[openssl-users] Missing EVP_PKEY method to set engine?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Fri Sep 29 17:16:19 UTC 2017
Apologies in advance for cross-posting – but I’m not sure which of the two mailing lists this belongs to.
A key (say, private key) is loaded from the pkcs11 engine via privkey = ENGINE_load_private_key(engine, <whatever else>); and this operation succeeds.
However the resulting key handle has its engine == NULL. I looked for a method or a macro to explicitly set that value to the pointer to the engine that this key is bound to, but couldn’t find any. I define new methods such as pkcs11_pkey_rsa_decrypt(), and try to make OpenSSL aware of them via:
/* EVP_PKEY_meth_find() returns a const pointer in 1.1+ */
const EVP_PKEY_METHOD *orig_pmeth = EVP_PKEY_meth_find(EVP_PKEY_RSA);
EVP_PKEY_METHOD *pmeth = EVP_PKEY_meth_new(EVP_PKEY_RSA, EVP_PKEY_FLAG_AUTOARGLEN);
/* receive the built-in init/decrypt pointers so the copy keeps the original init */
int (*pdecr_init)(EVP_PKEY_CTX *ctx);
int (*pdecr)(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen);
EVP_PKEY_meth_copy(pmeth, orig_pmeth);
EVP_PKEY_meth_get_decrypt(orig_pmeth, &pdecr_init, &pdecr);
EVP_PKEY_meth_set_decrypt(pmeth, pdecr_init, pkcs11_pkey_rsa_decrypt);
And then there’s a function PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmethods, const int **nids, int nid) that assigns the above pmeth to *pmethods.
Is the above correct/sufficient? Somehow it seems to never invoke pkcs11_pkey_rsa_decrypt() when it should be used.
How can one set the EVP_PKEY->engine field in 1.1+?
In ENGINE_set_pkey_meths(engine, pkey_meths) what should pkey_meths() actually be? Is it documented?
When does libcrypto use ENGINE->pkey_meths methods instead of ENGINE->rsa_meth?
Who/what entity is supposed to invoke ENGINE->pkey_meths to retrieve the RSA methods block?
Is it normal if on a key (EVP_PKEY *) loaded by an engine, engine ptr is NULL? And if not – who/how should set those pointers to the correct value?
--
Regards,
Uri Blumenthal