[openssl-dev] confusion with rsa_meth_st in a custom RSA engine

Dr. Stephen Henson steve at openssl.org
Tue Aug 29 00:18:08 UTC 2017


On Mon, Aug 28, 2017, Brett R. Nicholas wrote:

> One more follow-up question:
>
> > If possible you should set the public key components anyway: some operations
> > such as generating certificate requests require them to be present
>
> I'm confused about what you mean here, since my engine doesn't "own" any instances of an RSA struct, it just has a static instance of RSA_METHOD struct defined. So therefore my engine never "sets" public or private key components. It just uses the modexp functions to write the public/private data (contained in the RSA struct passed as an argument from the higher level encrypt/decrypt functions) out to the hardware accelerator, and then returns the result. So I could never "set the public key components anyway", as they would be set by whichever program calls RSA_public/private_encrypt/decrypt().
>
> Is my implementing it in this way different than how you thought I was implementing it? It made sense to me to do it this way, however please let me know if you think I'm going about it wrong, or if there are issues with this particular strategy. I want to make sure I'm using the engine API in the most intuitive and efficient way!

Ah, if you're performing crypto acceleration of already existing keys then
that's fine.

In some cases an ENGINE can load a private key (typically from an HSM) and
return the EVP_PKEY structure: in that case it would initialise the RSA
structure for RSA keys. It's that case where (n, e) should be initialised
if possible.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

