Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0
From: Neal Gompa
Date: Tue Aug 06 2024 - 16:27:15 EST
On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote:
> The ENGINE interface has its limitations and it has been superseded
> by the PROVIDER API, it is deprecated in OpenSSL version 3.0.
> Some distros have started removing it from header files.
>
> Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >=
> 3.
>
> Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2,
> openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM
> and PKCS11 and comparing that the result is identical.
>
> Jan Stancek (3):
> sign-file,extract-cert: move common SSL helper functions to a header
> sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
> sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
>
> MAINTAINERS | 1 +
> certs/Makefile | 2 +-
> certs/extract-cert.c | 138 +++++++++++++++++++++++--------------------
> scripts/sign-file.c | 134 +++++++++++++++++++++--------------------
> scripts/ssl-common.h | 32 ++++++++++
> 5 files changed, 178 insertions(+), 129 deletions(-)
> create mode 100644 scripts/ssl-common.h
The code looks fairly reasonable to me and behaves as expected.
I have been actively using this patch set for several weeks now across
linux-6.9.y and now linux-6.10.y with good success.
It is in use in production for Fedora Asahi Linux kernels with good success.
Thanks for the fixes. :)
Reviewed-by: Neal Gompa <neal@xxxxxxxxx>
--
真実はいつも一つ!/ Always, there's only one truth!