On Tue, Nov 16, 2010, Valery Blazhnov wrote:

> 15.11.2010 19:55, Dr. Stephen Henson wrote:
>> On Mon, Nov 15, 2010, Valery Blazhnov wrote:
>>
>>> I need advice on using the EVP_SignFinal function with two private key
>>> objects stored on two different tokens. I can use two PKCS11 engine
>>> instances to access these objects in low-level functions. But EVP_SignFinal
>>> implementation uses EVP_PKEY_CTX_new(pkey, NULL) call internally to create
>>> internal signing context with NULL engine. Then int_ctx_new function finds
>>> an engine by NID:
>>> e = ENGINE_get_pkey_meth_engine(id);
>>> and uses first found engine instance. As a result only first token can be
>>> used for signing.
>>> How can I specify right engine instance for signing context without OpenSSL
>>> source code modifications?
>>>
>> If the EVP_PKEY structure is set up correctly it should use the appropriate
>> ENGINE contained within it. This will most likely end up being routed through
>> the default EVP_PKEY implementation (as very few new EVP_PKEY implementations
>> currently exist) and through the lower level RSA_METHOD (etc) structure and
>> then through the ENGINE responsible for the private key.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
> Even if EVP_PKEY structure contains correct pointer to corresponding engine
> instance then int_ctx_new function ignores it and finds an engine by NID.
> Unfortunately there is no "if (pkey->engine) { e = pkey->engine; ... }"
> branch inside int_ctx_new function. Wouldn't you like to add it there?
>

Ah that's a bug which I'll fix. However there can't be many (any?) PKCS#11
ENGINEs that implement their own EVP_PKEY_METHOD, they will (almost?) always
have their own RSA_METHOD, DSA_METHOD etc which will get routed to the correct
ENGINE through the lower level APIs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
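The engine-selection behaviour discussed in this thread, modelled as a small self-contained C program. This is an added example, not OpenSSL source: the structs and the `engine_by_nid()` registry stand in for OpenSSL's EVP_PKEY, ENGINE and ENGINE_get_pkey_meth_engine(), the NID value and token names are constructed, and mode 2 assumes the caller can hand the ENGINE to context creation explicitly (as OpenSSL's EVP_DigestSignInit() allows, as opposed to EVP_SignFinal's internal EVP_PKEY_CTX_new(pkey, NULL)).

```c
#include <stddef.h>
#include <string.h>

/* Simplified model (not OpenSSL code) of the dispatch described in the thread:
 * a NID-keyed registry of ENGINEs offering a pkey method, and a key that
 * carries a pointer to the ENGINE (token) it was loaded from. */
#define NID_RSA 6  /* constructed value; only used as a lookup key */

typedef struct { const char *name; int pkey_nid; } ENGINE;
typedef struct { int type; ENGINE *engine; } EVP_PKEY;

/* Two PKCS#11 engine instances, one per token (constructed sample data). */
static ENGINE token_a = { "pkcs11:token-A", NID_RSA };
static ENGINE token_b = { "pkcs11:token-B", NID_RSA };
static ENGINE *registry[] = { &token_a, &token_b };

/* Stands in for ENGINE_get_pkey_meth_engine(): first engine registered for nid. */
static ENGINE *engine_by_nid(int nid) {
    size_t i;
    for (i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i]->pkey_nid == nid)
            return registry[i];
    return NULL;
}

/* int_ctx_new() as reported in the thread: with e == NULL the ENGINE is
 * looked up by NID and pkey->engine is never consulted. */
static ENGINE *ctx_engine_as_reported(const EVP_PKEY *pkey, ENGINE *e) {
    return e ? e : engine_by_nid(pkey->type);
}

/* The branch the thread says is missing: prefer the key's own ENGINE. */
static ENGINE *ctx_engine_with_fix(const EVP_PKEY *pkey, ENGINE *e) {
    if (e == NULL && pkey->engine != NULL)
        e = pkey->engine;
    return e ? e : engine_by_nid(pkey->type);
}

/* Name of the ENGINE a signing context would use for a key living on token B.
 * mode 0: reported behaviour (NULL engine, lookup by NID -> first token wins)
 * mode 1: with the pkey->engine branch added
 * mode 2: caller passes the ENGINE explicitly when creating the context */
const char *signing_engine_name(int mode) {
    EVP_PKEY key_on_b = { NID_RSA, &token_b };
    ENGINE *e;
    if (mode == 0)      e = ctx_engine_as_reported(&key_on_b, NULL);
    else if (mode == 1) e = ctx_engine_with_fix(&key_on_b, NULL);
    else                e = ctx_engine_as_reported(&key_on_b, key_on_b.engine);
    return e ? e->name : "(none)";
}
```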
