From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: keyrings@vger.kernel.org
Subject: Re: [PATCH] support other engines for module signing
Date: Wed, 17 Oct 2018 15:10:17 +0000 [thread overview]
Message-ID: <1539789017.3769.14.camel@HansenPartnership.com> (raw)
In-Reply-To: <alpine.LFD.2.21.1810171142300.20697@hatman>
On Wed, 2018-10-17 at 08:05 -0700, David Woodhouse wrote:
> On Wed, 2018-10-17 at 07:43 -0700, James Bottomley wrote:
> > On Wed, 2018-10-17 at 15:40 +0100, David Howells wrote:
> > > James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
> > >
> > > > > Allow sign-file to use any available OpenSSL engine, not
> > > > > limited
> > > > > to PKCS-11 by using "enginename:keyname" syntax. We have to
> > > > > do a
> > > > > special case for pkcs11 key name passing.
> > > >
> > > > There's actually already a proposal for this which David
> > > > (Howells)
> > > > has
> > > > been ignoring:
> > >
> > > Not so much ignoring as it just keeps getting buried.
> >
> > Understood. What I really need is my patch testing by someone at
> > Red
> > Hat: the pkcs11 token you use looks highly non-standard so someone
> > needs to check that adding generic engine support doesn't break it.
>
> Que?
>
> Which PKCS#11 token are you talking about? Or do you mean the PKCS#11
> engine, which is the normal one from https://github.com/OpenSC/libp11
>
> I think it does support using the UI for callbacks. Your trick of
> passing through to pem_pw_cb should probably work fine, as long as
> there's only ever one password. It should be trivial to test using
> SoftHSM or any other soft token, even if you have no actual hardware-
> based PKCS#11 tokens.
It didn't look like a normal one. In fact it doesn't use UI callbacks
at all: it passes the key password in with an engine command. That's
why I left it specifically cased out in the file. Now if it does
actually work normally, the special casing can be removed.
> > > > https://marc.info/?l=linux-keyrings&m\x151845297302654&w=2
> > > >
> > > > It tries to use the correct UI callbacks, which yours is
> > > > missing.
> > >
> > > If this works for Mark and Dave, then I could take this instead.
>
> AFAICT you're still only ever loading the "pkcs11" engine there. Is
> there another patch I missed?
No, the requirement seemed to be to add the engine to the openssl
config file. There's no reason why an additional command parameter
can't be added, though.
James
next prev parent reply other threads:[~2018-10-17 15:10 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-17 10:43 [PATCH] support other engines for module signing Mark J Cox
2018-10-17 13:26 ` David Woodhouse
2018-10-17 14:34 ` James Bottomley
2018-10-17 14:40 ` David Howells
2018-10-17 14:43 ` James Bottomley
2018-10-17 15:05 ` David Woodhouse
2018-10-17 15:10 ` James Bottomley [this message]
2018-10-17 15:18 ` David Woodhouse
2018-10-17 15:28 ` James Bottomley
2018-10-17 15:48 ` David Woodhouse
2018-10-17 16:03 ` David Woodhouse
2018-10-17 16:41 ` James Bottomley
2018-10-17 17:04 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1539789017.3769.14.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=keyrings@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.