[openssl-dev] [openssl.org #4246] OpenSSL-1.1-pre2 openssl req fails to use engine

Blumenthal, Uri - 0553 - MITLL via RT rt at openssl.org
Fri Jan 15 23:24:16 UTC 2016


Doug, could you please take a look at PR #548 (or is it #549)? It also addresses this KEY_FORM issue.

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: deengert at gmail.com via RT
Sent: Friday, January 15, 2016 17:10
Reply To: rt at openssl.org
Cc: openssl-dev at openssl.org
Subject: [openssl-dev] [openssl.org #4246] OpenSSL-1.1-pre2 openssl req fails to use engine

req.c (and many of the other apps) appear to have lost the ability to use an engine.
The attached diff is against the github.com version using Tag OpenSSL_1_1-pre2.
In the req_options[] table:
OPT_KEY is set to "S" so pre-checking of the parameters does not drop the string passed to the engine.
OPT_KEY_FORM is set to "f" so pre-checking will allow engine.

The engine is saved:
e = setup_engine(opt_arg(), 1);

(I turned on debug, may want that off.)

To allow the OPT_KEY_FORM to be an engine:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER|OPT_FMT_ENGINE, &keyform))

This was tested with a modified version of OpenSC using ECDSA key on card to generate a self signed certificate.

openssl req -config /tmp/genreq.6156.openssl.conf -engine pkcs11 -keyform e -sha256 -new -key slot_1-id_2 -out /tmp/selfsigned.pem -x509 -text


P.S. The EC_KEY_* functions appear to be working too (#4225). Have not tried the ECDH yet.

-- Douglas E. Engert <DEEngert at gmail.com>
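
The following is an added example, not part of the original message and not OpenSSL's code: a small model of the allowed-format mask check that the opt_format() call above relies on, showing why `-keyform e` is rejected when the mask lacks the engine bit. All names (FMT_*, ALLOW_*, parse_keyform, key_source) are hypothetical stand-ins, and the assumption that the earlier mask was PEM/DER only is inferred from the fix described.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins modelled on the names in the message; not OpenSSL's definitions. */
enum { FMT_UNDEF = 0, FMT_PEM, FMT_DER, FMT_ENGINE };
#define ALLOW_PEM    (1u << 0)
#define ALLOW_DER    (1u << 1)
#define ALLOW_ENGINE (1u << 2)
#define ALLOW_PEMDER (ALLOW_PEM | ALLOW_DER)

/* Returns 1 and stores the format if `s` names a format permitted by `allowed`, else 0. */
static int parse_keyform(const char *s, unsigned allowed, int *out)
{
    static const struct { const char *name; unsigned bit; int fmt; } table[] = {
        { "pem",    ALLOW_PEM,    FMT_PEM },
        { "der",    ALLOW_DER,    FMT_DER },
        { "e",      ALLOW_ENGINE, FMT_ENGINE },
        { "engine", ALLOW_ENGINE, FMT_ENGINE },
    };
    *out = FMT_UNDEF;
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcasecmp(s, table[i].name) != 0)
            continue;
        if ((allowed & table[i].bit) == 0)
            return 0;              /* known format, but not permitted for this option */
        *out = table[i].fmt;
        return 1;
    }
    return 0;                      /* unknown format name */
}

/* With an engine format the -key argument is an identifier handed to the engine, not a file path. */
static const char *key_source(int fmt)
{
    return fmt == FMT_ENGINE ? "engine" : fmt == FMT_UNDEF ? "none" : "file";
}

int main(void)
{
    const char *keyform = "e";     /* constructed sample: the value from the command line above */
    int fmt;
    int ok = parse_keyform(keyform, ALLOW_PEMDER, &fmt);
    printf("PEM/DER only:     accepted=%d key source=%s\n", ok, key_source(fmt));
    ok = parse_keyform(keyform, ALLOW_PEMDER | ALLOW_ENGINE, &fmt);
    printf("PEM/DER + engine: accepted=%d key source=%s\n", ok, key_source(fmt));
    return 0;
}
```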



