Dynamically Adding a New PubKey Method - how to link OID <-> pkey_id ?

Dr. Pala director at openca.org
Tue Aug 30 16:57:33 UTC 2022

Dear OpenSSL,

I have a question for the community. Specifically, I am changing the 
implementation that we are working on for Composite Crypto from directly 
patching the OpenSSL library with a new method, we want to add it 
dynamically - this makes it easier to use Composite Crypto with existing 
OpenSSL deployments.

One very discouraging thing when you do that is that with all the 
masking of data structures, it becomes quite difficult to work on 
low-level implementations and it might require including some 
definitions of data structures.

Besides this side-notes, the issue we are facing is related to how to 
link the OID for the public key algorithm with the NID for the 
dynamically added one. Let me explain with some code.

When our LibPKI starts up, it initializes the crypto layer and adds the 
Composite method by using the EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD:

// We Need to initialize the ASN1 conversion method
// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_ASN1_METHOD.html
if(!EVP_PKEY_asn1_add0(&combined_asn1_meth)) return0;
// We also Need to initialize the PKEY method for the algorithm
// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_METHOD.html
if(!EVP_PKEY_meth_add0(&combined_pkey_meth)) return0;

However, as part of the two structures, the pkey NID is already defined 
in the structure (pkey_id). This was all working fine because the 
pkey_id was the NID_composite that was originally generated via the 
objects tools (i.e., you can use the two functions OBJ_nid2obj() and 
OBJ_obj2nid() with the NID_composite value), however... I cannot find 
how to do this with the static version.

I tried to create the object with the OBJ_create() first and then assign 
it to the relevant fields of the methods:

// Let's create the Initial OID for Composite Crypto
NID_composite = OBJ_create("", "composite", 
if(NID_composite == NID_undef) return0;
// // Assigns the generated IDs
composite_asn1_meth.pkey_id = NID_composite;
composite_asn1_meth.pkey_base_id = NID_composite;
composite_pkey_meth.pkey_id = NID_composite;

right before adding the method(s) to the library with the 
EVP_PKEY_meth_add0() and EVP_PKEY_asn1_add0(). This seems a bit clunky 
to me and I am facing some weird memory issue when I assign the pkey_id 
on the pkey meth (but that can simply be an issue with a pointer 
somehow... ).

I was wondering if there is a better approach.

Specifically, I was thinking about generating the methods data 
structures with the dynamic allocation (EVP_PKEY_meth_new) and then 
assigning the different callbacks instead of using the _add0() functions 
... however also that approach requires us, if I am not mistaken, to 
generate the OIDs first, retrieve the ID from it, and then use the 
EVP_PKEY_meth_new()/EVP_PKEY_asn1_new() to generate the new methods. 
This second approach requires a bit more code to do all the assigning 
(instead of just assigning the structure once) but it helps with not 
requiring exporting the internals of the method(s) structure itself.

Is there a better way to provide the algorithm?

The last path that I was thinking was to provide an ENGINE 
implementation, but that seemed a bit more complicated (probably mostly 
because I have never had to implement the interface...).

Thank you for your help and have a wonderful day!


Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220830/534c181f/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hGC90aEi5KV28O06.png
Type: image/png
Size: 3146 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220830/534c181f/attachment.png>

More information about the openssl-users mailing list