<div dir="ltr">Dear Max, <div><br></div><div>You can take a look at <a href="https://github.com/gost-engine/engine">https://github.com/gost-engine/engine</a> as an example of providing new algorithms via engine. </div><div><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 24, 2018 at 10:45 AM Dr. Pala <<a href="mailto:director@openca.org">director@openca.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi all,</p>
<p>I am working on providing a new Public Key method that will
handle Composite Keys (i.e., multiple keys with different algos -
e.g., one RSA and one EC) and Composite Signatures (i.e.,
multiple signatures generated with the corresponding Composite
Keys). In particular, I would like to be able to add a method that
will, in turn, call the methods supported by the different keys
that form the COMPOSITE_PKEY structure.<br>
</p>
<p>I have looked around how to do it and I am a bit confused about
how to proceed as there are some conflicting implementations for
different algorithms.</p>
<p>Here's some high-level questions related to the EVP_PKEY
interface, in particular:</p>
<ul>
<li><b>EVP_PKEY_ASN1_METHOD vs. EVP_PKEY_METHOD </b>- when these
two different types of methods are used? Shall both be
implemented?<br></li></ul></div></blockquote><div>The 1st one is for processing ASN1 structures and the 2nd is for crypto-operations.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><ul><li>
<br>
</li>
<li><b>After providing the implementation for the ameth/pmeth, how
does the integration work with openssl?</b> In particular,
should I add them to the list of the default ameth/pmeth
supported? Here's some more specific questions:<br>
<br>
</li>
<ul>
<li>It seems there is an <b>app_method stack</b> of
EVP_PKEY_ASN1_METHOD - how do I add the method there (in case
I will use a user-level - i.e., not integrated into OpenSSL
code - approach by using the functions in the
crypto/asn1/ameth_lib.c file). Will the EVP_PKEY_asn1_add0()
function call be sufficient?<br>
<br>
</li>
<li>It seems there is an standard_methods stack of
EVP_PKEY_ASN1_METHOD - how do I add the method there if we
need to have a more tight integration with the core of the
library (in case we can not do our proof-of-concept without
touching the openssl's code / requiring a fork)<br></li></ul></ul></div></blockquote><div>See register_ameth/register_pmeth in GOST engine.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><ul><ul><li>
<br>
</li>
</ul>
<li><b>COMPOSITE_PKEY struct and COMPOSITE_PKEY_CTX struct.</b> I
noticed that, for example, both RSA and EC implement some form
of _CTX and _PKEY structures. Are these used only internally or
should they be implemented and integrated with the METHOD(s) ?<br></li></ul></div></blockquote><div>I suspect you need your own representation of key owning RSA and EC keys and manage themselves.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><ul><li>
<br>
</li>
<li><b>Given the above is implemented correctly - will this enable
the use of the method for processing signatures with the new
(pseudo-)algorithm for different structures (e.g., CRLs, X509,
X509_REQ, OCSP_REQ, OCSP_RESP, etc.)</b> ? I see that there is
some sort of different usages that can be implemented in the
CTRL of the ameth (e.g., rsa_pkey_ctrl), however this seems to
be targeted to the following operations:<br>
<blockquote> ASN1_PKEY_CTRL_PKCS7_SIGN<br>
ASN1_PKEY_CTRL_PKCS7_ENCRYPT<br>
ASN1_PKEY_CTRL_CMS_SIGN<br>
ASN1_PKEY_CTRL_CMS_ENVELOPE<br>
ASN1_PKEY_CTRL_CMS_RI_TYPE<br>
ASN1_PKEY_CTRL_DEFAULT_MD_NID</blockquote>
</li>
<li>Last but not least, since the EVP_PKEY has a union that points
to the internal key (i.e., crypto/internal/evp_int.h -
evp_pkey_st) where, besides the rsa, dsa, dh, and ec pointers, a
void * ptr is defined. Shall I use that pointer to reference the
composite_pkey_st (at least for the user-space implementation) ?</li></ul></div></blockquote><div>Yes. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><ul>
</ul>
<p>Thanks for any help for understanding all these details... :D</p>
<p>Cheers,<br>
Max<br>
</p>
<div class="m_-3135837252754596687moz-signature">-- <br>
<div style="color:black;margin-top:10px"> Best Regards,
<div style="margin-top:5px;margin-left:0px"> Massimiliano
Pala, Ph.D.<br>
OpenCA Labs Director<br>
</div>
<img src="cid:part1.4AB991FC.41045963@openca.org" style="vertical-align:0px;margin-top:10px;margin-left:0px" alt="OpenCA Logo"><br>
</div>
</div>
</div>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">SY, Dmitry Belyavsky</div></div>