
#21 OpenSSL 1.1 support

Milestone: Unstable_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-01-04
Created: 2017-03-01
Private: No

Hi Christian,

The attached patch introduces openssl 1.1 support in xca.
- It compiles with openssl 1.0 and 1.1.
- It runs as before with openssl 1.0.
- With openssl 1.1, pkcs11 is not operational: there is no easy way to set an EVP_PKEY engine with the new API (and I have no token to test with). pkcs11.cpp should therefore be reworked.
- Finally, it requires a serious review, although I already performed a lot of tests.

The patch also removes gcc7 new warnings.

Please answer here or via a sf message, since my e-mail address has changed.
Please also note that I tried to join you by e-mail, but your SMTP server is down.

Cheers,
Patrick

1 Attachment

Discussion

  • Patrick Monnerat

    This new version of the patch implements pkcs11 signing as follows:
    - openssl < 1.0.0: rsa & dsa without engine
    - openssl 1.0.x: rsa, dsa & ec with engine
    - openssl >= 1.1.0: rsa, dsa & ec without engine

    In the operation, we therefore also gain implementation of dsa signing for openssl < 1.0.0 (ec disabled because EC_KEY_METHOD was not yet invented!).

    I've given up trying to use a PKEY_ENGINE with openssl 1.1: it seems not to be possible anymore.

    I've succeeded in compiling the patched xca with openssl 0.9.8n, 1.0.2j and 1.1.0e.
    I've successfully tested pkcs11 signing using softhsm with openssl 1.0.2j and 1.1.0e.

    Thanks for considering it.

  • Christian Hohnstaedt

    • status: open --> closed
  • Christian Hohnstaedt

    Integrated and amended.

    Can't stress this too much: Thanks Patrick :-)