Matching keys between providers

Alex Dankow alex.dankow at
Sat Oct 23 04:04:39 UTC 2021

Hi OpenSSL users and its glorious developers,

Thank you very much for OpenSSL 3!

My question is about writing a provider. I decided to start with a Windows
certificate storage provider. It already works with the "openssl storeutl"
command, but I can't make it work with "openssl ca".

When openssl expects a certificate, I return an encoded certificate
directly. OpenSSL parses it, and the public key belongs to the "OpenSSL RSA"
provider. I can't hand out private keys from the Windows certificate store,
and return something virtual from my key management provider.

At the next step, openssl.exe does matching and compares key types: the
public key's type is "OpenSSL RSA" and the private key's type is "MYPKEY".
This is done in evp_keymgmt_util_match.
I was hoping OSSL_FUNC_KEYMGMT_MATCH would be called for both providers,
but it only compares strings and says the types are different. If I declare
that my key management also handles RSA in OSSL_ALGORITHM as "MYPKEY:RSA",
the OpenSSL tool gives an error that RSA has an existing different identity.

I'm exploring the source, but I'm stuck. Is it the wrong approach, or have I
missed something?

Best Regards
Alex Dankow
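The "existing different identity" error in the post comes from the way OpenSSL 3 registers algorithm names: every provider name list ("A:B:C") is bound to one numeric identity in a per-library-context name map, and a list that mixes two names already bound to different identities is rejected. The following plain C model is an added illustration, not OpenSSL's code and not part of the original message; it is modelled on the behaviour of the internal name map in crypto/core_namemap.c, but uses its own names and a fixed-size array. It assumes, as in the post, that "MYPKEY" was already registered under its own identity before the provider tries to declare "MYPKEY:RSA".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64
#define MAX_NAME    32

/* One binding of an algorithm name to a numeric identity. */
struct name_entry {
    char name[MAX_NAME];
    int  number;
};

/* Model of the registry: one map shared across all operation types,
 * so a name bound by a keymgmt listing is also seen by other listings. */
struct namemap {
    struct name_entry entries[MAX_ENTRIES];
    int count;
    int next_number;   /* identities start at 1; 0 means "not registered" */
};

static void namemap_init(struct namemap *nm)
{
    memset(nm, 0, sizeof(*nm));
    nm->next_number = 1;
}

/* Identity bound to `name`, or 0 if the name is unknown. */
static int namemap_name2num(const struct namemap *nm, const char *name)
{
    for (int i = 0; i < nm->count; i++)
        if (strcmp(nm->entries[i].name, name) == 0)
            return nm->entries[i].number;
    return 0;
}

/* Register a colon-separated list such as "RSA:rsaEncryption".
 * All names must end up under one identity. If two of them are already
 * bound to different identities the whole list is rejected (returns 0):
 * that is the "existing different identity" case from the post. */
static int namemap_add_names(struct namemap *nm, const char *names)
{
    char buf[256];
    if (strlen(names) >= sizeof(buf))
        return 0;

    /* Pass 1: find the identity already shared by registered names, if any. */
    int number = 0;
    strcpy(buf, names);
    for (char *tok = strtok(buf, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        int existing = namemap_name2num(nm, tok);
        if (existing == 0)
            continue;
        if (number == 0)
            number = existing;
        else if (number != existing)
            return 0;   /* conflict: tok has an existing different identity */
    }
    if (number == 0)
        number = nm->next_number++;

    /* Pass 2: bind every not-yet-registered name to that identity. */
    strcpy(buf, names);
    for (char *tok = strtok(buf, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        if (namemap_name2num(nm, tok) != 0 || nm->count >= MAX_ENTRIES)
            continue;
        strncpy(nm->entries[nm->count].name, tok, MAX_NAME - 1);
        nm->entries[nm->count].name[MAX_NAME - 1] = '\0';
        nm->entries[nm->count].number = number;
        nm->count++;
    }
    return number;
}

/* Two key-type names count as the same type only if they share an identity. */
static int namemap_same_type(const struct namemap *nm, const char *a, const char *b)
{
    int na = namemap_name2num(nm, a), nb = namemap_name2num(nm, b);
    return na != 0 && na == nb;
}

/* Constructed replay of the post's sequence. Returns 1 when the model
 * reproduces the reported behaviour: "MYPKEY:RSA" is rejected and the
 * two key types remain distinct. */
static int replay_post_scenario(void)
{
    struct namemap nm;
    namemap_init(&nm);
    int rsa = namemap_add_names(&nm, "RSA:rsaEncryption");   /* default provider */
    int my  = namemap_add_names(&nm, "MYPKEY");              /* virtual key type */
    int merged = namemap_add_names(&nm, "MYPKEY:RSA");       /* the attempted alias */
    return rsa == 1 && my == 2 && merged == 0
        && !namemap_same_type(&nm, "MYPKEY", "RSA")
        && namemap_same_type(&nm, "RSA", "rsaEncryption");
}

int main(void)
{
    printf("post scenario reproduced: %s\n", replay_post_scenario() ? "yes" : "no");
    return 0;
}
```

The model shows why aliasing a provider-specific key type onto "RSA" after both names exist cannot work at the registry level: identities are assigned per name list, never merged afterwards, so a key whose type name maps to a different identity is a different type as far as the string comparison in the matching step is concerned.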
