Sign without having the private key

Dmitry Belyavsky beldmit at gmail.com
Mon Jan 11 18:00:25 UTC 2021


Dear Timo,

For 1.0* versions it was possible to provide custom RSA_METHOD and
EC_METHOD and implement an IPC callback.
I think it still should work for 1.1.1

It may be also useful to take a look at the async API.

On Mon, Jan 11, 2021 at 6:56 PM Timo Lange <tiolangit at outlook.com> wrote:

> Hey all,
>
> I have a question similar to
> http://openssl.6102.n7.nabble.com/private-key-not-available-for-client-cert-cb-td79369.html,
> which I am actively following, though it differs in detail.
>
> What I want to achieve is the following:
> My client application runs inside a container and needs to establish a
> mutual TLS connection to a server.
> The client certificate is available in the container.
> The root certificate, as well as the client private key, is not available
> inside the container, but stored in an HSM.
> For sure the private key may never leave the HSM and also the root
> certificate should not.
>
> The application cannot directly interfere with the HSM through
> standardized mechanisms as it is not accessible from inside the container.
> For doing so a proprietary interprocess-communication is required.
>
> I now want something like a "verify callback" and a "sign callback".
>
> The "verify callback" would be needed in order to verify the server
> certificate against the root certificate. It seems to be easy using:
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cert_verify_callback.html
>
> I need the same, something like a "sign callback" also for the private
> key, when a signature is required during handshake. Such that requests from
> openSSL to sign something can be forwarded through the
> inter-process-communication into the HSM. So that the actual signing
> happens there.
> This would only be required during handshake. For the actual encryption
> symmetric keys can be used, such that the encryption takes place in the
> openSSL library, not in the HSM.
>
> I assume I need to write a custom ENGINE, but failed with all my
> approaches.
>
> Can someone give me a brief hint on where to start and which API to look at
> first?
>
> Thanks a lot!
> Timo
>
>

-- 
SY, Dmitry Belyavsky