
List:       opensc-devel
Subject:    Re: [Opensc-devel] libp11: deprecation of PKCS11_generate_key
From:       William Roberts <bill.c.roberts () gmail ! com>
Date:       2020-12-02 19:06:24
Message-ID: CAFftDdqbzLzvxx+XyiL0xh09ZfwLCxax6o56UO0zhTK63okq1g () mail ! gmail ! com

On Wed, Dec 2, 2020 at 12:53 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
> 
> On Wed, Dec 2, 2020 at 9:29 AM Eliot Roxbergh via Opensc-devel
> <opensc-devel@lists.sourceforge.net> wrote:
> > 
> > Regarding the deprecation of PKCS11_generate_key in libp11
> > (pkcs11_engine),
> > 
> > To generate keypairs in an HSM, I am currently using OpenSSL and
> > libp11. This is possible from OpenSSL by calling the pkcs11 engine with
> > control command "KEYPAIR_GEN_CTRL". However, since this functionality (
> > PKCS11_generate_key) is said to be deprecated in libp11 0.5.0, I ask if
> > there is another way of doing this.
> > 
> > As far as I understand, unlike the other functions which are to be
> > deprecated, to generate keys inside of the HSM is not supported
> > directly by OpenSSL. There must be something I am missing.
> 
> The deprecated function used to generate the key material and then store it
> on the card. The routine was re-implemented and taken off the deprecated list
> when the implementation was changed to create the key on the HSM directly
> via the PKCS11 call C_GenerateKeyPair. This was done in this PR:
> - https://github.com/OpenSC/libp11/pull/188/files
> 
> What's really confusing to me is that it got deprecated again in a
> subsequent commit:
> - https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f
> 
> Even though the implementation looks right:
> - https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f#diff-deee9b449d96805726eeedbf74c24211ebcb3ed246f6fc3ac063d675b6fe5b7fR132
>  
> I'm wondering if a bad merge or something occurred, and that
> DEPRECATED should go away?
> 
> > 
> > Naturally, it would be possible to generate the keys outside of the HSM
> > and then store them therein, but this is of course not acceptable for
> > security reasons.
> 
> Yeah, that's less than ideal, and that's the old implementation that
> was changed by PR #188

This seems like a bug, thus I filed one:
  - https://github.com/OpenSC/libp11/issues/377

I have a PR here:
  - https://github.com/OpenSC/libp11/pull/378

Let's see what the maintainers have to say.

> 
> > 
> > Best regards,
> > Eliot Roxbergh
> > 
> > _______________________________________________
> > Opensc-devel mailing list
> > Opensc-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
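The point of the thread is that the key pair should be created by the token itself through C_GenerateKeyPair, never generated on the host and imported. The following is an added example and is not code from this thread, from libp11 or from OpenSC. It drives a PKCS#11 module directly, with a private-key template that is a token object, CKA_SENSITIVE and not CKA_EXTRACTABLE, which is exactly the guarantee an import flow cannot give because the key bytes have already been in host memory. Assumptions: the handful of PKCS#11 types and constants are transcribed inline so the file builds without pkcs11.h (in production include pkcs11.h and obtain the functions from C_GetFunctionList rather than resolving them by name with dlsym, which most but not all modules support); the key id (0x01) and label ("hsm-generated-key") are illustrative; the module path and user PIN come from the command line.

```c
/* Added example (not libp11/OpenSC code): generate an RSA key pair inside a
 * PKCS#11 token with C_GenerateKeyPair.  Types and constants below are copied
 * from the PKCS#11 v2.x header so this builds without pkcs11.h (assumption). */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;

enum { CKR_OK = 0, CKU_USER = 1, CKF_RW_SESSION = 2, CKF_SERIAL_SESSION = 4,
       CKO_PUBLIC_KEY = 2, CKO_PRIVATE_KEY = 3, CKK_RSA = 0, CKM_RSA_PKCS_KEY_PAIR_GEN = 0,
       CKA_CLASS = 0x000, CKA_TOKEN = 0x001, CKA_PRIVATE = 0x002, CKA_LABEL = 0x003,
       CKA_KEY_TYPE = 0x100, CKA_ID = 0x102, CKA_SENSITIVE = 0x103, CKA_ENCRYPT = 0x104,
       CKA_DECRYPT = 0x105, CKA_SIGN = 0x108, CKA_VERIFY = 0x10a,
       CKA_MODULUS_BITS = 0x121, CKA_PUBLIC_EXPONENT = 0x122, CKA_EXTRACTABLE = 0x162 };

#define N_PUB 9
#define N_PRIV 10

/* Templates together with the storage their pValue pointers refer to. */
struct keygen_templates {
    CK_BBOOL yes, no;
    CK_ULONG pub_class, priv_class, key_type, modulus_bits;
    unsigned char exponent[3], id[16];
    char label[32];
    CK_ATTRIBUTE pub[N_PUB], priv[N_PRIV];
};

/* Private half: token object, CKA_SENSITIVE, not CKA_EXTRACTABLE.  The token
 * will never return its bytes, which a generate-then-import flow cannot promise. */
void build_keygen_templates(struct keygen_templates *t, CK_ULONG bits,
                            const unsigned char *id, CK_ULONG id_len, const char *label)
{
    memset(t, 0, sizeof *t);
    t->yes = 1; t->no = 0;
    t->pub_class = CKO_PUBLIC_KEY; t->priv_class = CKO_PRIVATE_KEY;
    t->key_type = CKK_RSA; t->modulus_bits = bits;
    t->exponent[0] = 0x01; t->exponent[2] = 0x01;                 /* e = 65537 */
    if (id_len > sizeof t->id) id_len = sizeof t->id;
    memcpy(t->id, id, id_len);
    strncpy(t->label, label, sizeof t->label - 1);
    CK_ULONG llen = strlen(t->label);
    CK_ATTRIBUTE pub[N_PUB] = {
        { CKA_CLASS, &t->pub_class, sizeof t->pub_class }, { CKA_KEY_TYPE, &t->key_type, sizeof t->key_type },
        { CKA_TOKEN, &t->yes, 1 }, { CKA_ENCRYPT, &t->yes, 1 }, { CKA_VERIFY, &t->yes, 1 },
        { CKA_MODULUS_BITS, &t->modulus_bits, sizeof t->modulus_bits },
        { CKA_PUBLIC_EXPONENT, t->exponent, sizeof t->exponent },
        { CKA_ID, t->id, id_len }, { CKA_LABEL, t->label, llen },
    };
    CK_ATTRIBUTE priv[N_PRIV] = {
        { CKA_CLASS, &t->priv_class, sizeof t->priv_class }, { CKA_KEY_TYPE, &t->key_type, sizeof t->key_type },
        { CKA_TOKEN, &t->yes, 1 }, { CKA_PRIVATE, &t->yes, 1 },
        { CKA_SENSITIVE, &t->yes, 1 }, { CKA_EXTRACTABLE, &t->no, 1 },
        { CKA_DECRYPT, &t->yes, 1 }, { CKA_SIGN, &t->yes, 1 },
        { CKA_ID, t->id, id_len }, { CKA_LABEL, t->label, llen },
    };
    memcpy(t->pub, pub, sizeof pub);
    memcpy(t->priv, priv, sizeof priv);
}

/* CK_BBOOL value of attribute `type` in a template, or -1 if it is absent. */
int template_bool(const CK_ATTRIBUTE *tmpl, CK_ULONG n, CK_ULONG type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (tmpl[i].type == type && tmpl[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)tmpl[i].pValue;
    return -1;
}

typedef CK_RV (*fn_void)(void *);
typedef CK_RV (*fn_slots)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
typedef CK_RV (*fn_open)(CK_SLOT_ID, CK_ULONG, void *, void *, CK_SESSION_HANDLE *);
typedef CK_RV (*fn_login)(CK_SESSION_HANDLE, CK_ULONG, unsigned char *, CK_ULONG);
typedef CK_RV (*fn_sess)(CK_SESSION_HANDLE);
typedef CK_RV (*fn_gen)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_ATTRIBUTE *, CK_ULONG,
                        CK_ATTRIBUTE *, CK_ULONG, CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *);

/* Generate on the first slot that holds a token.  Returns CKR_OK with both handles
 * filled, a CKR_* code from the module, or (CK_RV)-1 if the module could not be
 * loaded or no token was found.  Functions are resolved by name (assumption: the
 * module exports them; the spec only guarantees C_GetFunctionList). */
CK_RV generate_on_token(const char *module, const char *pin, CK_ULONG bits,
                        CK_OBJECT_HANDLE *hpub, CK_OBJECT_HANDLE *hpriv)
{
    CK_RV rv = (CK_RV)-1;
    CK_SLOT_ID slots[16]; CK_ULONG nslots = 16;
    CK_SESSION_HANDLE sess = 0;
    CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
    struct keygen_templates t;
    void *h = dlopen(module, RTLD_NOW);
    if (!h) { fprintf(stderr, "dlopen: %s\n", dlerror()); return rv; }
    fn_void C_Initialize = (fn_void)dlsym(h, "C_Initialize"), C_Finalize = (fn_void)dlsym(h, "C_Finalize");
    fn_slots C_GetSlotList = (fn_slots)dlsym(h, "C_GetSlotList");
    fn_open C_OpenSession = (fn_open)dlsym(h, "C_OpenSession");
    fn_login C_Login = (fn_login)dlsym(h, "C_Login");
    fn_sess C_Logout = (fn_sess)dlsym(h, "C_Logout"), C_CloseSession = (fn_sess)dlsym(h, "C_CloseSession");
    fn_gen C_GenerateKeyPair = (fn_gen)dlsym(h, "C_GenerateKeyPair");
    if (!C_Initialize || !C_Finalize || !C_GetSlotList || !C_OpenSession || !C_Login ||
        !C_Logout || !C_CloseSession || !C_GenerateKeyPair || C_Initialize(NULL) != CKR_OK)
        goto unload;
    if (C_GetSlotList(1, slots, &nslots) != CKR_OK || nslots == 0) goto finalize;
    if ((rv = C_OpenSession(slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &sess)) != CKR_OK)
        goto finalize;
    if ((rv = C_Login(sess, CKU_USER, (unsigned char *)pin, strlen(pin))) != CKR_OK) goto closesess;
    build_keygen_templates(&t, bits, (const unsigned char *)"\x01", 1, "hsm-generated-key");
    rv = C_GenerateKeyPair(sess, &mech, t.pub, N_PUB, t.priv, N_PRIV, hpub, hpriv);  /* key born on token */
    C_Logout(sess);
closesess:
    C_CloseSession(sess);
finalize:
    C_Finalize(NULL);
unload:
    dlclose(h);
    return rv;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <pkcs11-module.so> <user-pin>\n", argv[0]); return 2; }
    CK_OBJECT_HANDLE hpub, hpriv;
    CK_RV rv = generate_on_token(argv[1], argv[2], 2048, &hpub, &hpriv);
    if (rv != CKR_OK) { fprintf(stderr, "key generation failed: 0x%lx\n", rv); return 1; }
    printf("generated on token: public handle %lu, private handle %lu\n", hpub, hpriv);
    return 0;
}
```

Run it against a software token such as SoftHSM2 to see the handles come back; the private key object created this way reports sensitive and never-extractable in any PKCS#11 object listing, whereas an object created with C_CreateObject from host-generated key material cannot honestly claim the latter. Build with `cc -o p11gen p11gen.c` (add `-ldl` on older glibc).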

