Integration of new algorithms

Kris Kwiatkowski kris at
Wed Sep 30 15:11:06 UTC 2020


In regards to OBJ_new_nid - yes, that's more or less what I already
do. I actually use OBJ_sn2nid(), which indeed calls OBJ_new_nid().

But the problem that I have is different. In keygen (callback set by
EVP_PKEY_meth_set_keygen), there is no way to access the NID. It seems
to be stored in the EVP_PKEY_CTX->pmeth->pkey_id, but there is
no way to read it (or at least I couldn't find any).
But, anyway - I have a sub-optimal solution, which uses
EVP_PKEY_meth_set_ctrl() to set a scheme-specific callback. Not
perfectly clean, but works perfectly well.

In regards to 3.0 - I started to work on a provider for PQ
schemes some time ago. Not finished yet, but indeed, it looks
easier/better. Nevertheless, an ENGINE for 1.1.1 is actually
something that is needed now for practical reasons (like integration
with existing software).

Kind regards,

On 9/30/20 8:05 AM, Dr Paul Dale wrote:
> Instead of using an engine, you should write a provider (assuming you’re
> using the soon to be released OpenSSL 3.0).  It doesn’t need a NID.
> If you are using OpenSSL 1.1.1, try the OBJ_new_nid() function.
> Pauli
> -- 
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
> Phone +61 7 3031 7217
> Oracle Australia
>> On 26 Aug 2020, at 6:48 pm, Kris Kwiatkowski wrote:
>> Hey,
>> I'm working on development of an OpenSSL ENGINE that integrates
>> post-quantum algorithms (new NIDs). During integration I
>> need to modify OpenSSL code to add a custom function, but would
>> prefer not to need to add anything to OpenSSL code (so the engine
>> can be dynamically loaded by any modern OpenSSL).
>> So, in three cases, namely when the code is in callbacks for keygen,
>> encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt
>> and EVP_PKEY_keygen) I need to get the NID of the scheme. The problem
>> is that those functions are called with an EVP_PKEY_CTX object
>> provided as an argument. The NID is stored in the
>> EVP_PKEY_CTX->pmeth->pkey_id. I think (AFAIK) there is no API
>> which would return that value.
>> I've added a simple function that returns pkey_id from the ctx, but
>> that means that I need to change OpenSSL code. Is there any way
>> to get the NID without changing OpenSSL?
>> Kind regards,
>> Kris

More information about the openssl-project mailing list