openssl-users Digest, Vol 106, Issue 24

Kamal Joshi kamal19joshi at gmail.com
Tue Sep 26 01:29:09 UTC 2023


Hi Team,

I have a few queries related to the Provider concept in the OpenSSL 3.1.x
version.

As the OpenSSL version is coming up with the Provider implementation and the
engine API is deprecated, below are the queries.
1. Is it possible to still use the Engine API, and will it work with OpenSSL
3.1.x?
2. If not, can someone help in replacing the engine with a provider
implementation, with some basic example or a minimum set of implementation?

I am working on this on Linux (OpenBMC environment), which is then open
sourced to the community. As OpenSSL provides command line support in Linux
for running different speed tests using hardware engines, is there similarly
any such command line utility or commands for providers?

Also, as with an Engine, we change the openssl.conf file for invoking the engine at
runtime. Do we need to change the configuration file for the provider as
well to load it at runtime?
Our project is at a very early stage and we are starting with OpenSSL 3.1.x,
so we need to understand the provider implementation. Any pointer or input will be
highly helpful to us.

Regards,
Kamal Joshi




On Fri, Sep 22, 2023 at 5:30 PM <openssl-users-request at openssl.org> wrote:

>
> Today's Topics:
>
>    1. Re: pkey public key extraction (David von Oheimb)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 22 Sep 2023 07:44:01 +0200
> From: David von Oheimb <it at von-Oheimb.de>
> To: openssl-users at openssl.org
> Subject: Re: pkey public key extraction
> Message-ID: <52984fec-bb5a-11ad-49ab-6d77dece9dea at von-Oheimb.de>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Thanks Viktor for the very good comments below.
>
> Here is a more general side remark on a side info by Stephen Doody:
>
> > For info we're running openssl version 1.0.2k-fips on Centos 7 in an AWS
> EC2 instance.
> OpenSSL 1.0.2 is heavily outdated.
> Meanwhile, using anything below 3.0 is discouraged and imposes more or
> less security risks.
>
> A further motivation for upgrading to a recent OpenSSL version is that
> the OpenSSL apps like x509
> meanwhile have a significantly improved documentation and offer extended
> options for advanced use.
>
> David
>
> On 20.09.23 20:08, Viktor Dukhovni wrote:
> > On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via
> openssl-users wrote:
> >
> >> I'm hoping someone can point me in the right direction.
> > Perhaps walk you there step by step...
> >
> >> We have a pem file that a colleague believes contains a private and a
> public key.
> > More likely, a private key and a (public key) X.509 certificate (a
> > certificate is basically a public key enclosed in a signed name binding
> > attestation).
> >
> >> They want to extract the public key from the file and deploy that, so
> >> a 3rd party service can access our system.
> > Typically, the 3rd party would want your certificate, though some are
> > sophisticated enough to directly use a "bare" public key.  The
> > distinction is important, so you need to check *precisely* what they're
> > looking for.
> >
> >> The command they suggested was:
> >> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem
> > This extracts a bare public key from the first private key in the PEM
> > file.
> >
> >> The pubkey.pem file that is created only contains the public key and
> >> nothing else, so the 3rd party service can no longer connect to our
> >> system as it doesn't recognise this as a valid certificate and
> >> complained that it was not trusted.
> > This makes no sense, because if they wanted a public key, they got one.
> > If they wanted a certificate, they should have asked for that, and not
> > given you incorrect instructions for getting just the key.  It seems
> > they need as much hand-holding as you do. :-(
> >
> >> I've read through the man pages for pkey and x509 and I've also tried
> >> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem
> > This extracts two PEM objects, the "bare" public key *and* the
> > certificate (because you didn't also specify "-noout").
> >
> > And apparently, it was the certificate they were looking for after all.
> >
> >> The 3rd party service can now connect to our system but viewing the
> >> details of the pubkey2.pem file it looks identical to the original
> >> ourcert.pem file.
> > Almost identical, it wouldn't have your private key.
> >
> >> Is pkey or x509 the right way to do this?
> > Apparently "x509", and you don't need the "-pubout" option, that's not
> > what they meant to ask you for.
> >
> >> If it is pkey, how do I extract the public key so that it generates a
> >> valid certificate?
> > This makes no sense.  A public key is not a certificate, and does not
> > contain one.  It is the other way around.
> >
> > --
> >      Viktor.
>
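The two provider questions in the message above (loading a provider at runtime through the configuration file, and a command-line counterpart to engine speed tests) as an added, runnable example. This is not code from the original post or from the OpenSSL project. It relies on documented OpenSSL 3.x behaviour: the configuration file is openssl.cnf (its directory is printed by `openssl version -d`), providers are activated from a `providers` section referenced by the `openssl_init` section, `openssl list -providers` shows what is loaded, every app accepts `-provider` and `-provider-path`, and the default provider is loaded automatically only as long as no provider has been activated explicitly. The file names both.cnf and base-only.cnf, the section names, and the use of the built-in base provider as a stand-in for a hardware provider are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): loading OpenSSL 3.x providers from a
# configuration file and checking from the command line what is active.
# File and section names below are constructed for the demo; a real
# deployment edits openssl.cnf (directory shown by `openssl version -d`).

# Write a config that activates the built-in default and base providers.
write_provider_config() {
  cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
base = base_sect

[default_sect]
activate = 1

[base_sect]
activate = 1
EOF
}

# Same, but activating base only. Once any provider is activated explicitly
# the default provider is no longer loaded as a fallback, so this config has
# no digest or cipher implementations at all: the classic mistake when a
# hardware provider is added and "default" is forgotten.
write_base_only_config() {
  cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
base = base_sect

[base_sect]
activate = 1
EOF
}

# Print the name of each active provider under the given config, sorted.
# Parses `openssl list -providers`, whose output looks like:
#   Providers:
#     default
#       name: OpenSSL Default Provider
#       version: 3.1.4
#       status: active
active_providers() {
  OPENSSL_CONF="$1" openssl list -providers \
    | awk '/^  [^ ]/ { name = $1 } /status: active/ { print name }' \
    | sort
}

# "yes" if SHA-256 can be used under the given config, otherwise "no".
sha256_available() {
  if OPENSSL_CONF="$1" openssl dgst -sha256 /dev/null >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Command-line speed test against a named provider, the provider-era
# counterpart of `openssl speed -engine ...`. A hardware provider module
# (hypothetical name myhw) would be run the same way, with -provider-path
# pointing at the directory holding its .so:
#   openssl speed -provider-path /path/to/modules -provider myhw -evp sha256
speed_with_provider() {
  OPENSSL_CONF="$1" openssl speed -provider "$2" -evp sha256 -seconds 1 2>/dev/null
}

main() {
  if ! command -v openssl >/dev/null 2>&1 || ! openssl version | grep -q '^OpenSSL 3'; then
    echo "OpenSSL 3.x not found, nothing to demonstrate" >&2
    return 0
  fi
  dir=$(mktemp -d)
  write_provider_config "$dir/both.cnf"
  write_base_only_config "$dir/base-only.cnf"
  echo "active with both.cnf:      $(active_providers "$dir/both.cnf" | paste -sd, -)"
  echo "active with base-only.cnf: $(active_providers "$dir/base-only.cnf" | paste -sd, -)"
  echo "sha256 with both.cnf:      $(sha256_available "$dir/both.cnf")"
  echo "sha256 with base-only.cnf: $(sha256_available "$dir/base-only.cnf")"
  speed_with_provider "$dir/both.cnf" default
  rm -rf "$dir"
}

main
```

The base-only configuration is the caveat worth testing before shipping a provider config on a device: activating a hardware provider alone silently removes every software algorithm, so the provider section should normally keep `default` (or `fips`) activated alongside it, and a quick `openssl list -providers` plus one `openssl dgst` under the new OPENSSL_CONF catches the omission.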
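The pkey and x509 commands from the quoted exchange, run against a constructed PEM file that holds a private key followed by a certificate, as an added example that is not part of the thread. The key and self-signed certificate are generated on the fly for the demo (P-256, CN=demo, one day validity), the file names ourcert.pem, pubkey1.pem, cert-only.pem and pubkey2.pem are constructed, and the fingerprint check is an added way to confirm that the bare public key and the key inside the certificate are the same object, whichever command produced them.

```shell
#!/bin/sh
# Added example (not from the thread): what each OpenSSL command in the
# exchange actually extracts from a PEM file holding a private key and a
# certificate. All key material is generated here and is throw-away.

# Build a constructed ourcert.pem: a fresh P-256 private key followed by a
# self-signed certificate for it, in one file (the layout the original
# poster described). Argument: directory to write into.
make_demo_pem() {
  d=$1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=demo" -days 1 \
    -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
  cat "$d/key.pem" "$d/cert.pem" > "$d/ourcert.pem"
}

# Print the PEM label of every object in a file, one per line,
# e.g. "PRIVATE KEY" then "CERTIFICATE".
pem_labels() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# The command the third party suggested: reads the first private key in the
# file and writes only its bare public key (SubjectPublicKeyInfo).
pubkey_from_private_key() {
  openssl pkey -in "$1" -pubout -out "$2"
}

# What they apparently wanted: the certificate alone, no private key.
cert_only() {
  openssl x509 -in "$1" -out "$2"
}

# The poster's second attempt, with -noout added so the output holds the
# bare public key only and not the certificate as well.
pubkey_from_cert() {
  openssl x509 -in "$1" -pubkey -noout -out "$2"
}

# SHA-256 over the DER encoding of a public key; the same key gives the same
# fingerprint whichever PEM object it was taken from.
pubkey_fingerprint() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

main() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found, nothing to demonstrate" >&2
    return 0
  fi
  dir=$(mktemp -d)
  make_demo_pem "$dir"
  pubkey_from_private_key "$dir/ourcert.pem" "$dir/pubkey1.pem"
  cert_only "$dir/ourcert.pem" "$dir/cert-only.pem"
  pubkey_from_cert "$dir/ourcert.pem" "$dir/pubkey2.pem"
  for f in ourcert.pem pubkey1.pem cert-only.pem pubkey2.pem; do
    printf '%-14s %s\n' "$f:" "$(pem_labels "$dir/$f" | paste -sd, -)"
  done
  printf 'fingerprint via pkey: %s\n' "$(pubkey_fingerprint "$dir/pubkey1.pem")"
  printf 'fingerprint via x509: %s\n' "$(pubkey_fingerprint "$dir/pubkey2.pem")"
  rm -rf "$dir"
}

main
```

Running it shows the distinction Viktor draws: pubkey1.pem and pubkey2.pem each contain a single PUBLIC KEY object with identical fingerprints, cert-only.pem contains only the CERTIFICATE, and neither contains the PRIVATE KEY that ourcert.pem starts with, which is the one thing that must never be handed to a third party.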