Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there a workaround for RHEL 9.3/4 OpenSSL 3.0.7 EC export compressed bug? #348

Closed
space88man opened this issue Feb 22, 2024 · 2 comments
Closed

Is there a workaround for RHEL 9.3/4 OpenSSL 3.0.7 EC export compressed bug? #348

space88man opened this issue Feb 22, 2024 · 2 comments

Comments

@space88man
Copy link
Contributor

space88man commented Feb 22, 2024
edited
Loading

Describe the bug
To be clear this is a bug in RHEL 9.3 OpenSSL 3.0.7 ec_export but cannot be fixed in time for 9.4.

I am wondering if there is a workaround that pkcs11-provider can do during keymgmt import.

With OpenSSL 3.0.7 bug EC public key comparison will always fail: during export the point-format says "uncompressed" but the actual data in the OSSL_PARAMS is compressed (about half the size).
Thus cmp_attr(key1, key2, CKA_P11PROV_PUB_KEY) fails. I have observed that the data is always about half the size(compressed) compared to the uncompressed data from pkcs11-provider.

A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:

  1. Use OpenSSL 3.0.7 (e.g. from RHEL, compiled from upstream shows the same bug)
  2. softhsm2 with an EC key pair
  3. use s_server

Expected behavior
s_server loads

Operating environment (please complete the following information):

  • RHEL
  • 9.3 and soon 9.4

Token and application used (please complete the following information):

  • softhsm2 with EC keypair

Additional context
Add any other context about the problem here.
@simo5
Copy link
Member

simo5 commented Feb 22, 2024

We could try to detect the condition in code either as an heuristic, or based on probing what openssl version we are dealing with.
I do not see any other workaround.

space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 22, 2024
@space88man
Workaround compressed EC points from OpenSSL 3.0.7
c12e2ea 
Addresses latchset#348
@space88man space88man mentioned this issue Feb 22, 2024
Merged
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 22, 2024
@space88man
Workaround compressed EC points from OpenSSL 3.0.7
70efb9b 
Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 22, 2024
@space88man
Workaround compressed EC points from OpenSSL 3.0.7
6f8a32c 
Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 22, 2024
@space88man
Workaround compressed EC point from OpenSSL <= 3.0.7
2a86af3 
openssl/openssl#16595
OpenSSL <= 3.0.7 unconditionally exports EC public keys
in compressed format. Workaround this by creating the
uncompressed format for correct import.

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 22, 2024
@space88man
Workaround for compressed EC point from OpenSSL <= 3.0.7
f1ed513 
openssl/openssl#16595
OpenSSL <= 3.0.7 unconditionally exports EC public keys
in compressed format - create the uncompressed
format for correct import

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
@space88man
Copy link
Contributor Author

Shifting the discussion to the PR #349

space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 23, 2024
@space88man
Workaround for compressed EC point from OpenSSL <= 3.0.7
173855c 
openssl/openssl#16595
OpenSSL <= 3.0.7 unconditionally exports EC public keys
in compressed format - create the uncompressed
format for correct import

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 23, 2024
@space88man
Workaround for compressed EC point from OpenSSL <= 3.0.7
4abecd8 
openssl/openssl#16595
OpenSSL <= 3.0.7 unconditionally exports EC public keys
in compressed format - create the uncompressed
format for correct import

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 23, 2024
@space88man
Workaround for compressed EC point from OpenSSL <= 3.0.7
0e6be22 
openssl/openssl#16595
OpenSSL <= 3.0.7 unconditionally exports EC public keys
in compressed format - create the uncompressed
format for correct import

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
space88man added a commit to space88man/pkcs11-provider that referenced this issue Feb 23, 2024
@space88man
Detect compressed EC points and convert to uncompressed
5b03a56 
openssl/openssl#16595

Providers may export EC points in compressed format, e.g.,
OpenSSL < 3.0.8, and this format may not actually match
the OSSL_PARAM "point-format". Use heuristics to
detect compressed points and convert to uncompressed.

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
simo5 pushed a commit that referenced this issue Feb 26, 2024
@space88man @simo5
Detect compressed EC points and convert to uncompressed
3bb9a96 
openssl/openssl#16595

Providers may export EC points in compressed format, e.g.,
OpenSSL < 3.0.8, and this format may not actually match
the OSSL_PARAM "point-format". Use heuristics to
detect compressed points and convert to uncompressed.

Addresses #348

Signed-off-by: S-P Chan <[email protected]>
The-Mule pushed a commit to The-Mule/pkcs11-provider that referenced this issue Mar 12, 2024
@space88man @The-Mule
Detect compressed EC points and convert to uncompressed
40e0053 
openssl/openssl#16595

Providers may export EC points in compressed format, e.g.,
OpenSSL < 3.0.8, and this format may not actually match
the OSSL_PARAM "point-format". Use heuristics to
detect compressed points and convert to uncompressed.

Addresses latchset#348

Signed-off-by: S-P Chan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@simo5 @space88man