-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL providers support #104961
OpenSSL providers support #104961
Conversation
Note regarding the
|
1 similar comment
This comment was marked as duplicate.
This comment was marked as duplicate.
src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanOpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPkeyCtxHandle.Unix.cs
Outdated
Show resolved
Hide resolved
...s/System.Security.Cryptography/src/System/Security/Cryptography/SafeEvpPKeyHandle.OpenSsl.cs
Outdated
Show resolved
Hide resolved
...s/System.Security.Cryptography/src/System/Security/Cryptography/SafeEvpPKeyHandle.OpenSsl.cs
Outdated
Show resolved
Hide resolved
...s/System.Security.Cryptography/src/System/Security/Cryptography/SafeEvpPKeyHandle.OpenSsl.cs
Outdated
Show resolved
Hide resolved
...s/System.Security.Cryptography/src/System/Security/Cryptography/SafeEvpPKeyHandle.OpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSAOpenSsl.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs
Outdated
Show resolved
Hide resolved
public override ECParameters ExportParameters(bool includePrivateParameters) | ||
{ | ||
ThrowIfDisposed(); | ||
return ECOpenSsl.ExportParameters(_key.Value, includePrivateParameters); | ||
|
||
using (SafeEcKeyHandle ecKey = Interop.Crypto.EvpPkeyGetEcKey(_key.Value)) | ||
{ | ||
return ECOpenSsl.ExportParameters(ecKey, includePrivateParameters); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really chatty at the P/Invoke boundary. I'd expect us to never talk about EC_KEY*
anymore except for the ECDsaOpenSsl(IntPtr)
ctor (and the same for ECDH), and we just update the shim library to do what we used to do for EC_KEY but with EVP_PKEY.
The way this is written:
- Fetch _key.Value to $key
- $key.DangerousAddRef();
- $eckey = new SafeEcKeyHandle();
- P/invoke, $tmp = CryptoNative_EvpPkeyGetEcKey($key.handle);
- $eckey.handle = $tmp;
- $key.DangerousRelease();
- $eckey.DangerousAddRef();
- // export parameters
- $eckey.DangerousRelease();
- $eckey.Dispose(); => another P/Invoke
If the shim is adjusted, it is instead just
- Fetch _key.Value to $key
- $key.DangerousAddRef();
- // export parameters
- $key.DangerousRelease();
All work we already had to do, but with fewer intermediate finalizable objects, and fewer P/invoke crossings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree this would be ideal but unless I'm missing something that doesn't look particularly straight forward and there don't seem to be much perf benefit from this since it's not in the hot path anywhere. I'd imagine we want to get rid of all old APIs usages because we want to get rid of OpenSSL 1.x support eventually? I'll open the work item for this unless it's easier than it looks. I assume you mean to use these new APIs: https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_get_params.html ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My meta-point is that if we're working in terms of EVP_PKEY, then we want our ExportParameters API to be based on EVP_PKEY rather than EC_KEY.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opened: #105173 to track this work
src/libraries/Common/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPkeyCtxHandle.Unix.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/System/Security/Cryptography/ECDsaOpenSsl.cs
Outdated
Show resolved
Hide resolved
pkeyHandle.Dispose(); | ||
throw; | ||
} | ||
return Interop.Crypto.CreateEvpPkeyFromEcKey(currentKey); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this type still based on EC_KEY instead of moving it to EVP_PKEY?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't realize it was possible because samples I found first get EC_KEY from them EVP_PKEY which we already had working. I'll refrain from this change in this PR but will create a workitem to follow up
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tacked by #105173
...ibraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.Ecdh.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs
Outdated
Show resolved
Hide resolved
(I rebased because it didn't let me merge) |
All failures seem unrelated and match issues pointed by build analysis. |
The performance improvements detected in dotnet/perf-autofiling-issues#38713, dotnet/perf-autofiling-issues#38763, and dotnet/perf-autofiling-issues#38910 were unexpected outcomes of the changes made here. @bartonjs analyzed this correlation and arrived at the following conclusion. This PR included a small change to This change seems acceptable and innocuous, but we will document it as a potential breaking change nonetheless. The performance difference could have been affected by this change, but if so it's probably largely by removing a call to ERR_clear_error() from DuplicateHandle as a consequence of the restructuring above. |
Fixes: #89167
Add support for OpenSSL providers.
Note that some underlying changes had to be done to allow this support. That include
DSA is not supported - it would need similar changes to ECDsa but it's unlikely to be needed by anyone these days.
Usage example: