[openssl-dev] [RFC v2 2/2] pem: load engine keys

Richard Levitte levitte at openssl.org
Tue Dec 6 22:26:05 UTC 2016


In message <58472E4F.3010204 at roumenpetrov.info> on Tue, 06 Dec 2016 23:31:59 +0200, Roumen Petrov <openssl at roumenpetrov.info> said:

openssl> Hi Richard,
openssl> 
openssl> Richard Levitte wrote:
openssl> > [SNIP]
openssl> > James.Bottomley> 1. We agreed that usability is greatly enhanced if openssl simply loads
openssl> > James.Bottomley> a key when presented with the file/uri etc. without the user having
openssl> > James.Bottomley>       to specify what the format of a key is
openssl> >
openssl> > Check.  My STORE branch is made to support that.
openssl> One URI could represent more than one item.
openssl> STORE_INFO_types is an enumeration, but a URI could be associated to custom
openssl> data (handle) and this data could be used to get other data (handles).
openssl> 
openssl> See capi engine CAPI_KEY *capi_find_key(CAPI_CTX * ctx, const char
openssl> *id)
openssl> ..
openssl>         hstore = capi_open_store(ctx, NULL);
openssl>         if (!hstore)
openssl>             return NULL;
openssl>         cert = capi_find_cert(ctx, id, hstore);
openssl>         if (cert) {
openssl>             key = capi_get_cert_key(ctx, cert);
openssl>             CertFreeCertificateContext(cert);
openssl>         }
openssl>         CertCloseStore(hstore, 0);
openssl> ..
openssl> In the above case PKEY is loaded only if CERT is located (found).

I'm trying to understand but am failing.  Looking at your example,
it's quite clear that what you want to retrieve is a key, even though
you have to go through the corresponding certificate to get to it.

However, *nothing* stops anyone from making a loader for the "capi"
scheme (if there is such a thing) that has a load method that will
return the certificate (STORE_INFO_CERT) on the first call and the
associated key (STORE_INFO_PKEY) on the second for the same URI.  It's
all about caching information, and there is a context variable (type
STORE_LOADER_CTX, which is just a template type for loader defined
'struct store_loader_ctx_st') to be used exactly for that kind of
purpose.

In your example above, I fail to see where the custom data would be
needed...  And frankly, STORE is first of all meant to handle types
that can be used with the rest of OpenSSL.  That being said, adding a
"whatever" STORE_INFO type isn't very hard either.  I'm just not
terribly convinced yet, but let's keep talking, I'll probably
understand sooner or later what you're actually after.

Cheers,
Richard ( oh, and if example code is needed, I can provide )

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
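As an added example (not Richard's STORE branch and not OpenSSL code), the following C sketch models the loader behaviour described in the reply: open() goes through the certificate to find the key once and caches both in a loader context, and load() then returns the certificate on the first call and the associated key on the second for the same URI, or only the certificate when no key exists, mirroring the "PKEY only if CERT is found" observation. All type and function names (store_info_type, loader_ctx, capi_loader_*) and the in-memory store table are hypothetical stand-ins for STORE_INFO_CERT/STORE_INFO_PKEY, STORE_LOADER_CTX and the Windows certificate store.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical STORE_INFO types; stand-ins for STORE_INFO_CERT/PKEY. */
typedef enum { INFO_NONE = 0, INFO_CERT, INFO_PKEY } store_info_type;

typedef struct {
    store_info_type type;
    char label[64];      /* stand-in for the X509 / EVP_PKEY object */
} store_info;

/* Constructed stand-in for the CAPI store: key id -> certificate -> key. */
typedef struct {
    const char *id;
    const char *cert;
    const char *key;     /* NULL when the certificate has no private key */
} fake_store_entry;

static const fake_store_entry fake_store[] = {
    { "mykey",    "CN=example cert",     "RSA private key for mykey" },
    { "certonly", "CN=cert without key", NULL },
};

/* Loader context (the role STORE_LOADER_CTX plays): open() caches the
 * located items here, load() hands them out one per call, cert first. */
typedef struct {
    store_info items[2];
    int count;
    int pos;
} loader_ctx;

static const fake_store_entry *fake_find_cert(const char *id)
{
    size_t i;
    for (i = 0; i < sizeof fake_store / sizeof fake_store[0]; i++)
        if (strcmp(fake_store[i].id, id) == 0)
            return &fake_store[i];
    return NULL;
}

static void push_item(loader_ctx *ctx, store_info_type type, const char *label)
{
    store_info *it = &ctx->items[ctx->count++];
    it->type = type;
    snprintf(it->label, sizeof it->label, "%s", label);
}

/* open(): accept only "capi:<id>", find the cert, cache cert and key. */
loader_ctx *capi_loader_open(const char *uri)
{
    static const char scheme[] = "capi:";
    const fake_store_entry *e;
    loader_ctx *ctx;

    if (strncmp(uri, scheme, sizeof scheme - 1) != 0)
        return NULL;                    /* not our scheme */
    e = fake_find_cert(uri + sizeof scheme - 1);
    if (e == NULL)
        return NULL;                    /* no cert, so no key either */
    ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL)
        return NULL;
    push_item(ctx, INFO_CERT, e->cert);
    if (e->key != NULL)
        push_item(ctx, INFO_PKEY, e->key);
    return ctx;
}

/* load(): return the next cached item; 1 on success, 0 at end of store. */
int capi_loader_load(loader_ctx *ctx, store_info *out)
{
    if (ctx->pos >= ctx->count)
        return 0;
    *out = ctx->items[ctx->pos++];
    return 1;
}

void capi_loader_close(loader_ctx *ctx)
{
    free(ctx);
}

/* Usage: count the items one URI yields, or -1 if it cannot be opened. */
int capi_count_items(const char *uri)
{
    loader_ctx *ctx = capi_loader_open(uri);
    store_info info;
    int n = 0;

    if (ctx == NULL)
        return -1;
    while (capi_loader_load(ctx, &info)) {
        printf("%s: %s\n", info.type == INFO_CERT ? "CERT" : "PKEY", info.label);
        n++;
    }
    capi_loader_close(ctx);
    return n;
}
```

The point of the sketch is where the state lives: nothing about the URI itself has to encode "this is a key", because the per-open context remembers what was found and the sequence of load() results expresses the relationship between the certificate and its key.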

