New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openssl pkcs12
fails (but returns 0) when oqsprovider is not enabled in config file
#24196
Comments
So I guess there are two different issues going on here:
|
I didn't tried before but I just did, and it doesn't seem to matter the position of |
action: investigate root cause of this issue |
I've managed to go through the steps above, and have re-created the conditions noted. On the last command, with a disabled provider, this is what I observe:
I'm using the head of the openssl master branch here, rather than 3.2.1, so it appears that the exit code issue has been resolved, though I don't immediately see the commit that fixed it. As for the duplicate oids, I'm looking into that, and it appears that the oqs provider is attempting to register OID's twice, unsure as to why. Though it begs teh question as to why an inactive provider is attempting to load here at all (though I suppose its moot if the provider loads but doesn't activate). Its also less relevant as there some documentation that indicates the provider does this on purpose for some older issue. At this point I'm feeling like this might be for the most part a resolved issue |
To add some notes here, I reran the above reproducer on openssl 3.2.1 If I follow all the cert/key creation steps, then run the last command:
with OPENSSL_CONF=~/oqs/openssl-ca-disabled.cnf The output I get is:
Which makes sense, as the provider isn't findable (as I have it in a non-standard location), and teh application exit code is 1, so that all seems to be aligned properly. If I instead add the provider path, or set OPENSSL_MODULES=~/git/oqs-provider/_build/lib Then I get:
The server.p12 file is produced and the exit code is 0, so that also seems aligned as well The remaining issue here are teh errors that appear on the error stack. Those are occuring because the oqs-provider is effectively calling OBJ_create twice for every NID it wants to register in OQS_PROVIDER_ENTRYPOINT_NAME. It calls it once, indirectly by calling c_obj_create for every alg/oid pair it wants to register, and then does so again in this code:
From the referenced discussion, this seems to have been done intentionally to ensure that the requested oids are visible to both the core and the provider. Given that they seem aware of this, I would suggest that the proper fix would be to clear the error stack after calling OBJ_create with a call to ERR_clear_error(). |
Thanks for this thorough analysis, @nhorman ! Will do as you suggest. |
Oops -- just noticed that's already in open-quantum-safe/oqs-provider#404. Thanks @bencemali! |
OpenSSL: 3.2.1
liboqs: 0.10.0
oqs-provider: 0.6.0
When I try to generate a
.p12
file from a PQC private key and a certificate, the command fails returning 0 if the provider is not enabled inopenssl.cnf
and manually enabled using-provider
flag. The error I get is quite confusing:The following can be used to reproduce the issue with my exact same setup (Arch Linux + liboqs as shared library + latest oqs-provider):
See also: open-quantum-safe/oqs-provider#400
The text was updated successfully, but these errors were encountered: