How to plug an external encryption to CMS_SignerInfo signing?

Dmitry Belyavsky beldmit at gmail.com
Sat Oct 24 10:12:04 UTC 2020


Dear Francesco,

On Sat, Oct 24, 2020 at 1:06 PM Francesco Pretto <ceztko at gmail.com> wrote:

> Hello,
>
> I'm trying to create a CMS context for subsequent export using
> CMS_sign(). I add a signer using CMS_add1_signer() that allows me to
> specify an X509 certificate and a hash function. I would like the CMS
> context to perform hash computation and ASN.1 structure filling, but I
> want to delegate encryption to an external service, for example a
> hardware encryption token (I'm assuming this is a very common use
> case). At this point I'm in a stalemate since CMS_add1_signer() asks
> me for a private EVP_PKEY that is compatible with the public key
> present in the X509 certificate. No other function seems to exist to
> create a CMS_SignerInfo by providing an external mechanism for
> encryption.
>
> My hacky solution was to add a signer with CMS_add1_signer() supplying the
> public key stored in the X509 certificate in the place of the private
> one. This passes internal checks of the function and allows me to
> subsequently handle (manually) all the ASN.1 structure filling and hash
> computations. This is barely doable with public openssl API and still
> requires a big rip-off of private openssl code (attached as a
> standalone C++ class, if it can be useful for someone).
>
> My question is: is there an easier mechanism to plug a separate
> encryption method when creating the CMS_SignerInfo structure and have
> openssl do all the other dirty work for me? If so, is it possible to
> do with openssl 1.1.0/1.1.1?
>

Engines allow operating by private keys in such a manner.
You have to reimplement all the callbacks dealing with private keys. Also,
it's possible you have to write some wrappers for the functions dealing
with public keys.

For 3.0, the providers should do the same trick, I think.

-- 
SY, Dmitry Belyavsky