Skip to content

Comments

ossl: Allow passing propq to the key creation API#317

Merged
simo5 merged 2 commits intolatchset:mainfrom
Jakuje:propq
Aug 29, 2025
Merged

ossl: Allow passing propq to the key creation API#317
simo5 merged 2 commits intolatchset:mainfrom
Jakuje:propq

Conversation

@Jakuje
Copy link
Contributor

@Jakuje Jakuje commented Aug 26, 2025

Description

This change is motivated by the need to be able to use the ML-DSA and ed448 signature algorithms in FIPS mode. Currently, the fips provider in RHEL 10.1 does not have these implemented so it fails during import of the certificate (which consists of verification of binding signatures).

This extends the ossl API to be able to provide the optional propq to the key creation API (as a &Cstr -- if you wish, we could make it some special type, but this looked like the least pain to start with.

Checklist

  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Rustdoc string were added or updated
  • CHANGELOG and/or other documentation added or updated
  • This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc string are properly updated

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
@Jakuje
Copy link
Contributor Author

Jakuje commented Aug 26, 2025

There are remaining commits that are needed for Sequoia to work with these changes:

https://gitlab.com/jjelen/sequoia/-/commits/pqc-ossl?ref_type=heads

Tested end-to-end and confirmed this solves the issue https://issues.redhat.com/browse/RHEL-110994

@Jakuje
Copy link
Contributor Author

Jakuje commented Aug 27, 2025

Note, that this will need some adjustments if #316 will go first as it is using some of this API that I am changing.

@teythoon
Copy link
Contributor

I think the documentation of the constructor should mention what propq is, what it means, what it is used for, what possible values are, what one should do if one doesn't know what to pass in.

I guess propq is taken from the OpenSSL lingo, but it is just incomprehensible to me.

@Jakuje
Copy link
Contributor Author

Jakuje commented Aug 28, 2025

I think the documentation of the constructor should mention what propq is, what it means, what it is used for, what possible values are, what one should do if one doesn't know what to pass in.

I guess propq is taken from the OpenSSL lingo, but it is just incomprehensible to me.

Good point! I will try to add it. From the PR I think its clear it maps to the parameter of the same name of the underlying functions. There is some writing about what properties in openssl are, but for general use, people should not need to mess with that:

https://docs.openssl.org/3.5/man7/property/

Copy link
Member

@simo5 simo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a big fan of exposing propq, but I cannot think of any better way right now, hopefully we won't have to break the API in future if we can think of a better abstraction to deal with this.

@simo5 simo5 merged commit f14277c into latchset:main Aug 29, 2025
49 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants