On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
> On 12/10/15, 12:32 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote:
>
> >The reason for that is because the -engine option sets the ENGINE to use for
> >everything and the PKCS#11 ENGINE doesn't support that public key method.
>
> I'm afraid I don't understand. What good is a PKCS#11 engine if it doesn't
> support at least "sign" and "decrypt" methods?
>
It does provide a method but it's not of the type pkeyutl needs. There are two
separate levels of method in use: one is a higher level using the EVP_PKEY and
the other a lower level using RSA_METHOD. It is the latter which the engine (in
common with most others) uses.

Currently when you use the -engine argument to pkeyutl it tries to use the
EVP_PKEY method from the engine which doesn't exist. You want it to use OpenSSL
for the EVP_PKEY method which then gets redirected at a lower level using the
engine's RSA_METHOD.

> >What we need is a way to load the private key from an ENGINE but not attempt
> >to use that for the actual operations.
>
> Could you please clarify what you mean by "load the private key"?
>

I mean request an EVP_PKEY structure for the key from the engine: this does not
necessarily load physical key components. Typically it will store the handle of
the key in the structure and include a method which redirects operations
through the engine.

> >Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
> >in pkeyutl.c
>
> With your proposed (temporary) fix, the signature both generated and
> verified successfully (see below). Could I ask to push this fix to the
> master, and maybe/hopefully to 1_0_2 branch?
>

As I indicated the fix I suggested is temporary. Sometimes a user will want
that behaviour so we'd need a new command line option indicating the private
key engine only.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org