Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0

[Neal Gompa <neal@gompa.dev>]

On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote:
> The ENGINE interface has its limitations and it has been superseded
> by the PROVIDER API, it is deprecated in OpenSSL version 3.0.
> Some distros have started removing it from header files.
> 
> Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >=
> 3.
> 
> Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2,
> openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM
> and PKCS11 and comparing that the result is identical.
> 
> Jan Stancek (3):
>   sign-file,extract-cert: move common SSL helper functions to a header
>   sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
>   sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> 
>  MAINTAINERS          |   1 +
>  certs/Makefile       |   2 +-
>  certs/extract-cert.c | 138 +++++++++++++++++++++++--------------------
>  scripts/sign-file.c  | 134 +++++++++++++++++++++--------------------
>  scripts/ssl-common.h |  32 ++++++++++
>  5 files changed, 178 insertions(+), 129 deletions(-)
>  create mode 100644 scripts/ssl-common.h

The code looks fairly reasonable to me and behaves as expected.

I have been actively using this patch set for several weeks now across 
linux-6.9.y and now linux-6.10.y with good success.

It is in use in production for Fedora Asahi Linux kernels with good success. 
Thanks for the fixes. :)

Reviewed-by: Neal Gompa <neal@gompa.dev>

-- 
真実はいつも一つ！/ Always, there's only one truth!