[openssl-dev] access-EC_KEY-method-property
Roumen Petrov
openssl at roumenpetrov.info
Thu Dec 24 10:28:46 UTC 2015
Salz, Rich wrote:
> [SNIP]
>> I would like to request external applications to be able to change method -
>> see attached patch "0009-access-EC_KEY-method-property.patch".
> Can you say how this would be used? Since the key method is opaque...
Yes but a number of functions (see below) allow implementation as
external to openssl cryptographic module:
$ grep EC_KEY_ME util/libeay.num
EC_KEY_METHOD_set_compute_key 5060 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_verify 5064 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_init 5065 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_init 5071 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_keygen 5072 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_free 5073 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_new 5074 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_sign 5076 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_set_keygen 5078 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_verify 5079 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_sign 5081 1_1_0 EXIST::FUNCTION:EC
EC_KEY_METHOD_get_compute_key 5082 1_1_0 EXIST::FUNCTION:EC
I have working prototype that use... _new, ..._init, ..._sing and
..._verify.
A cryptographic module (engine) could be registered a method as
default. In general engine that use externally stored keys should refuse
to be register methods as default.
Lets engine load method use d2i_PUBKEY to decode "external" der encoded
public key.
Result is EVP_KEY with KEY(public) with default method.
1) If default method match engine method then application could
register(associate) extra data with key and to finish loading.
2) If methods differ then application:
a)
could create new key with FOO_new_method(ENGINE)
to duplicate public part to "new key"
to associate "new key" to EVP_KEY with EVP_PKEY_set1_FOO
b)
could change key method
must associate engine with key
After above may register(associate) extra data with key and finally to
finish loading.
Proposed patch adds EC_KEY_get_method that could be used in 1). It seems
to me this is required part.
Under question is EC_KEY_set_method.
If a) recommended then EC_KEY_set_method is useless. I could drop from
patch.
If b) is acceptable then in addition to EC_KEY_set_method API must
support set engine method for opaque keys.
a) requires more memory, i.e. code to transfer(recreate) public key with
engine
b) it is simple. For instance for rsa keys we could write:
....
RSA_set_method(pkey_rsa, meth);
pkey_rsa->engine = eng;
ENGINE_up_ref(eng);
....
Let me know how to proceed with this request.
Roumen Petrov
More information about the openssl-dev
mailing list