When a dst_key_t carries a PKCS#11 URI in key->label (as named
does for dnssec-policy zones backed by a key-store "hsm"), key
generation must happen inside the HSM, not in software.
opensslecdsa_generate already branches on key->label and calls
the matching pkcs11 wrapper; the EDDSA generator silently ignored
the label and produced a software key, which named then wrote to
the .private file with both a Label: line and the raw PrivateKey:
bytes -- a corrupt hybrid record that prevented zone signing.
Add the missing wrapper:
- lib/isc/ossl_wrap/ossl3.c gains generate_pkcs11_eddsa_key()
and the public isc_ossl_wrap_generate_pkcs11_ed25519_key() /
isc_ossl_wrap_generate_pkcs11_ed448_key() entry points. They
use EVP_PKEY_CTX_new_from_name(NULL, "ED25519" or "ED448",
"provider=pkcs11") with the pkcs11_uri and pkcs11_key_usage
parameters, mirroring the existing EC wrapper.
- lib/isc/ossl_wrap/ossl1_1.c provides stubs returning
ISC_R_NOTIMPLEMENTED for the new EDDSA wrappers; the
pkcs11-provider stack requires OpenSSL 3. The pre-existing
isc_ossl_wrap_generate_pkcs11_rsa_key() stub used to silently
delegate to software keygen -- that hid the same "HSM label
on a software key" hazard for RSA on OpenSSL 1.1 builds, so
align it with the EDDSA stubs and return ISC_R_NOTIMPLEMENTED
too.
- lib/isc/include/isc/ossl_wrap.h declares the new wrappers.
- lib/dns/openssleddsa_link.c routes openssleddsa_generate()
through the new wrappers when key->label is non-NULL, leaving
the existing EVP_PKEY_keygen() path untouched for software
keys. The Ed448 case is guarded by HAVE_OPENSSL_ED448 to
match the surrounding code.
Assisted-by: Claude:claude-opus-4-7
BN_num_bits() returns 0 when passed NULL and a negative value on
internal error. The OpenSSL wrappers stored the result in a size_t,
so a 0 return falsely satisfied the bit-length check and a negative
return wrapped to a huge value. Capture the int return, reject
non-positive values, then compare against the limit.
Using `EVP_SIGNATURE` explicit algoritms for signatures have been added
in OpenSSL 3.4 and so is skipped for the initial OpenSSL version
specific code splitting.
Using `EVP_SIGNATURE` explicit algoritms for signatures have been added
in OpenSSL 3.4 and so is skipped for the initial OpenSSL version
specific code splitting.
While being the best place at the time, the tlserr2result doesn't belong
inside TLS code since it is generic to OpenSSL and mostly used in the
dst interface. The newly created ossl_wrap interface is the idea place
for flushing the OpenSSL thread error queue.
