[openssl-users] How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser stm at pdflib.com
Mon Feb 20 07:40:22 UTC 2017


Am 17.02.17 um 18:43 schrieb Jakob Bohm:
>> ...
> Some token keys on some tokens (think e-mail decryption private keys or
> TLS server private keys) intentionally support decryption of a wrapped
> symmetric key via PKCS#11 mechanisms such as the one from PKCS1v1.5 or
> The precise set of such public key operations available is given by the set
> of "mechanisms" enumerated by the pkcs11 driver for the individual token.
> One of the defined mechanisms (the one confusingly named "X509") appears to
> actually be the raw RSA operation, thus allowing it to be repurposed to
> implement any RSA scheme (such as PSS, or SHA-256 signatures) that might
> be missing on the token iteself.  But this obviously only works for those
> tokens that allow this, which varies by token model, token configuration
> and PKCS11-driver version.
> This obviously isn't possible for all tokens, and thus in general doesn't
> solve your original problem for those tokens that support PSS signatures
> natively, but not the raw RSA operation.  But it can be helpful for those
> tokens that do support the raw RSA operation and expose this ability
> through
> their PKCS#11 drivers.

thank you for the explanation about the CKM_RSA_X_509 mechanism. I was 
not aware of its meaning, and I will study it in more detail. The tokens 
that I have access to do provide this mechanism, so I can experiment 
with it.

Regarding my original question, does anybody have comments whether and 
if so how it is possible to override methods in a EVP_PKEY_METHOD structure?

Thank you.


More information about the openssl-users mailing list