
Support TLS operation with EdDSA keys #465

Merged (3 commits), Nov 13, 2024

Conversation

@Jakuje Jakuje commented Nov 13, 2024

Description

It turned out that the import of EdDSA keys went through the ECDSA code paths, which failed down the road. After fixing that, the TLS tests turned out to go into infinite recursion in softhsm, where the softhsm operation would call back into the pkcs11 provider code, making everything explode. The workaround is to use the propquery on the openssl tools CLI, which looks like it is working OK.

Fixes #461.

Checklist

  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • Code conforms to the coding style that today cannot yet be enforced via the check-style test
  • Commits have short titles and sensible commit messages
  • Coverity Scan has run if needed (code PR) and no new defects were found

@Jakuje Jakuje force-pushed the tls-eddsa branch 2 times, most recently from 1a56cfd to 31d5aca, November 13, 2024 14:44
@Jakuje Jakuje marked this pull request as ready for review November 13, 2024 14:44
simo5 previously approved these changes Nov 13, 2024

@simo5 simo5 left a comment

LGTM

tests/ttls (review threads, resolved)
@simo5 simo5 added the covscan Triggers Coverity Scanner label Nov 13, 2024
@github-actions github-actions bot removed the covscan Triggers Coverity Scanner label Nov 13, 2024
The EdDSA signature verification causes infinite recursion in softhsm
when the OPENSSL_CONF is used to force all operations to the token, because
SoftHSM is using the EVP_PKEY API to implement the EdDSA signature
and verification, which is recursively routed back to the
pkcs11-provider.

The workaround is to set the propquery on the openssl cli, which will
not propagate to the softhsm context.

Signed-off-by: Jakub Jelen <[email protected]>
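As an added illustration of the two setups contrasted in the description and in the commit message above (this is not the project's own tests/ttls script; module paths, the key object label and the certificate file are placeholders), an OpenSSL 3 configuration for the openssl CLI with pkcs11-provider in front of SoftHSM:

```ini
# Added example, not the project's own configuration. Paths are placeholders.
# Loaded by the openssl CLI via OPENSSL_CONF=/path/to/this/file.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
# Deliberately NOT set here: alg_section = algorithm_sect (see below)

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# pkcs11-provider module, and the PKCS#11 token module it drives (SoftHSM2)
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
activate = 1

# The setting that triggers the recursion. A process-wide default property
# query applies to every EVP fetch in the process, including the fetches that
# SoftHSM (loaded into the same process, EdDSA implemented over OpenSSL's
# EVP_PKEY API) makes to sign or verify. Those fetches resolve to
# pkcs11-provider, which calls SoftHSM again, and so on without bound.
#
# [algorithm_sect]
# default_properties = ?provider=pkcs11

# Workaround used by this PR: keep the property query on the CLI invocation.
# -propquery is applied only to the openssl app's own EVP operations and is
# not inherited by SoftHSM's internal fetches (assumed invocation; the key
# URI and certificate file are placeholders):
#
#   openssl s_server -accept 4433 -propquery '?provider=pkcs11' \
#       -key 'pkcs11:object=tls-ed25519;type=private' -cert server-ed25519.pem
```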
@simo5 simo5 added the covscan Triggers Coverity Scanner label Nov 13, 2024
@github-actions github-actions bot removed the covscan Triggers Coverity Scanner label Nov 13, 2024

simo5 commented Nov 13, 2024

Everything looks good, merging, thanks a bunch!

@simo5 simo5 added the covscan-ok Coverity scan passed label Nov 13, 2024
@simo5 simo5 merged commit cff4036 into latchset:main Nov 13, 2024
47 checks passed
Labels
covscan-ok Coverity scan passed
Successfully merging this pull request may close these issues.

The TLS session with EdDSA host does not work
2 participants