[Softhsm-develop] AES wrap_key_with_pad & OpenSSL master branch

Petr Spacek pspacek at redhat.com
Fri Oct 3 15:04:55 UTC 2014

On 21.8.2014 11:23, Jakob Schlyter wrote:
> On 20 aug 2014, at 10:32, Petr Spacek <pspacek at redhat.com> wrote:
>> Unfortunately I have had to re-write the original patch [1] to make it acceptable and the final API is not compatible with API from the original patch. (Now the key wrap mode is part of EVP API.)
>> I would like to send patches for SoftHSM with support for the 'official' OpenSSL API so AES key wrap with padding will be usable on systems even without custom OpenSSL build.
>> Can I remove the unofficial API and replace it with the official one? Or is it necessary to keep support the unofficial API around?
> Since we've not yet released SoftHSM 2.0, I believe we can replace it.

Great, patch https://github.com/opendnssec/SoftHSMv2/pull/91 does exactly that.

The old/proprietary interface was completely replaced with "standard" OpenSSL 
EVP interface (I didn't touch code for Botan).

I didn't change anything on encryption/wrapping method separation but 
technically for now.

In future, it should be possible to implement SymmetricAlgorithm::wrapKey() as 
a wrapper around SymmetricAlgorithm::encryptInit/Update/Final() in similar way 
as it is done with AsymmetricAlgorithm::wrapKey().

I didn't do it because it would require bigger changes to internal 
SymmetricAlgorithm structure so it can be let as possible optimization.

I'm looking forward to code review!

Have a nice day.

Petr Spacek  @  Red Hat

More information about the Softhsm-develop mailing list