Dynamically Adding a New PubKey Method - how to link OID <-> pkey_id ?

Dmitry Belyavsky beldmit at gmail.com
Tue Aug 30 20:25:52 UTC 2022

Dear Dr.Pala,

You can take a look at


and use OBJ_create (https://www.openssl.org/docs/man3.0/man3/OBJ_create.html)
to register new NIDs.
If you want just PKI/CMS, it would be enough.

I should notice that ENGINE interface is deprecated so for OpenSSL 3.0
you'd better implement a provider for your purposes.

On Tue, Aug 30, 2022 at 6:58 PM Dr. Pala <director at openca.org> wrote:

> Dear OpenSSL,
> I have a question for the community. Specifically, I am changing the
> implementation that we are working on for Composite Crypto from directly
> patching the OpenSSL library with a new method, we want to add it
> dynamically - this makes it easier to use Composite Crypto with existing
> OpenSSL deployments.
> One very discouraging thing when you do that is that with all the masking
> of data structures, it becomes quite difficult to work on low-level
> implementations and it might require including some definitions of data
> structures.
> Besides this side-notes, the issue we are facing is related to how to link
> the OID for the public key algorithm with the NID for the dynamically added
> one. Let me explain with some code.
> When our LibPKI starts up, it initializes the crypto layer and adds the
> Composite method by using the EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD:
> // We Need to initialize the ASN1 conversion method
> // https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_ASN1_METHOD.html
> if (!EVP_PKEY_asn1_add0(&combined_asn1_meth)) return 0;
> // We also Need to initialize the PKEY method for the algorithm
> // https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_METHOD.html
> if (!EVP_PKEY_meth_add0(&combined_pkey_meth)) return 0;
> However, as part of the two structures, the pkey NID is already defined in
> the structure (pkey_id). This was all working fine because the pkey_id was
> the NID_composite that was originally generated via the objects tools
> (i.e., you can use the two functions OBJ_nid2obj() and OBJ_obj2nid() with
> the NID_composite value), however... I cannot find how to do this with the
> static version.
> I tried to create the object with the OBJ_create() first and then assign
> it to the relevant fields of the methods:
> // Let's create the Initial OID for Composite Crypto
> NID_composite = OBJ_create("", "composite",
> "pk-Composite");
> if (NID_composite == NID_undef) return 0;
> // // Assigns the generated IDs
> composite_asn1_meth.pkey_id = NID_composite;
> composite_asn1_meth.pkey_base_id = NID_composite;
> composite_pkey_meth.pkey_id = NID_composite;
> right before adding the method(s) to the library with the
> EVP_PKEY_meth_add0() and EVP_PKEY_asn1_add0(). This seems a bit clunky to
> me and I am facing some weird memory issue when I assign the pkey_id on the
> pkey meth (but that can simply be an issue with a pointer somehow... ).
> I was wondering if there is a better approach.
> Specifically, I was thinking about generating the methods data structures
> with the dynamic allocation (EVP_PKEY_meth_new) and then assigning the
> different callbacks instead of using the _add0() functions ... however also
> that approach requires us, if I am not mistaken, to generate the OIDs
> first, retrieve the ID from it, and then use the
> EVP_PKEY_meth_new()/EVP_PKEY_asn1_new() to generate the new methods. This
> second approach requires a bit more code to do all the assigning (instead
> of just assigning the structure once) but it helps with not requiring
> exporting the internals of the method(s) structure itself.
> Is there a better way to provide the algorithm?
> The last path that I was thinking was to provide an ENGINE implementation,
> but that seemed a bit more complicated (probably mostly because I have
> never had to implement the interface...).
> Thank you for your help and have a wonderful day!
> Cheers,
> Max
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
> [image: OpenCA Logo]

SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220830/a412a874/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hGC90aEi5KV28O06.png
Type: image/png
Size: 3146 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220830/a412a874/attachment-0001.png>

More information about the openssl-users mailing list