On Mon, Aug 28, 2017, Brett R. Nicholas wrote:

> > The rsa_mod_exp function is only called for private key operations. You can't
> > tell if it is a private encrypt or a private decrypt though but that
> > shouldn't matter because the operation performed at that level is the same for
> > both.
>
> Ah, I see. So to clarify (pls correct me if I'm wrong):
>
> * rsa_mod_exp() is the modular exponentiation function that openSSL will
>   attempt to use for all private key operations (if RSA_FLAG_EXT_PKEY is set,
>   or the private parameters of that method are non-null), before defaulting to
>   bn_mod_exp().
> * And bn_mod_exp() is the modular exponentiation function used by all
>   public key operations
>
> So in my case, I should set RSA_FLAG_EX_PKEY in my engine's RSA_METHOD
> struct, and then implement my own versions of rsa_mod_exp (for the private
> key encryption/decryption), and bn_mod_exp (for the public key
> encryption/decryption).

Yes.

Note also that if you set the public key components (n, e) you don't need to
perform the public key operations in your ENGINE if you keep the original
bn_mod_exp(): OpenSSL will do them for you.

If possible you should set the public key components anyway: some operations
such as generating certificate requests require them to be present.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
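
The split described in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a toy C model in which the private operation (the role of rsa_mod_exp()) runs on CRT key material held only by a simulated device, while the public operation (the role of bn_mod_exp()) needs nothing but n and e. The `model_*` names, the two structs and the textbook-sized key are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (textbook-sized, insecure): n = p*q, d = 2753. */
typedef struct { uint64_t n, e; } pub_key;                       /* set on the RSA object */
typedef struct { uint64_t p, q, dmp1, dmq1, iqmp; } device_key;  /* never leaves the device */

static const pub_key    PUB = { 3233, 17 };
static const device_key DEV = { 61, 53, 53, 49, 38 };

/* Role of bn_mod_exp(): generic r = a^e mod m by square-and-multiply.
 * With n and e present, the public side needs nothing else. */
uint64_t model_bn_mod_exp(uint64_t a, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    for (a %= m; e; e >>= 1) {
        if (e & 1) r = r * a % m;
        a = a * a % m;
    }
    return r;
}

/* Role of rsa_mod_exp(): r0 = I^d mod n, computed with the CRT parameters.
 * The same computation serves private encrypt (sign) and private decrypt. */
uint64_t model_rsa_mod_exp(uint64_t in, const device_key *k)
{
    uint64_t m1 = model_bn_mod_exp(in, k->dmp1, k->p);
    uint64_t m2 = model_bn_mod_exp(in, k->dmq1, k->q);
    uint64_t h  = k->iqmp * ((m1 + k->p - m2 % k->p) % k->p) % k->p;
    return m2 + h * k->q;
}

/* Returns 1 if every value below n survives both orderings of the two operations. */
int model_roundtrip_ok(void)
{
    for (uint64_t x = 0; x < PUB.n; x++) {
        if (model_bn_mod_exp(model_rsa_mod_exp(x, &DEV), PUB.e, PUB.n) != x) return 0;
        if (model_rsa_mod_exp(model_bn_mod_exp(x, PUB.e, PUB.n), &DEV) != x) return 0;
    }
    return 1;
}

int main(void)
{
    uint64_t sig = model_rsa_mod_exp(65, &DEV);   /* private op on the device */
    printf("sig=%llu verify=%llu roundtrip_ok=%d\n", (unsigned long long)sig,
           (unsigned long long)model_bn_mod_exp(sig, PUB.e, PUB.n), model_roundtrip_ok());
    return 0;
}
```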