On Sat, Mar 19, 2011, Strecker, Dean A. wrote:
> Steve,
>
> Thank you for your response for creating an elliptic curve key (EC_KEY).
> It worked well. I'm not sure what the difference is between
> EC_POINT_set_affine_coordinates_GFp and
> EC_POINT_set_affine_coordinates_GF2m. Time for some research.
>
> In the same vein of using an HSM for creating the elliptic key, I would
> like to use the HSM for signing data. In particular, I want to sign
> X509 certs. I have studied code for X509_sign. I think I can use
> ASN1_ITEM_rptr and ASN1_item_i2d to extract the certificate data to be
> signed by the HSM. I have not figured out how to save r and s from the
> HSM and set appropriate cert info (e.g., algorithm) for correctly signing
> the cert.
>
This needs to be done via an ENGINE. You currently can't redirect signing
calls for EC in all operations[*], but you can for RSA and DSA. You don't
mess around with ASN1_item or anything like that: the data to be signed is
sent to a callback and you send back the signed data.

Steve.

[*] It is possible through the EVP_PKEY API, which is used for signing
certificates, but it isn't currently used for SSL/TLS.

--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org