<div dir="ltr"><div dir="ltr">Dear Tobi, </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Nov 22, 2019 at 12:27 PM <<a href="mailto:Tobias.Wolf@t-systems.com">Tobias.Wolf@t-systems.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="DE">
<div class="gmail-m_-2100855194730027446WordSection1">
<p class="MsoNormal">Hi everbody,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN-US">I`m looking for a working example on how to implements a custom engine based on EVP methods callbacks. First I was implementing my custom engine based on RSA callbacks, but we found out that we cannot use this mechanism,
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">therefore I need to change to EVP, details are written here
</span><a href="https://github.com/openssl/openssl/issues/7968" target="_blank"><span lang="EN-US">https://github.com/openssl/openssl/issues/7968</span></a><span lang="EN-US">.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> RSA_METHOD* rsa_method = RSA_meth_new("OpenSSL Custom RSA method", 0);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> const RSA_METHOD* ossl_rsa_meth = RSA_PKCS1_OpenSSL();<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> rc = RSA_meth_set_priv_enc(rsa_method, gk_openssl_rsa_priv_enc);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> rc = ENGINE_set_RSA(e, rsa_method);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> if (rc != TRUE) {<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> return 0;<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> if (flags & ENGINE_METHOD_RSA) {<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> rc = ENGINE_register_RSA(e);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> if (rc != TRUE) {<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> return 0;<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> }<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Now I try with EVP the following source code but it’s not working:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(43,145,175)">EVP_PKEY_METHOD</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">* engine_pkey_methods = EVP_PKEY_meth_new(</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(111,0,138)">EVP_PKEY_RSA_PSS</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">,
0);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:blue">const</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">
</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(43,145,175)">EVP_PKEY_METHOD</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">* ossl_pkey_methods = EVP_PKEY_meth_find(</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(111,0,138)">EVP_PKEY_RSA_PSS</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">EVP_PKEY_meth_copy(engine_pkey_methods, ossl_pkey_methods);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:blue">// This shall be an equivalent to
</span><span lang="EN-US">= RSA_PKCS1_OpenSSL();<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:blue">const</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">
</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(43,145,175)">EVP_PKEY_METHOD</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">* ossl_pkey_methods = EVP_PKEY_meth_find(</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(111,0,138)">EVP_PKEY_RSA_PSS</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">But how to set the evp method the engine like
</span><span lang="EN-US" style="font-size:10pt;font-family:Consolas;color:black;background:rgb(216,216,216)">RSA(e, rsa_method);</span><span lang="EN-US">?</span><span lang="EN-US" style="font-size:10pt;font-family:Consolas"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">This expects another callback, but I just want to set the method?!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:blue">int</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black"> ENGINE_set_pkey_meths(</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(43,145,175)">ENGINE</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">
*</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:gray">e</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">,
</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:rgb(43,145,175)">ENGINE_PKEY_METHS_PTR</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">
</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:gray">f</span><span lang="EN-US" style="font-size:9.5pt;font-family:Consolas;color:black">);<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> </span></p></div></div></blockquote><div><br></div><div>I strongly suppose that you can't mix EVP_PKEY_METHOD and RSA_METHOD, but you should wrap the RSA_METHOD callbacks in the EVP_PKEY callbacks.</div><div>I suggest you look at the <a href="https://github.com/gost-engine/engine">https://github.com/gost-engine/engine</a> as an example of providing the EVP operations via the engine.</div><div><br></div><div>I also have an example of providing custom RSA_METHOD somewhere but it was designed to work with 1.0 and may be incompatible with the 1.1.* because of using the internal structures.</div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature">SY, Dmitry Belyavsky</div></div>