-
Notifications
You must be signed in to change notification settings - Fork 546
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of none botan private keys for signing certificates. #3867
base: master
Are you sure you want to change the base?
Conversation
Thanks for raising this issue. Do I understand correctly that you have encapsulated PKCS#11 access to your HSMs in your own library, but want to sign certificates using Botan's X.509 module with keys in your HSM? If so, then instead of trying to derive from |
Maybe it is easier to understand if you look at the source code (working) for the signing. Below is my implementation of
|
What I see is that your I'd still suggest you derive from |
Here are the 2 methods you were interested in (
I am already implementing the
The purpose of the pull request is to allow use of some parts of the Botan API that is now hidden to the world outside Botan, These classes needs to be public for my
|
Are you building on Windows with Visual Studio/MSVC? I am asking because deriving from |
I'm building on Linux with g++. As I said before everything work just fine with the patches in this pull request. |
My point is that it should work without making
Exposing |
|
This is actually a regression, which we'll handle via #3878. Thanks for pointing this out! |
This is done to make it possible to use none Botan private keys when signing certificates.
a727402
to
6e24ec3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I would not have anticipated this usage but it seems fine to expose both of these classes.
@larssilven one requested change regarding the version numbers. Otherwise lgtm
@@ -13,7 +13,7 @@ | |||
|
|||
namespace Botan { | |||
|
|||
class PSS_Params final : public ASN1_Object { | |||
class BOTAN_PUBLIC_API(2, 0) PSS_Params final : public ASN1_Object { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be 3, 5
since 3.5 would be the first version where this was part of the public API
@@ -23,7 +23,7 @@ namespace Botan::PKCS11 { | |||
* for RSA (encryption/decryption, signature/verification) | |||
* and EC (ECDSA signature/verification, ECDH key derivation). | |||
*/ | |||
class MechanismWrapper final { | |||
class BOTAN_PUBLIC_API(2, 0) MechanismWrapper final { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Likewise should be 3, 5
I got my own library for pkcs#11 with classes for different kind of keys.
When signing certificates I have created my own
PKCS11_RSA_Signature_Operation
that implements yourPK_Ops::Signature
.This works fine but I had to make some of the Botan internal API public. The changes that I made is in this pull request.
The reason that I can not use your p11 private key class is that:
A better alternative than making part of Botan API public could be to define a callback interface with the key signing that I could implement. Then I could call botan directly with my private key class.
I would appreciate any help to solve my issue.
BR Lars