
Re-try loading ENGINE keys with a non-NULL UI_METHOD #109706

Merged
merged 2 commits into from
Nov 13, 2024

Conversation

vcsjones
Member

When loading a key from an OpenSSL engine, the ENGINE_load_private_key or ENGINE_load_public_key function is used, depending on the key. These functions accept a parameter called ui_method that an ENGINE can use if loading the key requires user interaction, such as a passphrase.

Currently, we pass NULL to the ui_method parameter since we expect this functionality to be used from non-interactive scenarios.

OpenSSL also passes this parameter as-is to the engine. It does not do a NULL check.

Some engines, like tpm2tss, do not permit a NULL UI_METHOD and immediately error.

This change attempts to accommodate those engines by re-trying the key load with a UI_METHOD that does nothing. This is functionally equivalent to UI_null() from OpenSSL.

We do not try a non-NULL UI first to maintain as much compatibility as possible. .NET has always passed NULL to engines thus far, and an engine can do with that as it wants, like falling back to its own UI, using OpenSSL's default, etc. If we unconditionally pass our UI_METHOD, that might break another engine that was happily doing the right thing with NULL.

Contributes to #109243

Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones merged commit 22b3c90 into dotnet:main Nov 13, 2024
96 checks passed
@vcsjones vcsjones deleted the ossl-engine-ui-nonnull-main branch November 13, 2024 15:50
@vcsjones
Member Author

/backport to release/8.0-staging

Contributor

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/11820846271

@vcsjones
Member Author

/backport to release/9.0-staging

Contributor

Started backporting to release/9.0-staging: https://github.com/dotnet/runtime/actions/runs/11820930729
