FIPS compatible and the API has been deprecated since OpenSSL 3.0. The owner Dmitry Belyavskiy is one of the maintainers in the OpenSSL project as far as I know. And importantly he said, "The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers or will be covered soon.".
https://fedoraproject.org/wiki/Changes/OpensslNoEngine
We are going to build OpenSSL without engine support. Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers or will be covered soon.
Below is a discussion about the change proposal in the Fedora project.
https://lists.fedoraproject.org/archives/list/[email protected]/thread/SEH75XSFCVS44VKDYOP2ZECLTH4YETNC/
from openssl.
Related Issues (20)
- FIPS: DH: OpenSSL::PKey.generate_parameters returning a value with block of break. HOT 7
- macos-latest truffeeruby-head: test_basic_response_response_operations failing HOT 3
- truffleruby-head 24.0.0-dev: Failing to compile dependant stringio gem. HOT 14
- OpenSSL::PKey::EC.new(nil).generate_key fails with OpenSSL::PKey::PKeyError HOT 6
- OpenSSL 3.2.0 - sessions, time, signed vs unsigned, failure with negative session timeout values HOT 6
- OpenSSL::SSL::SSLContext.new returns SSL_CTX_new: library has no ciphers HOT 6
- Respect system wide minimum TLS version HOT 2
- windows-latest 3.3 case failing with "OpenSSL::Provider::ProviderError: Failed to load legacy provider: (null) (name=legacy)" HOT 8
- OpenSSL::PKey::PKey subclass for EVP_PKEY_RSA_PSS HOT 4
- Error "Failed to build gem native extension." when running "gem install openssl" in Fedora HOT 4
- OpenSSL udate 3.2.1 for CVE-2023-6129 HOT 3
- OpenSSL 3 support for loading engine keys HOT 3
- OpenSSL version 3.3.0-dev: OpenSSL::ASN1::ASN1Error: utctime/generalizedtime is too short HOT 7
- OpenSSL::ASN1.decode doesn't correctly parse UTCTime or GeneralizedTime with fractional seconds or a timezone
- remove file check to support proxied SSL connection HOT 5
- When decrypted with a different private key, `OpenSSL::PKey::RSAError` does not occur HOT 2
- Upcoming OpenSSL Webinar: Writing Your First OpenSSL Application
- Invalid CSR versions set in regress tests HOT 2
- OpenSSL::SSL::SSLError: SSL_write: unsupported method HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openssl.