
Implement new PKCS #11 3.0 features (ed25519, curve25519)

Open Jakuje opened this issue 4 years ago • 8 comments

OpenSC has some of the PKCS#11 features in the pipeline to get merged (OpenSC/OpenSC#2096, OpenSC/OpenSC#1854). Once they are in, it would be great if libp11 could use the new interfaces and the new key types and mechanisms.

Jakuje avatar Oct 12 '20 09:10 Jakuje

Opening one issue for several features makes tracking their implementation hard. Which new PKCS#11 3.0 features were actually implemented in OpenSC? Which of them do you consider useful for libp11?

mtrojnar avatar Oct 13 '20 18:10 mtrojnar

I think for libp11, it should be significantly easier as it should be enough to add definitions for new PKCS#11 3.0 API, try to use it (and fallback to 2.x API if not available) and support new key types ed25519, curve25519 so far.

Jakuje avatar Oct 13 '20 21:10 Jakuje
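An added example (not libp11's or OpenSC's code) of the approach in the comment above: look for the PKCS#11 3.0 entry point C_GetInterface, ask it for version 3.0 explicitly, and fall back to the 2.x C_GetFunctionList when the symbol is missing or the request is refused. Everything here is constructed for the illustration: the CK_* declarations are minimal stand-ins that only reproduce the leading layout of the real pkcs11.h structs so the file builds without the headers, the sym_lookup hook stands in for dlsym, and the three in-process "modules" are test doubles, not real tokens.

```c
/* Added example (not libp11 code): negotiate the PKCS#11 3.0 interface via
 * C_GetInterface and fall back to the 2.x C_GetFunctionList entry point.
 * CK_* below are minimal stand-ins sharing the leading layout of pkcs11.h;
 * the "modules" at the bottom are constructed test doubles. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
typedef unsigned char CK_UTF8CHAR;
typedef struct { unsigned char major, minor; } CK_VERSION;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL

/* Both function lists begin with a CK_VERSION; the real structs continue
 * with the C_* function pointers, which this example never calls. */
typedef struct { CK_VERSION version; } CK_FUNCTION_LIST;
typedef struct { CK_VERSION version; } CK_FUNCTION_LIST_3_0;
typedef struct {
    char *pInterfaceName;   /* "PKCS 11" selects the standard interface */
    void *pFunctionList;    /* CK_FUNCTION_LIST_3_0 * when version is 3.0 */
    CK_FLAGS flags;
} CK_INTERFACE;

typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **);
typedef CK_RV (*CK_C_GetInterface)(CK_UTF8CHAR *, CK_VERSION *,
                                   CK_INTERFACE **, CK_FLAGS);
/* Symbol lookup hook: with a real module this wraps dlsym(handle, name). */
typedef void *(*sym_lookup)(void *module, const char *name);

struct pkcs11_binding {
    int api_major, api_minor;   /* negotiated API version */
    void *funcs;                /* function list of that version */
};

/* Returns 0 on success, -1 if the module exports neither entry point. */
int pkcs11_bind(void *module, sym_lookup lookup, struct pkcs11_binding *out)
{
    CK_C_GetInterface get_iface;
    CK_C_GetFunctionList get_list;
    CK_FUNCTION_LIST *list = NULL;

    memset(out, 0, sizeof(*out));
    /* 3.0 path: request 3.0 explicitly so a newer module cannot hand back a
     * function list whose layout this code does not know. */
    get_iface = (CK_C_GetInterface)lookup(module, "C_GetInterface");
    if (get_iface) {
        CK_VERSION want = { 3, 0 };
        CK_INTERFACE *iface = NULL;
        CK_RV rv = get_iface((CK_UTF8CHAR *)"PKCS 11", &want, &iface, 0);
        if (rv == CKR_OK && iface && iface->pFunctionList) {
            CK_FUNCTION_LIST_3_0 *fl = iface->pFunctionList;
            out->api_major = fl->version.major;
            out->api_minor = fl->version.minor;
            out->funcs = fl;
            return 0;
        }
        /* Symbol present but 3.0 refused: treat the module as 2.x. */
    }
    /* 2.x path, which every module must export. */
    get_list = (CK_C_GetFunctionList)lookup(module, "C_GetFunctionList");
    if (!get_list || get_list(&list) != CKR_OK || !list)
        return -1;
    out->api_major = list->version.major;
    out->api_minor = list->version.minor;
    out->funcs = list;
    return 0;
}

/* ---- constructed test doubles standing in for loaded modules ---- */
struct fake_sym { const char *name; void *addr; };
static CK_FUNCTION_LIST_3_0 fake30_list  = { { 3, 0 } };
static CK_FUNCTION_LIST     fake240_list = { { 2, 40 } };
static CK_INTERFACE fake30_iface = { "PKCS 11", &fake30_list, 0 };

static CK_RV fake30_GetInterface(CK_UTF8CHAR *name, CK_VERSION *ver,
                                 CK_INTERFACE **out, CK_FLAGS flags)
{
    (void)flags;
    if (name && strcmp((const char *)name, "PKCS 11") != 0)
        return CKR_ARGUMENTS_BAD;
    if (ver && (ver->major != 3 || ver->minor != 0))
        return CKR_ARGUMENTS_BAD;
    *out = &fake30_iface;
    return CKR_OK;
}
/* A 3.0 module still answers C_GetFunctionList with the 2.40 list. */
static CK_RV fake_GetFunctionList(CK_FUNCTION_LIST **out)
{ *out = &fake240_list; return CKR_OK; }

struct fake_sym module_v30[] = {
    { "C_GetInterface",    (void *)fake30_GetInterface },
    { "C_GetFunctionList", (void *)fake_GetFunctionList }, { NULL, NULL } };
struct fake_sym module_v240[] = {
    { "C_GetFunctionList", (void *)fake_GetFunctionList }, { NULL, NULL } };
struct fake_sym module_broken[] = { { NULL, NULL } };

void *fake_lookup(void *module, const char *name)
{
    for (struct fake_sym *s = module; s->name; s++)
        if (strcmp(s->name, name) == 0)
            return s->addr;
    return NULL;
}

/* Negotiated version as major*100+minor, or -1 when binding fails. */
int negotiate_version(struct fake_sym *module)
{
    struct pkcs11_binding b;
    if (pkcs11_bind(module, fake_lookup, &b) != 0)
        return -1;
    return b.api_major * 100 + b.api_minor;
}

int main(void)
{
    printf("3.0 module: %d, 2.40 module: %d, broken: %d\n",
           negotiate_version(module_v30), negotiate_version(module_v240),
           negotiate_version(module_broken));
    return 0;
}
```

With a real module the lookup hook is dlsym over the dlopen'd library and `funcs` is cast to the full CK_FUNCTION_LIST_3_0 or CK_FUNCTION_LIST. The version check matters for the key-type work mentioned above: the Edwards and Montgomery key types (CKK_EC_EDWARDS, CKK_EC_MONTGOMERY) and the CKM_EDDSA mechanism are defined in the 3.0 specification, so a loader that ends up on the 2.x path should not expect a module to understand them.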

> add definitions for new PKCS#11 3.0 API, try to use it (and fallback to 2.x API if not available)

Does support for new key types depend on it?

mtrojnar avatar Oct 14 '20 07:10 mtrojnar

Technically not, but the new key types are specified only in the 3.0 standard.

Jakuje avatar Oct 14 '20 08:10 Jakuje

https://en.wikipedia.org/wiki/KISS_principle

mtrojnar avatar Oct 14 '20 08:10 mtrojnar

I believe the main issue which needs to be addressed is 1.6 "Engines and METHOD APIs": "METHODS (for example EVP_MD_meth_new, EVP_CIPHER_meth_new, EVP_PKEY_meth_new, RSA_meth_new, EC_KEY_METHOD_new, etc.). These functions are being deprecated in OpenSSL 3.0 ... Authors and maintainers of external engines are strongly encouraged to refactor their code transforming engines into providers using the new Provider API and avoiding deprecated methods."

The way I read it, libp11 will need a provider interface in addition to the engine. Eventually OpenSSL will stop upgrading the engine and will finally drop it. Now is the time to get started. It will be easier to get changes included earlier rather than later.

This may also eliminate circular reference problems as listed in #294

dengert avatar Oct 22 '20 15:10 dengert

> These functions are being deprecated in OpenSSL 3.0

@dengert What does OpenSSL 3.0 have to do with PKCS#11 3.0 (besides the version number)?

mtrojnar avatar Oct 22 '20 16:10 mtrojnar

Yes, they are deprecated in 3.0, but can still be used for some time if the application is compiled with -DOPENSSL_USE_DEPRECATED -DOPENSSL_API_COMPAT=0x10101000L

So that gives us time to create a provider and control its use using the above two defines.

You're right, #294 does not deal with OpenSSL 3.0, but it does deal with the way engines are loaded. Hopefully OpenSSL 3.0 providers will not have these same issues when loading a provider.

dengert avatar Oct 22 '20 16:10 dengert