openssl asym_cipher/signature provider

Matt Caswell matt at openssl.org
Mon Dec 14 16:26:20 UTC 2020



On 14/12/2020 16:04, Thulasi Goriparthi wrote:
> Hello,
> 
> Is it acceptable for an openssl provider to implement an algorithm
> (rsaEncryption) as asym_cipher or signature algorithm without
> implementing corresponding keymgmt or redirecting the same to the
> 'default' provider?
> 
> I ask, as our engine implementation handles key import dynamically at
> the time of offloading a crypto operation, using ex_data of key objects. I
> want to quickly upgrade this to a provider to convince myself that the
> basic upgrade from engine to provider isn't time consuming.

One of the main purposes of the key manager is to import the key into
the provider into a form that it can use internally. The
asym_cipher/signature implementations just use references to keys
created by the key manager.

So unfortunately it is necessary to have a key manager in order for a
provider to have a usable asym_cipher or signature implementation.

Note: it does not have to be a fully featured key manager, e.g. it does
not need to implement key generation. It would be perfectly possible to
have key generation done in some other key manager and then subsequently
import it into the target key manager.

Matt


