-
Notifications
You must be signed in to change notification settings - Fork 570
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of none botan private keys for signing certificates. #3867
base: master
Are you sure you want to change the base?
Conversation
Thanks for raising this issue. Do I understand correctly that you have encapsulated PKCS#11 access to your HSMs in your own library, but want to sign certificates using Botan's X.509 module with keys in your HSM? If so, then instead of trying to derive from |
Maybe it is easier to understand if you look at the source code (working) for the signing. Below is my implementation of
|
What I see is that your I'd still suggest you derive from |
Here are the 2 methods you were interested in (
I am already implementing the
The purpose of the pull request is to allow use of some parts of the Botan API that is now hidden to the world outside Botan, These classes needs to be public for my
|
Are you building on Windows with Visual Studio/MSVC? I am asking because deriving from |
I'm building on Linux with g++. As I said before everything work just fine with the patches in this pull request. |
My point is that it should work without making
Exposing |
|
This is actually a regression, which we'll handle via #3878. Thanks for pointing this out! |
a727402
to
6e24ec3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I would not have anticipated this usage but it seems fine to expose both of these classes.
@larssilven one requested change regarding the version numbers. Otherwise lgtm
6e24ec3
to
2afeb62
Compare
Any more problem my latest push? |
2afeb62
to
58fb36d
Compare
I got this info now:
But what should I do to have the merging done done automatically? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I should not have done any rebase?
Please have a look again. I think the version change to 3.6 has been done.
There's no automatic merging. This pull request is waiting on @randombit for merging. Thanks for applying the changes requested earlier. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CI is complaining about your formatting. Essentially the order of includes. The failures in Windows don't seem to be related (some package during setup fails to download).
--- /home/runner/work/botan/botan/source/src/lib/prov/pkcs11/p11_ecdh.cpp (original)
+++ /home/runner/work/botan/botan/source/src/lib/prov/pkcs11/p11_ecdh.cpp
@@ -11,9 +11,9 @@
#if defined(BOTAN_HAS_ECDH)
#include <botan/der_enc.h>
+ #include <botan/p11_mechanism.h>
#include <botan/pk_ops.h>
#include <botan/rng.h>
- #include <botan/p11_mechanism.h>
namespace Botan::PKCS11 {
--- /home/runner/work/botan/botan/source/src/lib/prov/pkcs11/p11_ecdsa.cpp (original)
+++ /home/runner/work/botan/botan/source/src/lib/prov/pkcs11/p11_ecdsa.cpp
@@ -10,10 +10,10 @@
#if defined(BOTAN_HAS_ECDSA)
+ #include <botan/p11_mechanism.h>
#include <botan/pk_ops.h>
#include <botan/rng.h>
#include <botan/internal/keypair.h>
- #include <botan/p11_mechanism.h>
namespace Botan::PKCS11 {
--- /home/runner/work/botan/botan/source/src/lib/prov/pkcs11/p11_rsa.cpp (original)
+++ /home/runner/work/botan/botan/source/src/lib/prov/pkcs11/p11_rsa.cpp
@@ -12,10 +12,10 @@
#if defined(BOTAN_HAS_RSA)
+ #include <botan/p11_mechanism.h>
#include <botan/pubkey.h>
#include <botan/rng.h>
#include <botan/internal/blinding.h>
- #include <botan/p11_mechanism.h>
#include <botan/internal/pk_ops_impl.h>
namespace Botan::PKCS11 {
--- /home/runner/work/botan/botan/source/src/lib/pubkey/pubkey.cpp (original)
+++ /home/runner/work/botan/botan/source/src/lib/pubkey/pubkey.cpp
@@ -11,8 +11,8 @@
#include <botan/der_enc.h>
#include <botan/mem_ops.h>
#include <botan/pk_ops.h>
+#include <botan/pss_params.h>
#include <botan/rng.h>
-#include <botan/pss_params.h>
#include <botan/internal/ct_utils.h>
#include <botan/internal/fmt.h>
#include <botan/internal/parsing.h>
--- /home/runner/work/botan/botan/source/src/lib/pubkey/rsa/rsa.cpp (original)
+++ /home/runner/work/botan/botan/source/src/lib/pubkey/rsa/rsa.cpp
@@ -9,8 +9,8 @@
#include <botan/ber_dec.h>
#include <botan/der_enc.h>
+#include <botan/pss_params.h>
#include <botan/reducer.h>
-#include <botan/pss_params.h>
#include <botan/internal/blinding.h>
#include <botan/internal/divide.h>
#include <botan/internal/emsa.h>
--- /home/runner/work/botan/botan/source/src/lib/tls/tls_signature_scheme.cpp (original)
+++ /home/runner/work/botan/botan/source/src/lib/tls/tls_signature_scheme.cpp
@@ -11,9 +11,9 @@
#include <botan/ec_group.h>
#include <botan/hash.h>
#include <botan/hex.h>
+#include <botan/pss_params.h>
#include <botan/tls_exceptn.h>
#include <botan/tls_version.h>
-#include <botan/pss_params.h>
#include <botan/internal/stl_util.h>
namespace Botan::TLS {
d42bf5d
to
df7818c
Compare
@randombit changes are now applied. |
@randombit anything else I have to do to get your approval? |
df7818c
to
5747b7b
Compare
5747b7b
to
b632b18
Compare
9f8569b
to
81b47ff
Compare
After changing 2 TPM2 files the tests are now completed without any failures. I had not noticed before that these faults had anything to do with my changed - it was hard for me to find the lines that failed. Could you please consider to accept this PR now? |
81b47ff
to
46c5861
Compare
That's a good catch actually. I created a separate pull request (#4474) for it. This would otherwise fail when trying to build against TSS 4.1.0 or newer, because the order of initialization has to match the TSS headers. Once the linked pull request is merged, it would be nice if you could rebase once more. Thank you so much for your patience with this patch. |
This is done to make it possible to use none Botan private keys when signing certificates.
46c5861
to
1d9b549
Compare
I got my own library for pkcs#11 with classes for different kind of keys.
When signing certificates I have created my own
PKCS11_RSA_Signature_Operation
that implements yourPK_Ops::Signature
.This works fine but I had to make some of the Botan internal API public. The changes that I made is in this pull request.
The reason that I can not use your p11 private key class is that:
A better alternative than making part of Botan API public could be to define a callback interface with the key signing that I could implement. Then I could call botan directly with my private key class.
I would appreciate any help to solve my issue.
BR Lars