Salz, Rich wrote:
[SNIP]
I would like to request external applications to be able to change method -
see attached patch "0009-access-EC_KEY-method-property.patch".
Can you say how this would be used? Since the key method is opaque...
Yes, but a number of functions (see below) allow an implementation external to the OpenSSL cryptographic module:
$ grep EC_KEY_ME util/libeay.num
EC_KEY_METHOD_set_compute_key   5060  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_set_verify        5064  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_set_init          5065  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_get_init          5071  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_get_keygen        5072  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_free              5073  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_new               5074  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_set_sign          5076  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_set_keygen        5078  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_get_verify        5079  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_get_sign          5081  1_1_0  EXIST::FUNCTION:EC
EC_KEY_METHOD_get_compute_key   5082  1_1_0  EXIST::FUNCTION:EC
I have a working prototype that uses ..._new, ..._init, ..._sign and ..._verify.
A cryptographic module (engine) could register a method as default. In general, an engine that uses externally stored keys should refuse to register its methods as default.
Let the engine's load method use d2i_PUBKEY to decode an "external" DER-encoded public key.
The result is an EVP_PKEY holding a (public) KEY with the default method.
1) If the default method matches the engine method, then the application could register (associate) extra data with the key and finish loading.
2) If the methods differ, then the application:
   a) could create a new key with FOO_new_method(ENGINE),
      duplicate the public part into the "new key",
      and associate the "new key" with the EVP_PKEY via EVP_PKEY_set1_FOO;
   b) could change the key method,
      and must associate the engine with the key.
After the above it may register (associate) extra data with the key and finally finish loading.
The proposed patch adds EC_KEY_get_method, which could be used in 1). It seems to me this is the required part.
Under question is EC_KEY_set_method.
If a) is recommended, then EC_KEY_set_method is useless and I could drop it from the patch.
If b) is acceptable, then in addition to EC_KEY_set_method the API must support setting the engine method for opaque keys.
a) requires more memory, i.e. code to transfer (recreate) the public key with the engine.
b) is simple. For instance, for RSA keys we could write:
    RSA_set_method(pkey_rsa, meth);   /* switch the key to the engine's method */
    pkey_rsa->engine = eng;           /* associate the engine with the key */
    ENGINE_up_ref(eng);               /* the key now holds its own reference */
Let me know how to proceed with this request.
Roumen Petrov
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev