-
What is the change between libcrypto 3.0.2 and libcrypto 3.0.5 that affects the library that requires minimum 3.0.5?
Replies: 2 comments 1 reply
-
There is a change in the store loader that landed in 3.0.5 that is required to properly select the provider the key came from. Without this change OpenSSL always tries to export keys from the origin provider and re-import them in the default provider. This obviously fails for private keys in pkcs11 tokens. Technically in 3.0.2 this can be worked around by always passing the property "provider=pkcs11" in every function call, but that requires changing applications. Bottom line the best way to handle this is to require 3.0.5+.
-
Thanks,
There is a change in the store loader that landed in 3.0.5 that is required to properly select the provider the key came from.
Without this change OpenSSL always tries to export keys from the origin provider and re-import them in the default provider.
This obviously fails for private keys in pkcs11 tokens.
Technically in 3.0.2 this can be worked around by always passing the property "provider=pkcs11" in every function call, but that requires changing applications.
Or by only configuring the base and pkcs11 provider in openssl.cnf and removing the default provider, but that is not nice as then all functions not implemented in the pkcs11 provider are unavailable.
Bottom line the best way to …
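
The configuration-only workaround mentioned in the reply above, written out as an `openssl.cnf` fragment. This is an added example, not configuration posted in the thread; the section names and the module path are placeholders chosen for illustration.

```ini
# openssl.cnf fragment (added example; section names and paths are placeholders)
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Layout for libcrypto older than 3.0.5: only the base and pkcs11 providers
# are loaded, so there is no default provider for OpenSSL to re-import
# token keys into.
# Cost: every algorithm the pkcs11 provider does not implement is unavailable
# to applications using this configuration.
base = base_sect
pkcs11 = pkcs11_sect

# With libcrypto 3.0.5 or later the default provider can be loaded next to
# the other two. Uncomment the following line in that case.
# default = default_sect

[base_sect]
activate = 1

[default_sect]
activate = 1

[pkcs11_sect]
# Placeholder path to the pkcs11 provider module.
module = /path/to/pkcs11-provider-module.so
# Provider-specific settings (for example which PKCS#11 driver to use)
# belong in this section as well; they depend on the provider in use.
activate = 1
```

`openssl list -providers` shows which providers a given configuration actually activated, and `openssl version` reports the libcrypto version the command-line tool is linked against.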