On Mon, Nov 15, 2010, Valery Blazhnov wrote:

> I need advice on using the EVP_SignFinal function with two private key
> objects stored on two different tokens. I can use two PKCS11 engine
> instances to access these objects in low-level functions. But the EVP_SignFinal
> implementation uses the EVP_PKEY_CTX_new(pkey, NULL) call internally to create
> an internal signing context with a NULL engine. Then the int_ctx_new function finds
> an engine by NID:
>
>     e = ENGINE_get_pkey_meth_engine(id);
>
> and uses the first found engine instance. As a result only the first token can be
> used for signing.
> How can I specify the right engine instance for the signing context without OpenSSL
> source code modifications?
If the EVP_PKEY structure is set up correctly it should use the appropriate ENGINE contained within it. This will most likely end up being routed through the default EVP_PKEY implementation (as very few new EVP_PKEY implementations currently exist) and through the lower level RSA_METHOD (etc) structure and then through the ENGINE responsible for the private key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
