What were you trying to do that didn't work?
Use a 3rd party HSM provider for private keys with OpenSSL 3.0.7
Please provide the package NVR for which bug is seen:
openssl-3.0.7-25
How reproducible:
always
Steps to reproduce
- `openssl s_server -cert APemFile -key "pkcs11:type=private;object=APrivateKey"`
- use libsofthsm2.so as HSM and pkcs11-provider as 3rd party provider
Expected results
s_server will load
Actual results
s_server fails to load: the public key from the cert is passed to pkcs11-provider to verify consistency with the private key. The export is compressed but the metadata claims uncompressed, so the 3rd party provider receives a corrupt data stream.
This is fixed in 3.0.8
- Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases. For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to` for legacy EC and SM2 keys is also changed similarly to honor the equivalent conversion format flag as specified in the underlying `EC_KEY` object being exported to a provider, when this function is called through `EVP_PKEY_export()`.
- relates to: RHEL-26271 Rebasing OpenSSL to 3.2.x
- Closed
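
The mismatch described under "Actual results" can be caught on the receiving side by deriving the point format from the SEC1 octet string itself instead of trusting the declared format. The following is an added example, not code from OpenSSL or pkcs11-provider: the function names and the sample buffer are constructed for illustration, and the enum values mirror OpenSSL's `point_conversion_form_t`.

```c
#include <stddef.h>
#include <stdio.h>

/* Values mirror OpenSSL's point_conversion_form_t. */
enum { FORM_COMPRESSED = 2, FORM_UNCOMPRESSED = 4, FORM_HYBRID = 6 };

/* Form actually encoded in a SEC1 public-key octet string for a curve with
 * field_len-byte coordinates, or -1 if the framing is malformed. */
int sec1_actual_form(const unsigned char *buf, size_t len, size_t field_len)
{
    if (buf == NULL || len == 0 || field_len == 0)
        return -1;
    switch (buf[0]) {
    case 0x02: case 0x03:            /* x only, low bit = parity of y */
        return len == 1 + field_len ? FORM_COMPRESSED : -1;
    case 0x04:                       /* x and y in full */
        return len == 1 + 2 * field_len ? FORM_UNCOMPRESSED : -1;
    case 0x06: case 0x07:            /* x and y, plus parity of y */
        if (len != 1 + 2 * field_len)
            return -1;
        return (buf[0] & 1) == (buf[len - 1] & 1) ? FORM_HYBRID : -1;
    default:                         /* includes 0x00 (point at infinity) */
        return -1;
    }
}

/* 1 only when the bytes are well framed and match the declared form. */
int sec1_matches_claim(const unsigned char *buf, size_t len,
                       size_t field_len, int claimed_form)
{
    int actual = sec1_actual_form(buf, len, field_len);
    return actual != -1 && actual == claimed_form;
}

/* Constructed input: 33 bytes framed as a compressed P-256 key (placeholder
 * x bytes, not a real curve point) but declared uncompressed. */
int demo_mismatch(void)
{
    unsigned char pub[33] = { 0x03 };
    for (size_t i = 1; i < sizeof pub; i++)
        pub[i] = (unsigned char)i;
    return sec1_matches_claim(pub, sizeof pub, 32, FORM_UNCOMPRESSED);
}

int main(void)
{
    printf("declared uncompressed, bytes match: %d\n", demo_mismatch());
    return 0;
}
```

The check covers framing only; it does not verify that the coordinates lie on the curve.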