Closed ambrisko closed 12 months ago
Thanks for your report. Please provide the elements requested in a bug report, including in this case
../openssl_install/bin/openssl list -providers -verbose -provider-path /data/home/ambrisko/ucs/repo/git/adopter/ucs-adopters/uefi_keys/post_quantum_crypto_provider/openssl_install/lib/ossl-modules -provider default -provider oqsprovider
and ../openssl_install/bin/openssl list -signature-algorithms -provider-path /data/home/ambrisko/ucs/repo/git/adopter/ucs-adopters/uefi_keys/post_quantum_crypto_provider/openssl_install/lib/ossl-modules -provider default -provider oqsprovider
Lastly, to eliminate any issues with a build error on your side, please run your CMS test commands in our pre-built docker image (docker run -it openquantumsafe/oqs-ossl3): They ought to work there as CMS testing is part of CI. No need to pass any -provider or -provider-path parameters there.
Please provide full command and output traces so we can try to understand what's happening. "Exit 1" is not sufficiently tell-tale for us.
Okay, I wanted to sanity check that this is supposed to work before digging into details.
Found the issue was a missing -md sha512 in the signing command. Now works with 3.1.1 and 3.2-dev. Fails with 3.0.9.
When I use the fork https://github.com/open-quantum-safe/openssl, I can do openssl cms sign and verify but with the provider it silently exits:
In these versions, CMS functionality implemented in providers is not supported: The resolution of https://github.com/openssl/openssl/issues/17717 has not been back-ported to OpenSSL 3.0.
Also not supported in this version are provider-based signature algorithms used during TLS1.3 operations as documented in https://github.com/openssl/openssl/issues/10512.
3.2(-dev)
After https://github.com/openssl/openssl/pull/19312 landed, (also PQ) signature algorithms are working in TLS1.3 (handshaking); after https://github.com/openssl/openssl/pull/20486 has landed, also algorithms with very long signatures are supported.
Maybe I'm missing something. CMS verify works fine with the provider if I use the OpenSSL fork to do the signing.
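A preflight and round-trip check that pulls together the findings from this thread (the missing -md sha512, the 3.0.x limitation, and the silent exit), given as an added example that is not part of the original discussion or the project's own code. The function names, the OPENSSL variable and the file arguments are assumptions; widening the reported versions (3.0.9 fails, 3.1.1 and 3.2-dev work) to whole release series is also an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Names and file arguments are hypothetical.
OPENSSL="${OPENSSL:-openssl}"   # path to the openssl binary under test

# Extract "3.1.1" from a banner such as "OpenSSL 3.1.1 30 May 2023 (...)".
version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# 0 = provider-based CMS reported working, 1 = reported failing, 2 = not covered.
# Assumption: the single versions named in the thread stand for their series.
cms_provider_supported() {
    case "$1" in
        3.0|3.0.*)  return 1 ;;  # fix for openssl/openssl issue 17717 not back-ported
        3.1.*|3.2*) return 0 ;;  # thread reports 3.1.1 and 3.2-dev working
        *)          return 2 ;;  # not discussed in the thread
    esac
}

# cms_roundtrip MESSAGE SIGNER_CERT SIGNER_KEY CA_CERT
# Signs and verifies with explicit error reporting instead of a bare exit code.
cms_roundtrip() {
    ver=$(version_from_banner "$("$OPENSSL" version)")
    if ! cms_provider_supported "$ver"; then
        echo "OpenSSL $ver: provider-based CMS not known to work" >&2
        return 1
    fi
    # Confirm the provider can be loaded before blaming the CMS step.
    if ! "$OPENSSL" list -providers -provider default -provider oqsprovider >/dev/null; then
        echo "oqsprovider failed to load" >&2
        return 1
    fi
    # -md sha512 is the option that was missing from the failing sign command.
    if ! "$OPENSSL" cms -sign -in "$1" -signer "$2" -inkey "$3" -md sha512 \
            -nodetach -outform PEM -out "$1.cms" \
            -provider default -provider oqsprovider; then
        echo "cms -sign failed" >&2
        return 1
    fi
    if ! "$OPENSSL" cms -verify -in "$1.cms" -inform PEM -CAfile "$4" \
            -out /dev/null -provider default -provider oqsprovider; then
        echo "cms -verify failed" >&2
        return 1
    fi
    echo "CMS sign and verify succeeded on OpenSSL $ver"
}
```

If the provider lives outside the default module directory, add -provider-path as in the commands quoted earlier in the thread.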