Dynamically adding a NID

Dynamically adding a NID

Nicola Tuveri
Hi,

I'm working on ENGINE development, and I have the need to add an NID for a custom message digest, and eventually for ciphers and PKEY methods.
Some of the associated objects don't (and won't ever) have an associated OID, but I need to add them dynamically to avoid requiring patches to the upstream OpenSSL code before being able to use my engine.

I'm currently (ab)using OBJ_create() [0], but it looks like it requires specifying a valid OID.
I know it is possible to have NIDs associated with objects without an OID (e.g. NID_siphash) when they are statically defined in the OpenSSL source code, but I cannot find a way to declare similar objects without an OID dynamically.

Before 1.1.0, when structures weren't opaque, I could manipulate the contents of the created object directly and somehow work around this limitation, but in 1.1.0 this is not possible.

Does anyone know of the right way to dynamically create an NID associated with an object without OID?

Thanks.

Nicola



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Dynamically adding a NID

OpenSSL - Dev mailing list

You can get an OID arc of your own for free. And then you can use real OIDs which you just "throw away".

See https://en.wikipedia.org/wiki/Private_Enterprise_Number


Re: Dynamically adding a NID

Dr. Stephen Henson
In reply to this post by Nicola Tuveri
On Mon, Jun 26, 2017, Nicola Tuveri wrote:

> Hi,
>
> I'm working on ENGINE development, and I have the need to add an NID for a
> custom message digest, and eventually for ciphers and PKEY methods.
> Some of the associated object don't (and won't ever) have an associated
> OID, but I need to add them dynamically to avoid requiring patches to the
> upstream OpenSSL code before being able to use my engine.
>
> I'm currently (ab)using OBJ_create() [0], but it looks like it requires to
> specify a valid OID.
> I know it is possible to have NIDs associated with objects without OID
> (e.g. NID_siphash) when they are statically defined in OpenSSL source code,
> but I cannot find a way to declare similar objects without OID dynamically.
>
> Before 1.1.0, when structures weren't opaque, I could manipulate the
> contents of the created object directly and somehow work around this
> limitation, but in 1.1.0 this is not possible.
>
> Does anyone know of the right way to dynamically create an NID associated
> with an object without OID?
>

What do you want to do with the NID? Does it need to have a valid short name
and/or long name associated with it (so OBJ_sn2nid etc work) but no valid OID
or do you just need a NID value?

You're right that currently OBJ_create() needs a valid OID passed to it: you
can't pass a NULL to create an "OIDless NID" as you can by editing
objects.txt.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Dynamically adding a NID

Nicola Tuveri
> What do you want to do with the NID? Does it need to have a valid short name
> and/or long name associated with it (so OBJ_sn2nid etc work) but no valid OID
> or do you just need a NID value?
>
> You're right that currently OBJ_create() needs a valid OID passed to it: you
> can't pass a NULL to create an "OIDless NID" as you can by editing
> objects.txt.


Yes, that is exactly what I'm trying to achieve, an "OIDless OBJ", with NID, shortname and long name associated, but I would need to do that without editing objects.txt (requiring patching and recompilation for anyone willing to use my engine).

I tried using OBJ_create() with NULL or an empty string for the OID, but currently it checks that the given OID is actually a valid one. Is there any workaround to avoid this other than issuing my own OID?


Thanks,

Nicola Tuveri

Re: Dynamically adding a NID

OpenSSL - Dev mailing list
> I tried using OBJ_create() with NULL or an empty string for the OID, but currently it checks that the given OID is actually a valid one. Is there any workaround to avoid this other than issuing my own OID?

No.  Just get an OID ARC, such as from the IETF Enterprise MIB [it's free] and throw it away.
Re: Dynamically adding a NID

Dr. Stephen Henson
On Sun, Jul 02, 2017, Salz, Rich via openssl-dev wrote:

> > I tried using OBJ_create() with NULL or an empty string for the OID, but currently it checks that the given OID is actually a valid one. Is there any workaround to avoid this other than issuing my own OID?
>
> No.  Just get an OID ARC, such as from the IETF Enterprise MIB [it's free] and throw it away.

If you create object without an OID it stops it being encoded or decoded as an
ASN1_OBJECT: this is sometimes useful. Unfortunately there is currently no way
to do this with OBJ_create().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
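The two practical points of the thread, as an added example in C that is not OpenSSL code and does not link libcrypto: what "a valid OID" means to the check OBJ_create() performs before it hands out a NID (the dotted string has to parse and DER-encode as an OBJECT IDENTIFIER, which is also why an object created without one can never be encoded or decoded as an ASN1_OBJECT), and what a throw-away OID under an IANA Private Enterprise Number arc (1.3.6.1.4.1.<PEN>) looks like on the wire. The encoder below is my own reimplementation of the X.690 rules, not the OpenSSL function; the PEN 99999 is a placeholder, not an assigned number. The dotted string it produces is what you would pass as the first argument to OBJ_create(oid, sn, ln), checking the return value against NID_undef.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSL code. Dotted-decimal OID -> DER content
 * octets, applying the rules a dotted OID must satisfy to be encodable:
 * non-empty, at least two arcs, decimal arcs separated by single dots,
 * first arc 0..2, second arc < 40 unless the first arc is 2. The first
 * two arcs share one base-128 sub-identifier (40 * first + second). */

/* Base-128 encode one sub-identifier, high-order group first, with the
 * continuation bit on every group but the last. Returns bytes written
 * or -1 if out is too small. */
static int encode_subid(uint64_t v, unsigned char *out, size_t outlen)
{
    unsigned char tmp[10];
    int n = 0;

    do {
        tmp[n++] = (unsigned char)(v & 0x7f);
        v >>= 7;
    } while (v != 0);

    if ((size_t)n > outlen)
        return -1;
    for (int i = 0; i < n; i++)
        out[i] = (unsigned char)(tmp[n - 1 - i] | (i < n - 1 ? 0x80 : 0));
    return n;
}

/* Encode the content octets (what follows the 0x06 tag and the length).
 * Returns the content length, or -1 if the string is not a valid OID. */
int oid_to_der_content(const char *dotted, unsigned char *out, size_t outlen)
{
    const char *p = dotted;
    uint64_t first = 0;
    size_t pos = 0;
    int arcs = 0, n;

    if (dotted == NULL || *dotted == '\0')
        return -1;                      /* NULL / "" : nothing to encode */

    for (;;) {
        char *end;
        unsigned long v;

        if (*p < '0' || *p > '9')
            return -1;                  /* empty arc, sign or junk */
        v = strtoul(p, &end, 10);
        if (v > UINT32_MAX)
            return -1;

        if (arcs == 0) {
            if (v > 2)
                return -1;              /* root arcs are 0, 1, 2 only */
            first = v;
        } else {
            uint64_t sub = (arcs == 1) ? first * 40 + v : v;
            if (arcs == 1 && first < 2 && v >= 40)
                return -1;              /* second arc out of range */
            if ((n = encode_subid(sub, out + pos, outlen - pos)) < 0)
                return -1;
            pos += (size_t)n;
        }
        arcs++;

        p = end;
        if (*p == '\0')
            break;
        if (*p != '.')
            return -1;
        p++;
    }
    return arcs >= 2 ? (int)pos : -1;
}

/* Wrappers for inspecting a string without managing a buffer:
 * content length (or -1) and the i-th content byte (or -1). */
int oid_content_length(const char *dotted)
{
    unsigned char buf[64];
    return oid_to_der_content(dotted, buf, sizeof buf);
}

int oid_content_byte(const char *dotted, size_t i)
{
    unsigned char buf[64];
    int n = oid_to_der_content(dotted, buf, sizeof buf);
    return (n < 0 || i >= (size_t)n) ? -1 : buf[i];
}

/* Build a throw-away OID under the PEN arc 1.3.6.1.4.1.<pen>, as the
 * thread suggests. Returns the string length, or -1 if buf is too small. */
int private_arc_oid(unsigned pen, unsigned n, char *buf, size_t buflen)
{
    int len = snprintf(buf, buflen, "1.3.6.1.4.1.%u.%u", pen, n);
    return (len > 0 && (size_t)len < buflen) ? len : -1;
}

int main(void)
{
    char oid[64];                       /* 99999 is a placeholder PEN */
    unsigned char der[64];
    int n;

    private_arc_oid(99999, 1, oid, sizeof oid);
    n = oid_to_der_content(oid, der, sizeof der);
    printf("%s -> %d content bytes:", oid, n);
    for (int i = 0; i < n; i++)
        printf(" %02X", der[i]);
    printf("\n\"\" rejected: %s\n", oid_content_length("") < 0 ? "yes" : "no");
    return 0;
}
```

The rejected cases in the test (empty string, a single arc, a second arc of 40 under root 1, a root arc of 3) are exactly the inputs for which no DER encoding exists, which is what Steve's remark about OID-less objects being unencodable comes down to; the PEN-based string passes, so OBJ_create() would accept it and any NID it returns can round-trip through OBJ_nid2obj() and i2d/d2i like a built-in one.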