Question on porting custom ENGINE to provider (OpenSSL v3.0.10)
Tomas Mraz
tomas at openssl.org
Mon Nov 20 07:39:41 UTC 2023
There must be some things done in your provider and in the application
(or OpenSSL configuration) to make this work seamlessly.
1. The provider must properly fail attempts to export the private key.
I.e., it must never export a public key when it is asked to export a
full keypair.
2. The default property query must deprioritize your provider.
I.e., "?provider!=yourprovider"
3. When your application wants to use the key from your provider it
needs to load it via a store uri.
With the above, everything should work correctly.
Tomas Mraz, OpenSSL
On Fri, 2023-11-17 at 09:14 +0100, Timo Herbrecher wrote:
> Oh I forgot to mention how I load my provider... I'm using
> OSSL_PROVIDER_try_load(ctx, "/usr/lib/libcustom_key_provider.so", 1).
> So
> as far as I understand the default provider should be available in
> general.
>
--
Tomáš Mráz, OpenSSL