Generate PKEYs using EVP_PKEY_Q_keygen #229
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
qmuntal
requested review from
ueno,
karianna,
derekparker,
dagood,
mertakman and
gdams
mertakman
approved these changes
Dec 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OpenSSL supports one-shot PKEY generation using EVP_PKEY_Q_keygen.
Using this function from Go is a bit complicated because it has a variadic parameter, which is not directly supported by cgo (see golang/go#975). I've instead defined the new
DEFINEFUNC_VARIADIC_3_0macro that allows wrapping the same OpenSSL function multiple times with different numbers of arguments.The code is now a bit more complex, but we shaved some cgo calls and also removed some EVP_PKEY_CTX_ctrl calls from this code path. This last bit is important because
EVP_PKEY_CTX_ctrlis not recommended to be directly used in OpenSSL 3 (see quote below from docs), and I'm on a small quest to remove all direct calls to it from our codebase.