mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

EVP_PKEY_copy_parameters fct call fails - OpenSSL 1.0.2n - patch788 #150

Closed kufrio closed 4 years ago

kufrio commented 6 years ago

Hi,

We tried some of the older patches (patch788 and a similar one found on GitHub "before 06.06.2018"). The function call to EVP_PKEY_copy_parameters is failing:

https://github.com/mpeylo/cmpossl/blob/80223717caddd4d52cc23d842e862adc2f932566/crypto/cmp/cmp_ctx.c#L147

This function is part of pkey_dup, which is called from CMP_CTX_set1_pkey. Setting the type to RSA after creating pkeyDup did not help. RSA is the type we used in our code for generating the pkey.

We are trying to apply the CMPv2 patch to OpenSSL 1.0.2n. Do you have a recommendation on which patch to use from the ones available on GitHub?

The workaround was to use the code from patch 711:

```c
static EVP_PKEY *pkey_dup(const EVP_PKEY *pkey)
{
    EVP_PKEY *pkeyDup = EVP_PKEY_new();
    if (!pkeyDup)
        goto err;

    /* Share the low-level key object: the set1 functions increment its
     * reference count instead of copying parameters into a type-less key. */
    switch (pkey->type) {
#ifndef OPENSSL_NO_RSA
    case EVP_PKEY_RSA:
        EVP_PKEY_set1_RSA(pkeyDup, pkey->pkey.rsa);
        break;
#endif
#ifndef OPENSSL_NO_DSA
    case EVP_PKEY_DSA:
        EVP_PKEY_set1_DSA(pkeyDup, pkey->pkey.dsa);
        break;
#endif
#ifndef OPENSSL_NO_DH
    case EVP_PKEY_DH:
        EVP_PKEY_set1_DH(pkeyDup, pkey->pkey.dh);
        break;
#endif
#ifndef OPENSSL_NO_EC
    case EVP_PKEY_EC:
        EVP_PKEY_set1_EC_KEY(pkeyDup, pkey->pkey.ec);
        break;
#endif
    default:
        CMPerr(CMP_F_PKEY_DUP, CMP_R_UNSUPPORTED_KEY_TYPE);
        goto err;
    }
    return pkeyDup;

 err:
    if (pkeyDup)
        EVP_PKEY_free(pkeyDup);
    return NULL;
}
```

DDvO commented 5 years ago

Unfortunately I overlooked your message of September.

Meanwhile there is a much more convenient way of building CMPforOpenSSL (also) for use with OpenSSL 1.0.2 - see the updated Quick-Start guide. Does this work for you?

kufrio commented 4 years ago

The update is on hold till we finish the update of OpenSSL to version 1.1.1d. Then we plan to use a proper CMPv2 implementation for it. Which one do you recommend?

DDvO commented 4 years ago

Good that you are moving on to OpenSSL 1.1.1. The CMP contribution to OpenSSL is still under way and will likely be available with the release of OpenSSL v3.0, which is officially planned for the last quarter of 2020. For now, as well as for use with any OpenSSL 1.1.x, I still recommend using the standalone libcmp build described in https://github.com/mpeylo/cmpossl/wiki/Quick-Start. For these more recent versions of OpenSSL the standalone builds typically work smoothly.