
load provider keys from handle

Open mcr opened this issue 4 months ago • 2 comments

This code uses the openssl 3.x OSSL_STORE_* APIs to load key objects. The older d2i_* and PEM_read_* do not interact at all with providers. This does not solve generating keys using a provider.

mcr, Aug 13 '25 21:08

"handle" seems to be TPM terminology. Since OpenSSL's man page for OSSL_STORE_open() only says that it takes a URI, "uri" would be a better name here.

This needs changes:

  • Please add tests.
  • The code formatting should match the existing style.
  • OSSL_STORE_INFO_get1_PKEY() appears to handle private keys only, not public keys or parameters-only pkeys.
  • The second parameter pwd is unused.
  • OSSL_STORE and OSSL_STORE_INFO are not freed.

rhenium, Aug 27 '25 06:08

The older d2i_* and PEM_read_* do not interact at all with providers.

ruby/openssl uses OSSL_DECODER with OpenSSL 3 instead of d2i_*() and PEM_read_*() functions. It does actually interact with providers, as long as the provider supports encoding the key reference into DER/PEM.

Support for OSSL_STORE_open() would be useful. This should resolve https://github.com/ruby/openssl/issues/722.

rhenium, Aug 27 '25 07:08