Dynamically Adding a New PubKey Method - how to link OID <-> pkey_id ?
Dr. Pala
director at openca.org
Tue Aug 30 16:57:33 UTC 2022
Dear OpenSSL,
I have a question for the community. Specifically, I am changing the
implementation we are working on for Composite Crypto: instead of directly
patching the OpenSSL library with a new method, we want to add it
dynamically, which makes it easier to use Composite Crypto with existing
OpenSSL deployments.
One very discouraging thing when you do that is that with all the
masking of data structures, it becomes quite difficult to work on
low-level implementations and it might require including some
definitions of data structures.
Besides this side note, the issue we are facing is related to how to
link the OID for the public key algorithm with the NID for the
dynamically added one. Let me explain with some code.
When our LibPKI starts up, it initializes the crypto layer and adds the
Composite method by using the EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD:
// We need to initialize the ASN1 conversion method
// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_ASN1_METHOD.html
if (!EVP_PKEY_asn1_add0(&combined_asn1_meth)) return 0;
// We also need to initialize the PKEY method for the algorithm
// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_METHOD.html
if (!EVP_PKEY_meth_add0(&combined_pkey_meth)) return 0;
However, as part of the two structures, the pkey NID is already defined
in the structure (pkey_id). This was all working fine because the
pkey_id was the NID_composite that was originally generated via the
objects tools (i.e., you can use the two functions OBJ_nid2obj() and
OBJ_obj2nid() with the NID_composite value), however... I cannot find
how to do this with the static version.
I tried to create the object with the OBJ_create() first and then assign
it to the relevant fields of the methods:
// Let's create the initial OID for Composite Crypto
NID_composite = OBJ_create("1.3.6.1.4.1.18277.2.1", "composite",
                           "pk-Composite");
if (NID_composite == NID_undef) return 0;
// Assign the generated NID to the method structures
composite_asn1_meth.pkey_id = NID_composite;
composite_asn1_meth.pkey_base_id = NID_composite;
composite_pkey_meth.pkey_id = NID_composite;
right before adding the method(s) to the library with the
EVP_PKEY_meth_add0() and EVP_PKEY_asn1_add0(). This seems a bit clunky
to me and I am facing some weird memory issue when I assign the pkey_id
on the pkey meth (but that can simply be an issue with a pointer
somehow... ).
I was wondering if there is a better approach.
Specifically, I was thinking about generating the method data
structures with dynamic allocation (EVP_PKEY_meth_new) and then
assigning the different callbacks instead of using the _add0() functions
... however, that approach also requires us, if I am not mistaken, to
generate the OIDs first, retrieve the ID from them, and then use
EVP_PKEY_meth_new()/EVP_PKEY_asn1_new() to generate the new methods.
This second approach requires a bit more code to do all the assigning
(instead of just assigning the structure once) but it helps with not
requiring exporting the internals of the method(s) structure itself.
Is there a better way to provide the algorithm?
The last path I was thinking of was to provide an ENGINE
implementation, but that seemed a bit more complicated (probably mostly
because I have never had to implement the interface...).
Thank you for your help and have a wonderful day!
Cheers,
Max
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director