Hi,
The RSA_METHOD_FLAG_NO_CHECK and RSA_FLAG_EXT_PKEY seem to have similar
meanings. These are the definitions in header files:
# define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */
/*
* This flag means the private key operations will be handled by rsa_mod_exp
* and that they do not depend on the private key components being present:
* for example a key stored in external hardware. Without this flag
* bn_mod_exp gets called when private key components are absent.
*/
# define RSA_FLAG_EXT_PKEY 0x0020
In both cases, it implies that the private key may not be present, and the code
should not be checked against the public key.
The RSA_METHOD_FLAG_NO_CHECK is checked when setting certificates and private
keys. The RSA_FLAG_EXT_PKEY is checked when doing RSA private key operations
and determines whether rsa_mod_exp() or bn_mod_exp() is called.
So, my question is, should RSA_FLAG_EXT_PKEY (implying the external storage of
the private key) also be used when setting certificates/private keys? Does it
matter?
I’m really looking to start a discussion as to whether these flags have
identical or very-close-to-each-other meanings.
Also, should there be an ECC_FLAG_EXT_PKEY?
This is all in reference to https://github.com/openssl/openssl/pull/2243
Thanks,
--
-Todd Short
// [email protected]
// "One if by land, two if by sea, three if by the Internet."
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev