Re: [openssl-users] Implementing ECDSA in an engine
On Fri, Jun 26, 2015, Reinier Torenbeek wrote: > > The mechanism for implementing ECDSA in my own engine is unclear to me. > Unfortunately, none of the example engines implement ECDSA so it is hard > for me to find answers. > > Invoking ENGINE_set_ECDSA() does not seem to be sufficient: my setup, > sign and verify methods never get invoked. > There are two separate ways you can implement a public key algorithm in an ENGINE. The first is a default method which is then used for every single operation. This is most suited to cryptographic accelerators. The second is a key specific method which is utilised for some (and maybe not all) operations on one key. This would be most suited for a smart card for example where signing might be performed by the card but verification performed by OpenSSL itself. The second form isn't well supported for ECDSA at present though you can sort of get that functionality using the first technique. That will be fixed at some point most likely in the master branch for OpenSSL 1.1.0. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] S/MIME Mails signed with SHA256 certificate and/or SHA256 Hash
Hello, has anybody got a reliable source or knowledge about which mail clients - especially which Thunderbird release - should be capable of verifying such mails correctly? this openssl smime -verify -CAfile trusted.crt -in mail.eml successfully verifies such an e-Mail; Thanks, Walter -- Best regards, Ing. Walter Höhlhubmer smime.p7s Description: S/MIME Cryptographic Signature ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Implementing ECDSA in an engine
Hello Reinier, No, I do not. And may be for your purposes you can use this or that ECDSA_METHOD setting it into the EC_KEY struct. On Fri, Jun 26, 2015 at 9:09 PM, Reinier Torenbeek < reinier.torenb...@gmail.com> wrote: > Hi Dmitry, > > Thanks for the response. I suppose I have to do the same thing as well > then. > > I wonder why the ECDSA_METHOD structure and the associated mechanism to > insert it into an engine is so much different from the DSA_METHOD struct. > The latter seems more straightforward to use and does not require the whole > custom PKEY to be set up. Do you know? > > Best regards, > Reinier > > > On 6/26/15 12:51 PM, Dmitry Belyavsky wrote: > > Hello Reinier, > > On Fri, Jun 26, 2015 at 7:47 PM, Reinier Torenbeek < > reinier.torenb...@gmail.com> wrote: > >> Hi, >> >> The mechanism for implementing ECDSA in my own engine is unclear to me. >> Unfortunately, none of the example engines implement ECDSA so it is hard >> for me to find answers. >> >> Invoking ENGINE_set_ECDSA() does not seem to be sufficient: my setup, >> sign and verify methods never get invoked. Stepping through the openssl >> code, it looks like I also need to register my own EVP_PKEY_EC method. >> That looks pretty complicated and I do not understand why that is >> required in the first place if I only want to replace the ECDSA signing >> and verification methods. >> >> Can someone confirm that registering my own EVP_PKEY_EC method is indeed >> the approach I have to take, or is there a shorter path to achieve my >> goal? >> > > I did not find a way shorter then provide own EVP_PKEY_METHOD. But it > works for me this way. > > -- > SY, Dmitry Belyavsky > > > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- SY, Dmitry Belyavsky ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Implementing ECDSA in an engine
Hi Dmitry, Thanks for the response. I suppose I have to do the same thing as well then. I wonder why the ECDSA_METHOD structure and the associated mechanism to insert it into an engine is so much different from the DSA_METHOD struct. The latter seems more straightforward to use and does not require the whole custom PKEY to be set up. Do you know? Best regards, Reinier On 6/26/15 12:51 PM, Dmitry Belyavsky wrote: > Hello Reinier, > > On Fri, Jun 26, 2015 at 7:47 PM, Reinier Torenbeek > mailto:reinier.torenb...@gmail.com>> wrote: > > Hi, > > The mechanism for implementing ECDSA in my own engine is unclear > to me. > Unfortunately, none of the example engines implement ECDSA so it > is hard > for me to find answers. > > Invoking ENGINE_set_ECDSA() does not seem to be sufficient: my setup, > sign and verify methods never get invoked. Stepping through the > openssl > code, it looks like I also need to register my own EVP_PKEY_EC method. > That looks pretty complicated and I do not understand why that is > required in the first place if I only want to replace the ECDSA > signing > and verification methods. > > Can someone confirm that registering my own EVP_PKEY_EC method is > indeed > the approach I have to take, or is there a shorter path to achieve > my goal? > > > I did not find a way shorter then provide own EVP_PKEY_METHOD. But it > works for me this way. > > -- > SY, Dmitry Belyavsky > > > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Implementing ECDSA in an engine
