-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using PKCS#7 OpenSSL API #251
Comments
"Probably Yes" and "Possibly No" in that order: You are running
This OpenSSL version cannot handle OQS signatures in TLS operations as per documentation. That said, I cannot be entirely certain that this is the issue here without seeing the full OpenSSL stack trace leading to this error. What you could do to test this out is use OpenSSL3.2 instead and see whether the error persists. |
Thank you for looking into this. Unfortunately, bumping the OpenSSL version to Is there any other way for me to log openssl errors in more detail? Currently, I do it as such: while ((err_code = ERR_get_error()))
{
ERR_load_TS_strings();
uts_logger(ct, LOG_ERR, "---\nERR_error_string: '%s'\nERR_reason_error_string: '%s'\nERR_lib_error_string: '%s'\n---\n",
ERR_error_string(err_code, NULL), ERR_reason_error_string(err_code), ERR_lib_error_string(err_code));
} I'm not really familiar with OpenSSL C API and I can't find any documentation for it. |
You need to bump to 3.2. Any 3.1 variant doesn't have all the required capabilities.
Start from https://www.openssl.org/docs/manmaster/man3/ERR_print_errors.html |
My mistake, I bumped it to 3.2, I just messed up my comment here on GitHub :) |
OK -- then that isn't the issue. The API you're calling |
Just did a quick API check: This seems to activate the PKCS7 logic of OpenSSL. I am unsure as to whether this is fully provider enabled. At least, no reference to providers are made there -- unlike in the code for CMS, which does work OK with provider-based signature algorithms. Maybe @levitte can provide insight? |
Is this related only to oqsprovider? I.e. would using OQS-OpenSSL@1.1 fork solve this (I'm aware it is discontinued)? |
So I tried it with OQS-OpenSSL@1.1.1-stable fork and I get two more detailed errors:
|
Unfortunately, PKCS#7 and CMS aren't fully supported for use with providers... yet. |
@levitte Thank you for the response! I completely understand. Would you be able to provide at least non-specific timeframe for OpenSSLv3.3 or PKCS7+CMS functionality? Based on available info, I'm guessing Q1-2 of 2024 to start exploring this? |
Q2-2024 is a good target to start exploring, yeah. Or if you feel adventurous, have a look at what happens on https://github.com/openssl/openssl |
Thanks for the information. CMS does work reasonably well with |
The concrete things that's missing is a replacement mechanism for these ctrls: So basically, that's the bit that needs a better replacement to work with providers. |
There are similar ctrls for PKCS7, which I believe is what's hitting @Muzosh |
Understood (for encrypt/decrypt: I never tested that with |
I actually don't know. I would need some test cases that should trigger them, and time. |
Hello!
I'm having issues running timestamping server with oqsprovider.
I have this Dockerfile:
I can verify that
oqsprovider
is installed:All certificates and private keys I'm feeding it, are Dilithium5. Console openssl with oqsprovider can work with them without any issues.
In the software (using OpenSSL API), I was having issues with populating config values, proper keys, etc. But now, I'm stuck at function
TS_RESP_create_response
, which trows multiple OPENSSL errors (the software obtains them by repeatedly calling ERR_get_error() and printing them):I tried to fix that by running this code before-hand (with
#include <openssl/provider.h>
):, which runs successfully (I see both
no openssl error
andSuccessfully loaded provider
in the output. But still, this does not solve the issue and I'm still getting error:10800094:PKCS7 routines::signing not supported for this key type error.Environment (please complete the following information):
Please run the following commands to obtain the version information:
openssl version
:OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
openssl list -providers
: already posted hereHere is the certificate of a public key, associated with the private key used for signing.
I won't post private key here even if it is just a testing value, but I checked it's ASN1 structure and it's just regular
PrivateKeyInfo
with1.3.6.1.4.1.2.267.7.8.7
algorithm and 7456B octet string. Also, as I said, console openssl does not have issues working with this key.Is there something I'm missing? Is this even an issue related to OQSProvider?
The text was updated successfully, but these errors were encountered: