CNG engine on GitHub

Selva Nair selva.nair at gmail.com
Fri Jul 2 16:34:19 UTC 2021


Hi

>
>>
>> This is great, but limiting RSA signature to  RSA-PKCS#1 v 1.5 is a major
>> limitation. It doesn't have to be that way as the OpenSSL engine interface
>> does allow using EVP_PKEY_METHOD callbacks instead of rsa_priv_dec etc.
>>
>
> Yes I agree the lack of support for RSA-PSS is significant. There is a
> discussion (which includes you, I see ) around the root cause of that here:
> https://github.com/openssl/openssl/issues/7341 , among other places.
>

That discussion is valid only if you insist on using "legacy" rsa_sign or
other rsa_priv_dec  which have no mechanism for providing context info like
padding and hash type.


> It is not clear to me what you mean with "the OpenSSL engine interface
> does allow using EVP_PKEY_METHOD callbacks instead of rsa_priv_dec etc.".
> Can you elaborate (here or on the GitHub issue)?
>

To add to what Matt wrote:

As an example, see my PR for pkcs11-helper:
https://github.com/OpenSC/pkcs11-helper/pull/31  This uses a dummy engine
and passes the singing operation to the pkcs11 device, but the idea is the
same.

Selva

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210702/e0e87403/attachment.html>


More information about the openssl-users mailing list