Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Jakob Bohm-7
On 17/02/2017 15:25, Stephan Mühlstrasser wrote:
> Hi,
>
> we use OpenSSL 1.0.2 together with PKCS#11 tokens by plugging methods
> into the RSA_METHOD structure that interface with the PKCS#11 token,
> and this works fine so far. However, for creating RSA signatures with
> PSS padding this strategy doesn't work anymore, because OpenSSL wants
> to directly encrypt with the private key in this case, which is not
> possible in PKCS#11.
>
I believe some PKCS#11 tokens can do this by using CKM_RSA_X_509

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser
Am 17.02.17 um 16:09 schrieb Jakob Bohm:

> On 17/02/2017 15:25, Stephan Mühlstrasser wrote:
>> Hi,
>>
>> we use OpenSSL 1.0.2 together with PKCS#11 tokens by plugging methods
>> into the RSA_METHOD structure that interface with the PKCS#11 token,
>> and this works fine so far. However, for creating RSA signatures with
>> PSS padding this strategy doesn't work anymore, because OpenSSL wants
>> to directly encrypt with the private key in this case, which is not
>> possible in PKCS#11.
>>
> I believe some PKCS#11 tokens can do this by using CKM_RSA_X_509

How could that work? If I understand the PKCS#11 specification correctly
it is not possible in principle to use private keys for encryption via
the C_EncryptInit() and C_Encrypt() functions, for the following reasons:

1) Private keys are not allowed to have the CKA_ENCRYPT attribute (see
"Table 30, Common Private Key Attributes" in the PKCS#11 specification,
which does not list the CKA_ENCRYPT attribute).

2) For the C_EncryptInit() to succeed the key must have the attribute
CKA_ENCRYPT=true.

 From the PKCS#11 documentation of C_EncryptInit():

"The CKA_ENCRYPT attribute of the encryption key, which indicates
whether the key supports encryption, must be CK_TRUE."

--
Stephan

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Jakob Bohm-7
On 17/02/2017 16:21, Stephan Mühlstrasser wrote:

> Am 17.02.17 um 16:09 schrieb Jakob Bohm:
>> On 17/02/2017 15:25, Stephan Mühlstrasser wrote:
>>> Hi,
>>>
>>> we use OpenSSL 1.0.2 together with PKCS#11 tokens by plugging methods
>>> into the RSA_METHOD structure that interface with the PKCS#11 token,
>>> and this works fine so far. However, for creating RSA signatures with
>>> PSS padding this strategy doesn't work anymore, because OpenSSL wants
>>> to directly encrypt with the private key in this case, which is not
>>> possible in PKCS#11.
>>>
>> I believe some PKCS#11 tokens can do this by using CKM_RSA_X_509
>
> How could that work? If I understand the PKCS#11 specification
> correctly it is not possible in principle to use private keys for
> encryption via the C_EncryptInit() and C_Encrypt() functions, for the
> following reasons:
>
> 1) Private keys are not allowed to have the CKA_ENCRYPT attribute (see
> "Table 30, Common Private Key Attributes" in the PKCS#11
> specification, which does not list the CKA_ENCRYPT attribute).
>
> 2) For the C_EncryptInit() to succeed the key must have the attribute
> CKA_ENCRYPT=true.
>
> From the PKCS#11 documentation of C_EncryptInit():
>
> "The CKA_ENCRYPT attribute of the encryption key, which indicates
> whether the key supports encryption, must be CK_TRUE."
>
Some token keys on some tokens (think e-mail decryption private keys or
TLS server private keys) intentionally support decryption of a wrapped
symmetric key via PKCS#11 mechanisms such as the one from PKCS1v1.5 or OAEP.

The precise set of such public key operations available is given by the set
of "mechanisms" enumerated by the pkcs11 driver for the individual token.

One of the defined mechanisms (the one confusingly named "X509") appears to
actually be the raw RSA operation, thus allowing it to be repurposed to
implement any RSA scheme (such as PSS, or SHA-256 signatures) that might
be missing on the token iteself.  But this obviously only works for those
tokens that allow this, which varies by token model, token configuration
and PKCS11-driver version.

