[openssl-users] How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser stm at pdflib.com
Mon Feb 20 07:40:22 UTC 2017


Jakob,

Am 17.02.17 um 18:43 schrieb Jakob Bohm:
>> ...
> Some token keys on some tokens (think e-mail decryption private keys or
> TLS server private keys) intentionally support decryption of a wrapped
> symmetric key via PKCS#11 mechanisms such as the one from PKCS1v1.5 or
> OAEP.
>
> The precise set of such public key operations available is given by the set
> of "mechanisms" enumerated by the pkcs11 driver for the individual token.
>
> One of the defined mechanisms (the one confusingly named "X509") appears to
> actually be the raw RSA operation, thus allowing it to be repurposed to
> implement any RSA scheme (such as PSS, or SHA-256 signatures) that might
> be missing on the token itself.  But this obviously only works for those
> tokens that allow this, which varies by token model, token configuration
> and PKCS11-driver version.
>
> This obviously isn't possible for all tokens, and thus in general doesn't
> solve your original problem for those tokens that support PSS signatures
> natively, but not the raw RSA operation.  But it can be helpful for those
> tokens that do support the raw RSA operation and expose this ability
> through their PKCS#11 drivers.

thank you for the explanation about the CKM_RSA_X_509 mechanism. I was 
not aware of its meaning, and I will study it in more detail. The tokens 
that I have access to do provide this mechanism, so I can experiment 
with it.

Regarding my original question, does anybody have comments whether and 
if so how it is possible to override methods in an EVP_PKEY_METHOD structure?

Thank you.

--
Stephan
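The approach Jakob describes above, doing the scheme-specific padding in software and handing only the raw modular exponentiation (what the CKM_RSA_X_509 mechanism exposes) to the token, shown as an added example that is not part of this thread and not OpenSSL or PKCS#11 code: it implements RSASSA-PSS with SHA-256 over a textbook RSA primitive in Python. The `raw_rsa` function and the constructed toy key stand in for the token's private-key operation; a real token would never expose `d`.

```python
import hashlib, hmac, math, os, random
H_LEN = 32  # SHA-256 is used as both the message hash and the MGF1 hash

def _random_prime(bits):
    # Fermat test with fixed bases: adequate for a constructed toy key, never for real keys
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11)):
            return c

def make_key(bits=1024, e=65537):
    # Constructed toy RSA key so the example runs offline (needs Python 3.8+ for pow(e, -1, m))
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def mgf1(seed, length):
    blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]

def pss_encode(msg, em_bits, salt):
    # EMSA-PSS-ENCODE (RFC 8017, 9.1.1): the padding step, done in software before the raw RSA step
    em_len = (em_bits + 7) // 8
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the leading bits so EM < n
    return bytes(masked) + h + b"\xbc"

def raw_rsa(n, exp, data):
    # Textbook modular exponentiation: the operation the CKM_RSA_X_509 mechanism performs on the token
    return pow(int.from_bytes(data, "big"), exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def sign_pss(n, d, msg, salt=None):
    return raw_rsa(n, d, pss_encode(msg, n.bit_length() - 1, os.urandom(H_LEN) if salt is None else salt))

def verify_pss(n, e, msg, sig):
    # EMSA-PSS-VERIFY (RFC 8017, 9.1.2) over the raw public-key operation
    em_bits, em_len = n.bit_length() - 1, (n.bit_length() + 6) // 8
    em = raw_rsa(n, e, sig)[-em_len:]
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    sep = db.find(b"\x01")  # DB must be PS (all zero) || 0x01 || salt
    if em[-1] != 0xBC or sep < 0 or any(db[:sep]) or masked[0] >> (8 - (8 * em_len - em_bits)):
        return False
    expected = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + db[sep + 1:]).digest()
    return hmac.compare_digest(h, expected)
```

The same split applies to any other RSA scheme the token lacks: build the encoded message in software, then call the raw mechanism once.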

