Open dlansky1 opened 1 month ago
For rationale see https://www.openssl.org/docs/man3.0/man7/migration_guide.html and
Use of the low level APIs has been informally discouraged by the OpenSSL development team for a long time. However in OpenSSL 3.0 this is made more formal. All such low level APIs have been deprecated. You may still use them in your applications, but you may start to see deprecation warnings during compilation (dependent on compiler support for this). Deprecated APIs may be removed from future versions of OpenSSL so you are strongly encouraged to update your code to use the high level APIs instead.
@liyi77 is this something you can pick up again?
I did make some attempts at this: [ec] https://github.com/liyi77/libspdm/commit/0f536df9b3d016538ed0e1dc8e4ba811ade73658 [rsa] https://github.com/liyi77/libspdm/commit/bccc4b1782b7931793575d4a51d5ea7dc3c45910 [hmac] https://github.com/liyi77/libspdm/commit/f432f4071334cfdedcbc8c22d8a1873c9511f95e
This should be a broader issue instead of just ec: the current crypto implementation uses many APIs deprecated in 3.0, such as in hash, hmac, rsa and ec. Unfortunately I found some issues, such as: the new RSA API does not support configuring all RSA params, and the new HMAC API cannot fully replicate the hmac context. This is just a draft, so there may be more issues.
The OpenSSL community has confirmed that they don't have a plan to delete these deprecated APIs before OpenSSL 4, so we can continue to use them until EOL (version 3.0 will be supported until 2026-09-07).
When using the deprecated APIs (for EC at least), some OpenSSL features cannot be used. Specifically, only the default provider can be used. Please consider this when deciding whether to move away from the deprecated APIs.
I am curious about what ec features cannot be used, can you give me an example?
For this issue, feel free to assign it to me once it gets confirmed.
The new API allows using OpenSSL providers, see here: https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md
@dlansky1 if you have a need for this feel free to submit a pull request. This is desirable but we are focused on the SPDM 1.3 implementation at the moment.
Hi,
As part of "Move low-level crypto API away for OpenSSL 3.0" (see #1094) it looks like EC_KEY conversion was missed out. Is it possible to convert EC_KEY to new API, i.e. EVP_PKEY* ? See also #1111.
Thanks,