Integration of new algorithms

Kris Kwiatkowski kris at amongbytes.com
Wed Sep 30 15:11:06 UTC 2020


Hello,

In regards to OBJ_new_nid - yes, that's more or less what I already
do. I actually use OBJ_sn2nid(), which indeed calls OBJ_new_nid().

But the problem that I have is different. In keygen (callback set by
EVP_PKEY_meth_set_keygen), there is no way to access the NID. It seems
to be stored in the EVP_PKEY_CTX->pmeth->pkey_id, but there is
no way to read it (or at least I couldn't find any).
But, anyway - I have a sub-optimal solution, which uses
EVP_PKEY_meth_set_ctrl() to set a scheme-specific callback. Not
perfectly clean, but works perfectly well.

In regards to 3.0 - I started to work on a provider for PQ
schemes some time ago. Not finished yet, but indeed, it looks
easier/better. Nevertheless, an ENGINE for 1.1.1 is actually
something that is needed now for practical reasons (like integration
with existing software).

Kind regards,
Kris

On 9/30/20 8:05 AM, Dr Paul Dale wrote:
> Instead of using an engine, you should write a provider (assuming you’re
> using the soon to be released OpenSSL 3.0).  It doesn’t need a NID.
>
> If you are using OpenSSL 1.1.1, try the OBJ_new_nid() function.
>
>
> Pauli
> -- 
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
> Phone +61 7 3031 7217
> Oracle Australia
>
>
>
>
>> On 26 Aug 2020, at 6:48 pm, Kris Kwiatkowski <kris at amongbytes.com
>> <mailto:kris at amongbytes.com>> wrote:
>>
>>
>> Hey,
>>
>> I'm working on the development of an OpenSSL ENGINE that integrates
>> post-quantum algorithms (new NIDs). During integration I
>> need to modify OpenSSL code to add a custom function, but would
>> prefer not to need to add anything to OpenSSL code (so the engine
>> can be dynamically loaded by any modern OpenSSL).
>>
>> So, in three cases, namely when the code is in callbacks for keygen,
>> encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt
>> and EVP_PKEY_keygen), I need to get the NID of the scheme. The problem
>> is that those functions are called with an EVP_PKEY_CTX object
>> provided as an argument. The NID is stored in
>> EVP_PKEY_CTX->pmeth->pkey_id. I think (AFAIK) there is no API
>> which would return that value.
>>
>> I've added a simple function that returns pkey_id from the ctx, but
>> that means that I need to change OpenSSL code. Is there any way
>> to get NID without changing OpenSSL?
>>
>> Kind regards,
>> Kris
>>
>>
>