[openssl-dev] access-EC_KEY-method-property

Roumen Petrov openssl at roumenpetrov.info
Thu Dec 24 10:28:46 UTC 2015 

Salz, Rich wrote:
> [SNIP]
>> I would like to request external applications to be able to change method -
>> see attached patch "0009-access-EC_KEY-method-property.patch".
> Can you say how this would be used?  Since the key method is opaque...
Yes but a number of functions (see below) allow  implementation as 
external to openssl cryptographic module:
$  grep EC_KEY_ME util/libeay.num
EC_KEY_METHOD_set_compute_key           5060    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_verify                5064    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_init                  5065    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_init                  5071    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_keygen                5072    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_free                      5073    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_new                       5074    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_sign                  5076    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_keygen                5078    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_verify                5079    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_sign                  5081    1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_compute_key           5082    1_1_0 EXIST::FUNCTION:EC

I have working prototype that use... _new, ..._init, ..._sing and 
..._verify.


A cryptographic module  (engine) could be registered a method as 
default. In general engine that use externally stored keys should refuse 
to be register methods as default.

Lets engine load method use d2i_PUBKEY to decode "external" der encoded 
public key.
Result is EVP_KEY with KEY(public) with default method.

1) If default method match engine method then application could 
register(associate) extra data with key and to finish loading.

2) If methods differ then application:
a)
   could create new key with FOO_new_method(ENGINE)
   to duplicate public part to "new key"
   to associate "new key" to EVP_KEY with EVP_PKEY_set1_FOO
b)
   could change key method
   must associate engine with key

After above may register(associate) extra data with key and finally to 
finish loading.


Proposed patch adds EC_KEY_get_method that could be used in 1). It seems 
to me this is required part.

Under question is EC_KEY_set_method.
If a) recommended then EC_KEY_set_method is useless. I could drop from 
patch.
If b) is acceptable then in addition to EC_KEY_set_method API must 
support set engine method for opaque keys.


a) requires more memory, i.e. code to transfer(recreate) public key with 
engine
b) it is simple. For instance for rsa keys we could write:
....
             RSA_set_method(pkey_rsa, meth);
             pkey_rsa->engine = eng;
             ENGINE_up_ref(eng);
....


Let me know how to proceed with this request.

Roumen Petrov

More information about the openssl-dev mailing list