Replace EC_KEY* with EVP_PKEY* #2724

Open
dlansky1 opened this issue Jun 10, 2024 · 7 comments
@dlansky1

Hi,

As part of "Move low-level crypto API away for OpenSSL 3.0" (see #1094) it looks like the EC_KEY* conversion was missed.
Is it possible to convert EC_KEY* to the new API, i.e. EVP_PKEY*?
See also #1111.

Thanks,

@steven-bellock steven-bellock added the enhancement New feature or request label Jun 10, 2024
@steven-bellock
Contributor

For rationale see https://www.openssl.org/docs/man3.0/man7/migration_guide.html and

Use of the low level APIs has been informally discouraged by the OpenSSL development team for a long time. However in OpenSSL 3.0 this is made more formal. All such low level APIs have been deprecated. You may still use them in your applications, but you may start to see deprecation warnings during compilation (dependent on compiler support for this). Deprecated APIs may be removed from future versions of OpenSSL so you are strongly encouraged to update your code to use the high level APIs instead.

@steven-bellock
Contributor

@liyi77 is this something you can pick up again?

@liyi77
Contributor

liyi77 commented Jun 11, 2024

I did make some attempts at this:
[ec] liyi77@0f536df
[rsa] liyi77@bccc4b1
[hmac] liyi77@f432f40

This should be a broader issue instead of just ec: the current crypto implementation uses many APIs deprecated in 3.0, such as in hash, hmac, rsa, ec.
Unfortunately I found some issues, such as:
The new RSA API does not support configuring all RSA params.
The new HMAC API cannot fully replicate the HMAC context.
This is just a draft, so there may be more issues.

The OpenSSL community has confirmed that they don't have a plan to delete these deprecated APIs before OpenSSL 4, so we can continue to use them until EOL (version 3.0 will be supported until 2026-09-07).

@dlansky1
Author

When using the deprecated APIs (for EC at least), some OpenSSL features cannot be used. Specifically, only the default provider can be used.
Please consider this when deciding whether to move away from the deprecated APIs.

@liyi77
Contributor

liyi77 commented Jun 11, 2024

I am curious about what ec features cannot be used, can you give me an example?

For this issue, feel free to assign it to me once it gets confirmed.

@dlansky1
Author

The new API allows using openssl providers, see here:
https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md

@steven-bellock
Contributor

@dlansky1 if you have a need for this feel free to submit a pull request. This is desirable but we are focused on the SPDM 1.3 implementation at the moment.
