[openssl-users] How to Implement a new PubKey method correctly

Dmitry Belyavsky beldmit at gmail.com
Fri Aug 24 07:55:20 UTC 2018 

Dear Max,

You can take a look at https://github.com/gost-engine/engine as an example
of providing new algorithms via engine.


On Fri, Aug 24, 2018 at 10:45 AM Dr. Pala <director at openca.org> wrote:

> Hi all,
>
> I am working on providing a new Public Key method that will handle
> Composite Keys (i.e., multiple keys with different algos - e.g., one RSA
> and one EC) and Composite Signatures  (i.e., multiple signatures generated
> with the corresponding Composite Keys). In particular, I would like to be
> able to add a method that will, in turn, call the methods supported by the
> different keys that form the COMPOSITE_PKEY structure.
>
> I have looked around how to do it and I am a bit confused about how to
> proceed as there are some conflicting implementations for different
> algorithms.
>
> Here's some high-level questions related to the EVP_PKEY interface, in
> particular:
>
>    - *EVP_PKEY_ASN1_METHOD vs. EVP_PKEY_METHOD *- when these two
>    different types of methods are used? Shall both be implemented?
>
> The 1st one is for processing ASN1 structures and the 2nd  is for
crypto-operations.

>
>    -
>    - *After providing the implementation for the ameth/pmeth, how does
>    the integration work with openssl?* In particular, should I add them
>    to the list of the default ameth/pmeth supported? Here's some more specific
>    questions:
>
>    - It seems there is an *app_method stack* of EVP_PKEY_ASN1_METHOD -
>       how do I add the method there (in case I will use a user-level - i.e., not
>       integrated into OpenSSL code - approach by using the functions in the
>       crypto/asn1/ameth_lib.c file). Will the EVP_PKEY_asn1_add0() function call
>       be sufficient?
>
>       - It seems there is an standard_methods stack of
>       EVP_PKEY_ASN1_METHOD - how do I add the method there if we need to have a
>       more tight integration with the core of the library (in case we can not do
>       our proof-of-concept without touching the openssl's code / requiring a fork)
>
> See register_ameth/register_pmeth in GOST engine.


>    -
>       - *COMPOSITE_PKEY struct and COMPOSITE_PKEY_CTX struct.* I noticed
>    that, for example, both RSA and EC implement some form of _CTX and _PKEY
>    structures. Are these used only internally or should they be implemented
>    and integrated with the METHOD(s) ?
>
> I suspect you need your own representation of key owning RSA and EC keys
and manage themselves.

>
>    -
>    - *Given the above is implemented correctly - will this enable the use
>    of the method for processing signatures with the new (pseudo-)algorithm for
>    different structures (e.g., CRLs, X509, X509_REQ, OCSP_REQ, OCSP_RESP,
>    etc.)* ? I see that there is some sort of different usages that can be
>    implemented in the CTRL of the ameth (e.g., rsa_pkey_ctrl), however this
>    seems to be targeted to the following operations:
>
>            ASN1_PKEY_CTRL_PKCS7_SIGN
>            ASN1_PKEY_CTRL_PKCS7_ENCRYPT
>            ASN1_PKEY_CTRL_CMS_SIGN
>            ASN1_PKEY_CTRL_CMS_ENVELOPE
>            ASN1_PKEY_CTRL_CMS_RI_TYPE
>            ASN1_PKEY_CTRL_DEFAULT_MD_NID
>
>    - Last but not least, since the EVP_PKEY has a union that points to
>    the internal key (i.e., crypto/internal/evp_int.h - evp_pkey_st) where,
>    besides the rsa, dsa, dh, and ec pointers, a void * ptr is defined. Shall I
>    use that pointer to reference the composite_pkey_st (at least for the
>    user-space implementation) ?
>
> Yes.

>
>
> Thanks for any help for understanding all these details... :D
>
> Cheers,
> Max
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
> [image: OpenCA Logo]
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


-- 
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180824/ad300118/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eonooiokingombaf.png
Type: image/png
Size: 3146 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180824/ad300118/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eonooiokingombaf.png
Type: image/png
Size: 3146 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180824/ad300118/attachment-0001.png>

More information about the openssl-users mailing list