CNG engine on GitHub

Reinier Torenbeek reinier.torenbeek at gmail.com
Thu Jul 8 02:18:05 UTC 2021


Hello Selva and Matt,

Thanks for the pointers. Following the suggested approach, I have added (in
a branch of a fork) initial support of RSA-PSS for the BCrypt engine and
the first few tests look promising. Next, I will do the same thing for
NCrypt. After that I will probably add support for OAEP as well.

Best regards,
Reinier

On Fri, Jul 2, 2021 at 1:35 PM Selva Nair <selva.nair at gmail.com> wrote:

> Hi
>
>>
>>>
>>> This is great, but limiting RSA signature to  RSA-PKCS#1 v 1.5 is a
>>> major limitation. It doesn't have to be that way as the OpenSSL engine
>>> interface does allow using EVP_PKEY_METHOD callbacks instead of
>>> rsa_priv_dec etc.
>>>
>>
>> Yes I agree the lack of support for RSA-PSS is significant. There is a
>> discussion (which includes you, I see ) around the root cause of that here:
>> https://github.com/openssl/openssl/issues/7341 , among other places.
>>
>
> That discussion is valid only if you insist on using "legacy" rsa_sign or
> other rsa_priv_dec  which have no mechanism for providing context info like
> padding and hash type.
>
>
>> It is not clear to me what you mean with "the OpenSSL engine interface
>> does allow using EVP_PKEY_METHOD callbacks instead of rsa_priv_dec etc.".
>> Can you elaborate (here or on the GitHub issue)?
>>
>
> To add to what Matt wrote:
>
> As an example, see my PR for pkcs11-helper:
> https://github.com/OpenSC/pkcs11-helper/pull/31  This uses a dummy engine
> and passes the signing operation to the pkcs11 device, but the idea is the
> same.
>
> Selva
>
>>