[openssl-users] Loading RSA private key from ENGINE

Ignacio Alamo Corsino nacao2001 at hotmail.com
Thu Nov 16 11:18:42 UTC 2017

Hello Fabrizio,

actually the whole private key and all its components are not loaded with ENGINE_load_private_key. Only a part of them (modulus and public exponent).

These components are enough to, for example, make a key/certificate match verification.

Once a private key operation is needed (ex. signature) then your custom RSA method will be called because the key that you have previously loaded

is not able to perform that kind of operations. Depending on how you have written your method, one function or another will be called (rsa_sign or RSA_private_encrypt).

If you have loaded your engine correctly, the SSL methods will know when to call your rsa methods to perform their operations.



De: openssl-users <openssl-users-bounces at openssl.org> en nombre de hokusai at gmx.ch <hokusai at gmx.ch>
Enviado: miércoles, 15 de noviembre de 2017 9:37
Para: openssl-users at openssl.org
Asunto: [openssl-users] Loading RSA private key from ENGINE

I am currently exporing the ENGINE capabilities. The examples are quite clear about how to link OpenSSL with methods that are available in a hardware module:
- implement RSA_METHOD in MyEngine, e.g. rsaSign() wich calls rsaSign_HW()
- ENGINE_register_RSA(MyEngine)
--> OpenSSL will then automatically call that method when rsa signing is required.

So far, so good.

The gap in my understanding is how to access the private key. Assumimg that my hardware module contains a list of private keys, which cannot and shall not be exported, they will be referenced by some opaque reference or id, e.g "KEY_1"


Now I need some way to configure SSL_CTX with "KEY_1" instead of the "real" key.
I'm thinking of some pseudo-code in the way:

SSL_CTX_use_certificate(ctx, cert)  // certificate from PEM file as usual
SSL_CTX_use_PrivateKeyReferenceForEngine(ctx, "KEY_1")

Also there is a engine interface that looks promising, as takes some arbitrary keyId as parameter....

privKey = ENGINE_load_private_key(MyEngine, "KEY_1")

.. but as far as I understand, it returns the "real" key, which is not exportable.

Am I completety on the wrong track? What is the recommended technique?
Thanks for any suggestion

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171116/153cf6af/attachment.html>

More information about the openssl-users mailing list