<div dir="ltr">FYI:<br><br><div>If you provide a genrsa implementation in your engine that doesn't include the private parameters, even if it's marked with RSA_FLAG_EXT_PKEY, the openssl executable will not handle it correctly.</div><div><br></div><div>That's because genrsa_main assumes that the object that comes back is an RSA private key. So it will attempt to save a PEM-encoded RSA private key even though it doesn't have the private key fields, and openssl won't be able to open the saved file.</div><div><br></div><div>So, if you want to enable use of the openssl executable with genrsa being supported by your engine, you will actually need to modify apps/genrsa.c so that genrsa_main does:</div><div><br></div><div>
<pre>
if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) == RSA_FLAG_EXT_PKEY) {
    if (!PEM_write_bio_RSA_PUBKEY(out, rsa))
        goto end;
} else {
    if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
                                     (pem_password_cb *)password_callback,
                                     &amp;cb_data))
        goto end;
}
</pre>
<div><br></div>instead of:</div><div><br></div><div>
<pre>
if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
                                 (pem_password_cb *)password_callback,
                                 &amp;cb_data))
    goto end;
</pre>
<div><br></div>And then it will save the key you generated in public key PEM format, which will allow openssl to read it.</div><div><br></div><div>One thing to note:</div><div><br></div><div>None of the open source engines I checked (neither the PKCS11 engine, the NCipher engine, nor the CAPI engine) implement the genrsa hook. If you are looking for wide compatibility you may wish to ask your clients to do key generation using an external utility (as that's how almost everyone else does it). </div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 13, 2018 at 5:28 PM, William Roberts <span dir="ltr"><<a href="mailto:bill.c.roberts@gmail.com" target="_blank">bill.c.roberts@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Fri, Apr 13, 2018 at 2:55 PM, Richard Levitte <<a href="mailto:levitte@openssl.org">levitte@openssl.org</a>> wrote:<br>
> In message &lt;CAFftDdqWPXq1+Mo9_6J0EzhZ4uwg5QC=R5fx8N1j=QYchA8+YQ@mail.gmail.com&gt; on Fri, 13 Apr 2018 09:17:28 -0700, William Roberts <<a href="mailto:bill.c.roberts@gmail.com">bill.c.roberts@gmail.com</a>> said:<br>
><br>
> bill.c.roberts> I am currently working on writing an openssl engine<br>
> bill.c.roberts> to interface with a piece of hardware.<br>
> bill.c.roberts><br>
> bill.c.roberts> I am trying to understand how to implement<br>
> bill.c.roberts> rsa key generation, where the private key<br>
> bill.c.roberts> bytes would not be available.<br>
> bill.c.roberts><br>
> bill.c.roberts> I am currently invoking the<br>
> bill.c.roberts> command:<br>
> bill.c.roberts><br>
> bill.c.roberts> openssl genrsa -engine foo<br>
> bill.c.roberts><br>
> bill.c.roberts> Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()<br>
> bill.c.roberts> and I set the flags: RSA_FLAG_EXT_PKEY.<br>
> bill.c.roberts><br>
> bill.c.roberts> However, genrsa app seems to want rsa->e set here:<br>
> bill.c.roberts> <a href="https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291" rel="noreferrer" target="_blank">https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291</a><br>
> bill.c.roberts><br>
> bill.c.roberts> I can't find documentation on how to handle the keygen interface<br>
> bill.c.roberts> for RSA.<br>
> bill.c.roberts><br>
> bill.c.roberts> Can someone point me in the right direction?<br>
><br>
> e and n are public components of any RSA key pair (and RSA structure<br>
> in OpenSSL).  You *must* make them available.  The rest of the numbers<br>
> are private and do not need to be part of the RSA structure that<br>
> OpenSSL handles.<br>
<br>
</div></div>Thanks. I went and read the RSA page on Wikipedia, and sure enough it<br>
has the common meanings of all the single-letter variables<br>
in the RSA struct.<br>
<a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> Cheers,<br>
> Richard<br>
><br>
> --<br>
> Richard Levitte         <a href="mailto:levitte@openssl.org">levitte@openssl.org</a><br>
> OpenSSL Project         <a href="http://www.openssl.org/~levitte/" rel="noreferrer" target="_blank">http://www.openssl.org/~levitte/</a><br>
> --<br>
> openssl-users mailing list<br>
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div></div></div>