Matching keys between providers

Tomas Mraz tomas at
Mon Oct 25 08:01:40 UTC 2021

On Sat, 2021-10-23 at 11:04 +0700, Alex Dankow wrote:
> Hi OpenSSL users and its glorious developers, 
> Thank you very much for OpenSSL 3!
> My question is about writing a provider. I decided to start from a
> Windows certificate storage provider. It already works with "openssl
> storeutl" command, but can't make it work with "openssl ca".
> When openssl expects a certificate, I return an encoded certificate
> directly. OpenSSL parses it and the public key belongs to the "OpenSSL
> RSA" provider. I can't give private keys from Windows cert. storage and
> return something virtual from my key management provider.
> At the next step, openssl.exe does matching, compares key types: public
> key's type is "OpenSSL RSA" and the private key type of "MYPKEY". It is
> done in  evp_keymgmt_util_match.
> I was hoping it would be called OSSL_FUNC_KEYMGMT_MATCH for both
> providers, but it only compares strings and says types are different.
> If I declare that my key management also handles RSA in OSSL_ALGORITHM
> as "MYPKEY:RSA" OpenSSL tool gives an error that RSA has an existing
> different identity.
> I'm exploring the source, but I'm stuck. Is it the wrong approach or I
> missed something ?

This is something that should be resolved by:

The key type for RSA keys must be "RSA". And the PR linked above should
ensure that the unexportable RSA keys from the keystore would be
handled by your provider.

Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

More information about the openssl-users mailing list