Hello Reinier, On Fri, Jun 26, 2015 at 7:47 PM, Reinier Torenbeek < reinier.torenb...@gmail.com> wrote: > Hi, > > The mechanism for implementing ECDSA in my own engine is unclear to me. > Unfortunately, none of the example engines implement ECDSA so it is hard > for me to find answers. > > Invoking ENGINE_set_ECDSA() does not seem to be sufficient: my setup, > sign and verify methods never get invoked. Stepping through the openssl > code, it looks like I also need to register my own EVP_PKEY_EC method. > That looks pretty complicated and I do not understand why that is > required in the first place if I only want to replace the ECDSA signing > and verification methods. > > Can someone confirm that registering my own EVP_PKEY_EC method is indeed > the approach I have to take, or is there a shorter path to achieve my goal? > I did not find a way shorter then provide own EVP_PKEY_METHOD. But it works for me this way. -- SY, Dmitry Belyavsky ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Implementing ECDSA in an engine
Hi, The mechanism for implementing ECDSA in my own engine is unclear to me. Unfortunately, none of the example engines implement ECDSA so it is hard for me to find answers. Invoking ENGINE_set_ECDSA() does not seem to be sufficient: my setup, sign and verify methods never get invoked. Stepping through the openssl code, it looks like I also need to register my own EVP_PKEY_EC method. That looks pretty complicated and I do not understand why that is required in the first place if I only want to replace the ECDSA signing and verification methods. Can someone confirm that registering my own EVP_PKEY_EC method is indeed the approach I have to take, or is there a shorter path to achieve my goal? Is this the right list to ask questions about engine implementations? Or would using openssl-dev be more appropriate? Thanks, Reinier ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Call for FIPS 140-2 stakeholders
I'm not currently interested in the given platforms, and while I really hope to never be interested again, I can't rule it out. It'd be nice to be able to follow the discussions, without necessarily contributing. But I also understand I if those involved don't want to include those in my position, since I can just read your updates, and accept them without knowing all the reasons behind it. :) I'm ok either way. TOM -- Preserve wildlife -- pickle a squirrel! > On Jun 22, 2015, at 11:27 AM, Steve Marquess wrote: > > If you don't know or care about FIPS 140-2 then count yourself very > lucky and move on. > > In the same spirit of collaboration that underlies all of the open > source based OpenSSL FIPS Object Module validations, of which the #1747 > validation is the latest, some of the stakeholders impacted by the > recent "hostage" issue[*] are discussing possible responses among > themselves. I have been told they would like to reach out to other > "interested impacted customers". We know who some of these are, but > there will be many more users of the #1747 validation on those platforms > we don't know about. > > If you are a such a stakeholder and would like to participate in those > discussions please let me know (contact info below) and I'll make the > appropriate introductions. > > -Steve M. > > [*] see http://openssl.com/fips/aftermath.html > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marqu...@opensslfoundation.com > marqu...@openssl.com > gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] New FIPS 140-2 "SE" Validation Approved
If you don't know or care what FIPS 140-2 is, a hysterical giggle of pure delight and whoop of relief before moving on is fully justified. The "SE" (Salavge Edition) validation has been approved: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398 This actually appeared on the evening of the 24th or morning of the 25th, but then disappeared for several hours, and had a broken link to the Security Policy for a few hours after that. So I waited a day before concluding it was here to stay. The SE validation is one of the two "1A SUB" validations intended to "ransom"[*] the "hostage"[**] platforms in the #1747 validation. The other RE validation has not yet been approved, although it differs from the SE one by exactly six characters and was submitted at the same time. With the "execution" of the "hostages" anyway[***] these two new validations may be superfluous. We're not entirely sure and are trying to figure out what the bureaucracy will and won't do with new "change letter" updates. We've submitted a change letter update for revision 2.0.10 against both the #1747 and #2398 validations, so time will tell. The four presumed clerical errors in the list of #1747 survivors (the "Big Blob o' Text) have still not been corrected after 11 days, nor do we have any indication that they are not accidental typos. I'm still assuming clerical error, but we won't know for sure until we get some sort of response. -Steve M. [*] http://openssl.com/fips/ransom.html [**] http://openssl.com/fips/hostage.html [***] http://openssl.com/fips/aftermath.html -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
