Skip to content

introduce CMP_RAT_CTX to hold OSSL_CMP_CTX, impl RATs#122

Open
Akretsch wants to merge 1 commit into
siemens:masterfrom
Akretsch:AK_RAT_CTX_ONLY
Open

introduce CMP_RAT_CTX to hold OSSL_CMP_CTX, impl RATs#122
Akretsch wants to merge 1 commit into
siemens:masterfrom
Akretsch:AK_RAT_CTX_ONLY

Conversation

@Akretsch

Copy link
Copy Markdown
Collaborator

Motivation

see #121 , but with less modifications as proposed by @rajeev-0

@Akretsch Akretsch requested review from DDvO and rajeev-0 May 21, 2026 11:00
@Akretsch Akretsch changed the title introduce CMP_CTX to hold OSSL_CMP_CTX, impl RATs introduce CMP_RAT_CTX to hold OSSL_CMP_CTX, impl RATs May 21, 2026

@DDvO DDvO left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please avoid extending OSSL_CMP_CTX,
as this should not be needed at all -
please keep all RAT-related data local in cmpClient().

There are various memory leaks, at least in error cases.

See also further comments in #121 (review)

@Guiliano99

Copy link
Copy Markdown

@DDvO Hi, would it not be better to think about some sort of RAT-Provider, which allow some easier integration, of atg or some TPM2 logic, so just let the nonce and some optional parameters parsed to it. Which is parsed, base on some provider key=value options.

@DDvO

DDvO commented Jul 8, 2026

Copy link
Copy Markdown
Member

@DDvO Hi, would it not be better to think about some sort of RAT-Provider,

I am not sure if I fully understood what you mean,
but please note that this addition to support remote attestation is not something that can be seen as an OpenSSL crypto provider. The provider API only covers basic crypto(-related) functionality such as signing, encryption and/or random number generation.

@DDvO

DDvO commented Jul 8, 2026

Copy link
Copy Markdown
Member

BTW, @rajeev-0 who takes care of the review comments I gave here and in #121?

In particular, to avoid needless clutter at many unrelated places,
the code should not introduce its own CMP_RAT_CTX - this is simply not needed.

@Guiliano99

Guiliano99 commented Jul 8, 2026

Copy link
Copy Markdown

@DDvO Hi, would it not be better to think about some sort of RAT-Provider,

I am not sure if I fully understood what you mean, but please note that this addition to support remote attestation is not something that can be seen as an OpenSSL crypto provider. The provider API only covers basic crypto(-related) functionality such as signing, encryption and/or random number generation.

I was thinking about some new mechanism, to add different remote attestation logic in a shared interface, and Provider, was just a temporary name. And since you have a lot of experience with OpenSSL, I was curious about your ideas or solutions to add such a new feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants