ossl: Allow passing propq to the key creation API #317
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
There are remaining commits that are needed for Sequoia to work with these changes: https://gitlab.com/jjelen/sequoia/-/commits/pqc-ossl?ref_type=heads
Tested end-to-end and confirmed this solves the issue https://issues.redhat.com/browse/RHEL-110994
Note that this will need some adjustments if #316 goes first, as it is using some of this API that I am changing.
I think the documentation of the constructor should mention what I guess |
Good point! I will try to add it. From the PR I think it's clear it maps to the parameter of the same name of the underlying functions. There is some writing about what properties in OpenSSL are, but for general use, people should not need to mess with that:
simo5 left a comment
Not a big fan of exposing propq, but I cannot think of any better way right now, hopefully we won't have to break the API in future if we can think of a better abstraction to deal with this.
Description
This change is motivated by the need to be able to use the ML-DSA and ed448 signature algorithms in FIPS mode. Currently, the fips provider in RHEL 10.1 does not have these implemented so it fails during import of the certificate (which consists of verification of binding signatures).
This extends the ossl API to be able to provide the optional propq to the key creation API (as a &Cstr -- if you wish, we could make it some special type, but this looked like the least pain to start with).
Checklist
Reviewer's checklist: