[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Dr. Stephen Henson steve at openssl.org
Thu Dec 10 21:56:57 UTC 2015


On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:

> On 12/10/15, 12:32 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:
> 
> >The reason for that is because the -engine option sets the ENGINE to use
> >for
> >everything and the PKCS#11 ENGINE doesn't support that public key method.
> 
> I'm afraid I don't understand. What good is a PKCS#11 engine if it doesn't
> support at least "sign" and "decrypt" methods?
> 

It does provide a method but it's not of the type pkeyutl needs. 

There are two separate levels of method in use: one is a higher level using the
EVP_PKEY method and the other a lower level using RSA_METHOD. It is the latter which
the engine (in common with most others) uses.

Currently when you use the -engine argument to pkeyutl it tries to use the
EVP_PKEY method from the engine, which doesn't exist. You want it to use
OpenSSL for the EVP_PKEY method, which then gets redirected at a lower
level using the engine's RSA_METHOD.

> >What we need is a way to load the private key from an ENGINE but not
> >attempt
> >to use that for the actual operations.
> 
> Could you please clarify what you mean by "load the private key"?
> 

I mean request an EVP_PKEY structure for the key from the engine: this does
not necessarily load physical key components. Typically it will store the
handle of the key in the structure and include a method which redirects
operations through the engine.

> >Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
> >in pkeyutl.c
> 
> With your proposed (temporary) fix, the signature both generated and
> verified successfully (see below). Could I ask to push this fix to the
> master, and maybe/hopefully to 1_0_2 branch?
> 

As I indicated, the fix I suggested is temporary. Sometimes a user will want
that behaviour, so we'd need a new command line option indicating the private
key engine only.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org