[openssl-dev] RSA_METHOD_FLAG_NO_CHECK and RSA_FLAG_EXT_PKEY?

Short, Todd tshort at akamai.com
Tue Jan 17 22:38:19 UTC 2017


Hi,

The RSA_METHOD_FLAG_NO_CHECK and RSA_FLAG_EXT_PKEY seem to have similar meanings. These are the definitions in header files:

# define RSA_METHOD_FLAG_NO_CHECK        0x0001/* don't check pub/private
                                                * match */

/*
 * This flag means the private key operations will be handled by rsa_mod_exp
 * and that they do not depend on the private key components being present:
 * for example a key stored in external hardware. Without this flag
 * bn_mod_exp gets called when private key components are absent.
 */
# define RSA_FLAG_EXT_PKEY               0x0020

In both cases, it implies that the private key may not be present, and the code should not be checked against the public key.

The RSA_METHOD_FLAG_NO_CHECK is checked when setting certificates and private keys. The RSA_FLAG_EXT_PKEY is checked when doing RSA private key operations and determines whether rsa_mod_exp() or bn_mod_exp() is called.

So, my question is, should RSA_FLAG_EXT_PKEY (implying the external storage of the private key) also be used when setting certificates/private keys? Does it matter?

I’m really looking to start a discussion as to whether these flags have identical or very-close-to-each-other meanings.

Also, should there be an ECC_FLAG_EXT_PKEY?

This is all in reference to https://github.com/openssl/openssl/pull/2243

Thanks,

--
-Todd Short
// tshort at akamai.com
// "One if by land, two if by sea, three if by the Internet."
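
Added example (not part of the original message or of OpenSSL itself): a self-contained C model of the two code paths the question contrasts. It mirrors the dispatch in rsa_ossl.c (rsa_mod_exp when RSA_FLAG_EXT_PKEY is set or a full CRT key is present, otherwise bn_mod_exp with rsa->d) and the ssl_set_pkey() check that skips X509_check_private_key only when the method carries RSA_METHOD_FLAG_NO_CHECK. Assumptions: the struct layouts, the 64-bit toy arithmetic, the has_crt boolean, the constructed key (n=3233, e=17, d=2753) and HW_PRIVATE_EXPONENT are all invented here to keep it runnable without libcrypto; only the flag names and values come from the headers quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values as in the OpenSSL headers quoted in the message. */
#define RSA_METHOD_FLAG_NO_CHECK 0x0001   /* lives on the RSA_METHOD (RSA_flags()) */
#define RSA_FLAG_EXT_PKEY        0x0020   /* lives on the RSA object (RSA_set_flags()) */

typedef struct rsa_st RSA;

typedef struct {
    const char *name;
    /* rsa_mod_exp: the whole private-key operation; may ignore rsa->d */
    int (*rsa_mod_exp)(uint64_t *r, uint64_t in, const RSA *rsa);
    /* bn_mod_exp: plain r = a^p mod m, needs the exponent handed to it */
    int (*bn_mod_exp)(uint64_t *r, uint64_t a, uint64_t p, uint64_t m);
    int flags;                       /* RSA_METHOD_FLAG_* */
} RSA_METHOD;

struct rsa_st {
    uint64_t n, e;                   /* public components (0 = not populated) */
    uint64_t d;                      /* 0 = private exponent absent */
    int has_crt;                     /* constructed stand-in for p,q,dmp1,dmq1,iqmp all present */
    int flags;                       /* RSA_FLAG_* (per key, not per method) */
    const RSA_METHOD *meth;
};

/* Toy square-and-multiply; inputs are assumed to fit in 32 bits so the
 * products below do not overflow uint64_t. */
static int mod_exp(uint64_t *r, uint64_t a, uint64_t p, uint64_t m)
{
    uint64_t result = 1;
    if (m == 0) return 0;
    for (a %= m; p; p >>= 1) {
        if (p & 1) result = (result * a) % m;
        a = (a * a) % m;
    }
    *r = result;
    return 1;
}

/* Software method: everything it needs is inside the RSA object. */
static int sw_rsa_mod_exp(uint64_t *r, uint64_t in, const RSA *rsa)
{
    return rsa->d ? mod_exp(r, in, rsa->d, rsa->n) : 0;
}

/* "Hardware" method: the private exponent never enters the RSA object.
 * Constructed secret for the toy key used below. */
static const uint64_t HW_PRIVATE_EXPONENT = 2753;

static int hw_rsa_mod_exp(uint64_t *r, uint64_t in, const RSA *rsa)
{
    return mod_exp(r, in, HW_PRIVATE_EXPONENT, rsa->n);
}

const RSA_METHOD software_method = { "software", sw_rsa_mod_exp, mod_exp, 0 };
const RSA_METHOD hardware_method = { "hardware", hw_rsa_mod_exp, mod_exp,
                                     RSA_METHOD_FLAG_NO_CHECK };

/* Dispatch as in rsa_ossl_private_decrypt(): RSA_FLAG_EXT_PKEY (or a full
 * CRT key) routes to meth->rsa_mod_exp; otherwise meth->bn_mod_exp is
 * called with rsa->d, which cannot succeed when d is absent. */
int rsa_private_op(uint64_t *out, uint64_t in, const RSA *rsa)
{
    if ((rsa->flags & RSA_FLAG_EXT_PKEY) || rsa->has_crt)
        return rsa->meth->rsa_mod_exp(out, in, rsa);
    if (rsa->d == 0)
        return 0;                    /* the failure mode the flag exists to avoid */
    return rsa->meth->bn_mod_exp(out, in, rsa->d, rsa->n);
}

/* Mirrors ssl_set_pkey(): X509_check_private_key() compares the public
 * components of the certificate and the key, unless the *method* flag
 * RSA_METHOD_FLAG_NO_CHECK says the key object may not carry them. */
int check_private_key(const RSA *cert_pub, const RSA *key)
{
    if (key->meth->flags & RSA_METHOD_FLAG_NO_CHECK)
        return 1;
    return cert_pub->n == key->n && cert_pub->e == key->e;
}

int main(void)
{
    /* Constructed toy key: n = 61*53 = 3233, e = 17, d = 2753; 65^17 mod n = 2790. */
    RSA cert_pub = { 3233, 17, 0, 0, 0, &software_method };
    RSA hw_key   = { 0, 0, 0, 0, RSA_FLAG_EXT_PKEY, &hardware_method };  /* nothing populated */
    RSA sw_nokey = { 3233, 17, 0, 0, 0, &software_method };              /* d missing, no flag */
    uint64_t out = 0;

    hw_key.n = cert_pub.n;  /* the modulus is still needed for the toy reduction */
    printf("hw  private op: ok=%d out=%llu\n", rsa_private_op(&out, 2790, &hw_key),
           (unsigned long long)out);
    printf("sw  private op without d: ok=%d\n", rsa_private_op(&out, 2790, &sw_nokey));
    printf("hw  cert/key check skipped: %d\n", check_private_key(&cert_pub, &hw_key));
    return 0;
}
```

The two flags answer different questions: RSA_FLAG_EXT_PKEY is read off the key object at operation time and decides which method hook performs the exponentiation, while RSA_METHOD_FLAG_NO_CHECK is read off the method at key-setting time and decides whether the certificate/key consistency check runs at all. A key that sets only the first will still fail ssl_set_pkey() if its public components are not populated; one that sets only the second will reach bn_mod_exp with a NULL exponent.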