This obviously isn't possible for all tokens, and thus in general doesn't
solve your original problem for those tokens that support PSS signatures
natively, but not the raw RSA operation.  But it can be helpful for those
tokens that do support the raw RSA operation and expose this ability
through
their PKCS#11 drivers.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser
Jakob,

Am 17.02.17 um 18:43 schrieb Jakob Bohm:

>> ...
> Some token keys on some tokens (think e-mail decryption private keys or
> TLS server private keys) intentionally support decryption of a wrapped
> symmetric key via PKCS#11 mechanisms such as the one from PKCS1v1.5 or
> OAEP.
>
> The precise set of such public key operations available is given by the set
> of "mechanisms" enumerated by the pkcs11 driver for the individual token.
>
> One of the defined mechanisms (the one confusingly named "X509") appears to
> actually be the raw RSA operation, thus allowing it to be repurposed to
> implement any RSA scheme (such as PSS, or SHA-256 signatures) that might
> be missing on the token iteself.  But this obviously only works for those
> tokens that allow this, which varies by token model, token configuration
> and PKCS11-driver version.
>
> This obviously isn't possible for all tokens, and thus in general doesn't
> solve your original problem for those tokens that support PSS signatures
> natively, but not the raw RSA operation.  But it can be helpful for those
> tokens that do support the raw RSA operation and expose this ability
> through
> their PKCS#11 drivers.

thank you for the explanation about the CKM_RSA_X_509 mechanism. I was
not aware of its meaning, and I will study it in more detail. The tokens
that I have access to do provide this mechanism, so I can experiment
with it.

Regarding my original question, does anybody have comments whether and
if so how it is possible to override methods in a EVP_PKEY_METHOD structure?

Thank you.

--
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Dr. Stephen Henson
In reply to this post by Jakob Bohm-7
On Fri, Feb 17, 2017, Stephan M?hlstrasser wrote:

> Hi,
>
> we use OpenSSL 1.0.2 together with PKCS#11 tokens by plugging
> methods into the RSA_METHOD structure that interface with the
> PKCS#11 token, and this works fine so far. However, for creating RSA
> signatures with PSS padding this strategy doesn't work anymore,
> because OpenSSL wants to directly encrypt with the private key in
> this case, which is not possible in PKCS#11.
>
> Therefore my idea is to override the function pkey_rsa_sign() and
> plug a wrapper around it into the EVP_PKEY_METHOD structure that is
> associated with the EVP_PKEY_CTX to handle this special situation.
>
> The header evp.h declares the following functions among others:
>
> EVP_PKEY_METHOD* EVP_PKEY_meth_new(int id, int flags);
> void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
>
> void EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *pmeth,
> int (*sign_init)(EVP_PKEY_CTX *ctx),
> int (*sign)(EVP_PKEY_CTX *ctx, unsigned char *sig,
>             size_t *siglen, const unsigned char *tbs, size_t tbslen));
>
> But I can't figure out how to use these functions to achieve what I
> want, because the following pieces seem to be missing:
>
> - Retrieve the EVP_PKEY_METHOD pointer from a EVP_PKEY_CTX pointer
> - Set the EVP_PKEY_METHOD pointer for a EVP_PKEY_CTX pointer
> - Retrieve the existing "sign_init" and "sign" function pointers
> from an initialized EVP_PKEY_METHOD pointer for being able to wrap
> them
>
> Is it possible to override methods in an EVP_PKEY_METHOD structure,
> or would it be necessary to implement a whole OpenSSL engine to do
> what I want?
>

It should be possible yes, though AFAIK no one has yet tried to do this so
there may be some pieces missing.

In outline you'd retrieve the appropriate EVP_PKEY_METHOD for the algorithm of
interest, make a copy of it and then set the operation you wish to override,
you can also retrieve the original operation in case you sometimes wish to
call that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser
Steve,

Am 25.02.17 um 05:53 schrieb Dr. Stephen Henson:

> On Fri, Feb 17, 2017, Stephan M?hlstrasser wrote:
> ...
>> Is it possible to override methods in an EVP_PKEY_METHOD structure,
>> or would it be necessary to implement a whole OpenSSL engine to do
>> what I want?
>>
>
> It should be possible yes, though AFAIK no one has yet tried to do this so
> there may be some pieces missing.
>
> In outline you'd retrieve the appropriate EVP_PKEY_METHOD for the algorithm of
> interest, make a copy of it and then set the operation you wish to override,
> you can also retrieve the original operation in case you sometimes wish to
> call that.

thanks for confirming that this should be possible in principle.

I guess my problem was that I thought one must retrieve the
EVP_PKEY_METHOD from the EVP_PKEY_CTX pointer. As you are saying it must
be retrieved for the algorithm, I think I understood now that it must be
fetched via EVP_PKEY_meth_find().

Is the following sketch roughly appropriate?

int my_sign_init_function(EVP_PKEY_CTX *ctx);
int my_sign_function(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t
*siglen, const unsigned char *tbs, size_t tbslen);

const EVP_PKEY_METHOD *rsa_meth = EVP_PKEY_meth_find(EVP_PKEY_RSA);
EVP_PKEY_METHOD *new_rsa_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0);
EVP_PKEY_meth_copy(new_rsa_meth, rsa_meth);
EVP_PKEY_meth_set_sign(new_rsa_meth, my_sign_init_function,
my_sign_function);
EVP_PKEY_meth_add0(new_rsa_meth);

What is still unclear to me is how to retrieve the original function
pointers from the EVP_PKEY_METHOD. EVP_PKEY_METHOD is an opaque
structure, and I could not find a getter counterpart for
EVP_PKEY_meth_set_sign().

