[openssl-users] How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser stm at pdflib.com
Mon Feb 27 15:50:54 UTC 2017

Am 27.02.17 um 16:33 schrieb Dr. Stephen Henson:
> On Mon, Feb 27, 2017, Stephan M?hlstrasser wrote:
>> Am 27.02.17 um 15:34 schrieb Dr. Stephen Henson:
>>> There shouldn't be any need to add the method to the list: it should be
>>> possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
>>> or implemented in an ENGINE). I say *should* because there doesn't seem to be
>>> currently a way to do that without changing EVP_PKEY internal fields (which
>>> isn't possible in 1.1.0 anyway).
>> I'm sorry, I don't get what you are trying to tell me in the above
>> paragraph. Are you talking about an alternative way to set up the
>> methods in the EVP_PKEY_METHOD structure?
> Well this is by analogy with how the other algorithm specific methods work.
> With RSA_METHOD et al there are two ways to provide your own mechanisms for
> operations.
> If it's a general purpose mechanism (e.g. a crypto accelerator) which should
> perform all RSA operations you can provide the default method.
> If you want to only affect certain keys (e.g. those tied to a specific HSM)
> you *can* do this via the default method and just check each key as it goes
> through (e.g. some ex_data attached to it) and only handle those of interest
> passing the rest to the default operation.
> There is an alternative way. You create a custom method and set that as the
> key's internal method. Then any existing keys use the default method as usual
> but the keys you care about go through the custom method.
> For EVP_PKEY_METHOD you can provide the default implementation for an
> algorithm but unfortunately there is no way to provide a key specific method
> which is transparently used.

Ok, thank you for this explanation! I will try to make sense of this and 
I will see whether I am able to map this to the corresponding API calls 
and data structures...


More information about the openssl-users mailing list