Use EVP_PKEY for RSA operations with OpenSSL #48256

Closed
wants to merge 6 commits into from

Conversation

bartonjs
Member

In OpenSSL 3.0 most of the interactions with RSA* are deprecated; callers are expected
to use the EVP_PKEY*-based higher-level API.

This change replaces almost all of pal_rsa with EVP_PKEY-based functions, using the newer
model of having functions that describe the operation instead of trying to be as thin a shim
as possible. The other significant/visible change is that the OpenSSL layer interaction to
RSAParameters has changed from specifying BN* values to exchanging key format blobs.

This change also saves the current state of RSAOpenSsl (shared between
Unix (OpenSsl) and Android (Android platform via JNI)) into a new RSAAndroid
class, and splits off Android-specific versions of Interop files that changed in
ways that might impact that platform standup.

Contributes to #46526.

Creates a copy of the current RSAOpenSsl type for Android
@bartonjs bartonjs added this to the 6.0.0 milestone Feb 13, 2021
@bartonjs bartonjs self-assigned this Feb 13, 2021
@ghost

ghost commented Feb 13, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Author: bartonjs
Assignees: bartonjs
Labels: area-System.Security
Milestone: 6.0.0

@jkoritzinsky
Member

cc:@AaronRobinsonMSFT @elinor-fung

Base automatically changed from master to main March 1, 2021 09:07
@bartonjs
Member Author

bartonjs commented Mar 5, 2021

Hm, still passing on my machine and failing in the lab.

I'll probably close this today and start over with smaller pieces to see where things go wrong. Probable order:

  • Move keygen (better OpenSSL 3 FIPS support)
  • Move private key operations (eliminate RsaPaddingProcessor)
  • Change parameter import/export
  • Move public key operations / delete SafeRsaHandle.

@bartonjs bartonjs closed this Mar 8, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Apr 7, 2021
@bartonjs bartonjs removed their assignment Jul 26, 2021
3 participants