How to swap engines / register functionality on the fly

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

How to swap engines / register functionality on the fly

axisofevil
I would like to use default implementations for some ECC operations but the OpenSC pkcs11 engine for other ECDSA operations.

At a high level I have a Sign() & a Verify() in one app on a server - the Sign() needs to be done via a HSM using PKCS11 interface, using EVP functions. Keys for these operations differ.

For system design reasons I want to do Verify() using default implementations, no HSM involved. This Verify currently uses  EC_KEY_new() and ECDSA_do_verify(). Even if I wanted HSM to do this I was getting some fips errors despite turning off fips.

My thinking was to  register the pkcs11 ECDSA functionality JUST  before the Sign():
if ( 1 != ( rc = ENGINE_register_ECDSA(HSM_ENGINE_pkcs11())))
then just after
ENGINE_unregister_ECDSA(HSM_ENGINE_pkcs11());

This is getting to the fringe of my understanding; any guidance is much appreciated.


Reply | Threaded
Open this post in threaded view
|

Re: How to swap engines / register functionality on the fly

Dr. Stephen Henson
On Thu, Mar 27, 2014, axisofevil wrote:

> I would like to use default implementations for some ECC operations but the
> OpenSC pkcs11 engine for other ECDSA operations.
>
> At a high level I have a Sign() & a Verify() in one app on a server - the
> Sign() needs to be done via a HSM using PKCS11 interface, using EVP
> functions. Keys for these operations differ.
>
> For system design reasons I want to do Verify() using default
> implementations, no HSM involved. This Verify currently uses  EC_KEY_new()
> and ECDSA_do_verify(). Even if I /wanted/ HSM to do this I was getting some
> fips errors despite turning off fips.
>
> My thinking was to  register the pkcs11 ECDSA functionality JUST  before the
> Sign():
> if ( 1 != ( rc = ENGINE_register_ECDSA(HSM_ENGINE_pkcs11())))
> then just after
> ENGINE_unregister_ECDSA(HSM_ENGINE_pkcs11());
>
> This is getting to the fringe of my understanding; any guidance is much
> appreciated.
>

If the ENGINE only needs to support HSM private keys then you shouldn't
register any methods at all. Calling ENGINGE_load_private_key should get
you the appropriate EVP_PKEY structure internally set to redirect operations
as appropriate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: How to swap engines / register functionality on the fly

axisofevil
Makes sense, thanks. However, at EVP_DigestSignFinal(mdctx, sig_der, &sig_len)

I get
rc: 0 error:2606C043:engine routines:ENGINE_FREE_UTIL:passed a null parameter

( I had had this before ). Parms for EVP_DigestSignFinal seem OK.
Reply | Threaded
Open this post in threaded view
|

Re: How to swap engines / register functionality on the fly

axisofevil
Well , now this one:

HSM_Sign EVP_DigestSignFinal FAIL rc: 0 error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library.

However I have a separate test app that does not exhibit this [ the test app just does one signing, using HSM ].
Reply | Threaded
Open this post in threaded view
|

Re: How to swap engines / register functionality on the fly

axisofevil
I call a EVP-based verify function (that works), I then call a HSM/dynamic/OpenSC/pkcs11-based sign function ( works too ) , but then a second call to my verify functions complains with

ecc_ssl_gen_EC_KEY EC_KEY_generate_key FAIL error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure

I'm concluding something in the sign() is causing this but have no clue. I do set fips off too.

openssl version -> OpenSSL 1.0.1e-fips 11 Feb 2013