ODP: CSR creation using pkcs11 dynamic engine

Piotr Lobacz piotr.lobacz at softgent.com
Tue Jun 1 14:57:50 UTC 2021

i have managed to find the engine method static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) in libp11 package. I have also made a printf callback and i see the output that method is being called, but the problem is that i think i need to set this flag RSA_FLAG_EXT_PKEY in EVP_PKEY object which i don't know how to do is it even possible?

Piotr Łobacz
Od: openssl-users <openssl-users-bounces at openssl.org> w imieniu użytkownika Piotr Lobacz <piotr.lobacz at softgent.com>
Wysłane: sobota, 29 maja 2021 20:12
Do: Selva Nair <selva.nair at gmail.com>
DW: openssl-users at openssl.org <openssl-users at openssl.org>
Temat: ODP: CSR creation using pkcs11 dynamic engine

Hi, unfortunately that is not that simple :( These methods are not being exposed by the dotnet. Porting them would take to much time because of the method struct. Recompiling the whole dotnet sdk is also not an option.

You know, i've been reading your mail and keep thinking and for now i see that the fastest way is to simply modify libp11 proxy engine in EVP_load_private_key method. First i can verify there the EVP_test_flag on the key and second modify the engine flags. This way i will be 100% sure that the problem is on dotnet side. Because when i was testing this key on the token i was generating 1024 bit length key and written it's length to the console. Than i have erased it completly and generated a new key pair with modified key length to 2048. The output result was changed: 1024 -> 2048. So the conclusion was that the key i taken correclty.

I will check this on monday and keep you inform. Have a nice weekend.

Od: Selva Nair <selva.nair at gmail.com>
Wysłane: sobota, 29 maja 2021 03:34
Do: Piotr Lobacz <piotr.lobacz at softgent.com>
Temat: Re: CSR creation using pkcs11 dynamic engine


I will also check these flags of my RSA object using RSA_test_flags and give you the answer. In the meantime as you have already told, the experts in here can share their knowledge, but i rather suspect that all you said is correct :] and the bug is in the dotnet implementation...

You could probably work around it by getting the method from the key using meth = RSA_get_method(rsa) and then setting the flag on the method using RSA_meth_set_flags(meth, flags). May not be a nice thing to do to a method owned by the engine, but should work if those API are exposed via dotnet.

If this is indeed the problem, you could try lobbying two places: dotnet devs to add a check for flags in the key, and libp11/pkcs11 engine devs to also set the flags on the method. One of them may oblige, depending on their thoughts on what is "right".


Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 0000674406, NIP: 9581679801, REGON: 367090912


Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego

KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210601/4e08775b/attachment.html>

More information about the openssl-users mailing list