OpenSSL ENGINE support

[krwq]

Fixes: #55356

Allows using ENGINE with OpenSSL, for example to use TPM ECDSA key using tpm2tss engine:

// 0x81000007 - needs to be created first - see osslplugins/README.md how to get it
using SafeEvpPKeyHandle priKeyHandle = SafeEvpPKeyHandle.OpenPrivateKeyFromEngine("tpm2tss", "0x81000007");
using ECDsa ecdsaPri = new ECDsaOpenSsl(priKeyHandle);
// do stuff with ecdsaPri

Tests are manual and can be enabled with environmental variable. See osslplugins/README.md for more information on how to do it.

Note: Providers are cut from the proposal.

This code is based on @bartonjs's work https://github.com/bartonjs/runtime/blob/open_named_keys/ - it extends tests and make it react to environmental variable, ENGINE implementation is simplified and testing instructions document is added with how to run tests and what's required to set it up.

[dotnet-issue-labeler]

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

[ghost]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Fixes: #55356

Allows using ENGINE with OpenSSL, for example to use TPM ECDSA key using tpm2tss engine:

// 0x81000007 - needs to be created first - see osslplugins/README.md how to get it
using SafeEvpPKeyHandle priKeyHandle = SafeEvpPKeyHandle.OpenPrivateKeyFromEngine("tpm2tss", "0x81000007");
using ECDsa ecdsaPri = new ECDsaOpenSsl(priKeyHandle);
// do stuff with ecdsaPri

Tests are manual and can be enabled with environmental variable. See osslplugins/README.md for more information on how to do it.

Note: Providers are cut from the proposal.

This code is based on @bartonjs's work https://github.com/bartonjs/runtime/blob/open_named_keys/ - it extends tests, ENGINE implementation is simplified and testing instructions document is added with how to run tests and what's required to set it up.

Author:	krwq
Assignees:	-
Labels:	area-System.Security, new-api-needs-documentation
Milestone:	-

[bartonjs]

I sincerely believe that this should be deferred to vNext. Since ENGINEs are deprecated, ENGINE support shouldn't be added without Provider support, and it sounds like you're deferring Providers.

[CIPop]

I have a concern regarding lifetimes of the structural and functional references for the engine.
In my interpretation, these need to be kept alive for the duration of the key handle (e.g. in case SslStream decides to use the private key in a TLS handshake).

[CIPop]

Note: I've never been able to store/load a public key in an engine before. Usually, with both TPM and PKCS#11 (via SoftHSM) the public keys were embedded in the X.509 certificate. That said, this could be allowed by some engines.

[krwq]

Fair point but as @bartonjs has already responded:#55356 (comment) "it's a low enough incremental cost that it doesn't hurt." which I fully agree

[CIPop]

This could help setting up an e2e test:

Running in this container: https://github.com/Azure/azure-iot-sdk-c/blob/main/jenkins/openssl-engine/Dockerfile
Script to prepare the HSM simulator: https://github.com/Azure/azure-iot-sdk-c/blob/main/jenkins/linux_openssl_engine.sh

[krwq]

Thanks, I will leave this out of scope of this PR and investigate this separately (or create issue depends on time).

[CIPop]

My concerns regarding object lifetime were addressed in openssl/openssl#21427

[bartonjs]

While I generally do something like this during development, I don't know that we've checked in "I fail to prove the tests ran" tests before.

[bartonjs]

Since it's referenced in the instructions as how to verify manual test setup is working, I guess it makes sense.

[krwq]

I found it useful when doing manual testing. Green on the first try always makes me a bit nervous for these kinds of tests. With this I can immediately exclude wrong env name or other external factors causing me to have green tests by accident

[bartonjs]

When I was doing development on this, the public key named "first" and the private key named "first" didn't match (not that you necessarily could have seen that since I wrote it to load keys from files that I didn't check in). It looks like you've changed that here so that they're the same.

I thought it was valuable that they were mismatched, to show that the public/private namespace mattered.

Whether they're the same (as-is) or different (because you change it up), add a comment saying what their relationship is.

[krwq]

added a comment. I intentionally called the same to ensure we don't accidentally load the wrong one when same name is used

[krwq]

This is rebase only (trying to get CI to be green since I'm seeing lots of unrelated failures)