How is it supposed to be possible to retrieve the original operations
from an EVP_PKEY_METHOD pointer?

Thanks.

--
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Dr. Stephen Henson
On Mon, Feb 27, 2017, Stephan M?hlstrasser wrote:

> Steve,
>
> Am 25.02.17 um 05:53 schrieb Dr. Stephen Henson:
> >On Fri, Feb 17, 2017, Stephan M?hlstrasser wrote:
> >...
> >>Is it possible to override methods in an EVP_PKEY_METHOD structure,
> >>or would it be necessary to implement a whole OpenSSL engine to do
> >>what I want?
> >>
> >
> >It should be possible yes, though AFAIK no one has yet tried to do this so
> >there may be some pieces missing.
> >
> >In outline you'd retrieve the appropriate EVP_PKEY_METHOD for the algorithm of
> >interest, make a copy of it and then set the operation you wish to override,
> >you can also retrieve the original operation in case you sometimes wish to
> >call that.
>
> thanks for confirming that this should be possible in principle.
>
> I guess my problem was that I thought one must retrieve the
> EVP_PKEY_METHOD from the EVP_PKEY_CTX pointer. As you are saying it
> must be retrieved for the algorithm, I think I understood now that
> it must be fetched via EVP_PKEY_meth_find().
>
> Is the following sketch roughly appropriate?
>
> int my_sign_init_function(EVP_PKEY_CTX *ctx);
> int my_sign_function(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t
> *siglen, const unsigned char *tbs, size_t tbslen);
>
> const EVP_PKEY_METHOD *rsa_meth = EVP_PKEY_meth_find(EVP_PKEY_RSA);
> EVP_PKEY_METHOD *new_rsa_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0);
> EVP_PKEY_meth_copy(new_rsa_meth, rsa_meth);
> EVP_PKEY_meth_set_sign(new_rsa_meth, my_sign_init_function,
> my_sign_function);
> EVP_PKEY_meth_add0(new_rsa_meth);
>
> What is still unclear to me is how to retrieve the original function
> pointers from the EVP_PKEY_METHOD. EVP_PKEY_METHOD is an opaque
> structure, and I could not find a getter counterpart for
> EVP_PKEY_meth_set_sign().
>
> How is it supposed to be possible to retrieve the original
> operations from an EVP_PKEY_METHOD pointer?
>

Ah I see you're using OpenSSL 1.0.2. There isn't a way to get the existing
function pointers in 1.0.2, the "getter" functions are only in 1.1.0.

There shouldn't be any need to add the method to the list: it should be
possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
or implemented in an ENGINE). I say *should* because there doesn't seem to be
currently a way to do that without changing EVP_PKEY internal fields (which
isn't possible in 1.1.0 anyway).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser
Am 27.02.17 um 15:34 schrieb Dr. Stephen Henson:
> On Mon, Feb 27, 2017, Stephan M?hlstrasser wrote:

>> How is it supposed to be possible to retrieve the original
>> operations from an EVP_PKEY_METHOD pointer?
>>
>
> Ah I see you're using OpenSSL 1.0.2. There isn't a way to get the existing
> function pointers in 1.0.2, the "getter" functions are only in 1.1.0.

Ok, I looked at the evp.h header in the 1.1.0 branch, and there I can
see the getter functions. So I understand that I would have to backport
those getter functions to the 1.0.2 branch in my repository if I wanted
to use them with 1.0.2.

> There shouldn't be any need to add the method to the list: it should be
> possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
> or implemented in an ENGINE). I say *should* because there doesn't seem to be
> currently a way to do that without changing EVP_PKEY internal fields (which
> isn't possible in 1.1.0 anyway).

I'm sorry, I don't get what you are trying to tell me in the above
paragraph. Are you talking about an alternative way to set up the
methods in the EVP_PKEY_METHOD structure?

--
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Dr. Stephen Henson
On Mon, Feb 27, 2017, Stephan M?hlstrasser wrote:

> Am 27.02.17 um 15:34 schrieb Dr. Stephen Henson:
>
> >There shouldn't be any need to add the method to the list: it should be
> >possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
> >or implemented in an ENGINE). I say *should* because there doesn't seem to be
> >currently a way to do that without changing EVP_PKEY internal fields (which
> >isn't possible in 1.1.0 anyway).
>
> I'm sorry, I don't get what you are trying to tell me in the above
> paragraph. Are you talking about an alternative way to set up the
> methods in the EVP_PKEY_METHOD structure?
>

Well this is by analogy with how the other algorithm specific methods work.

With RSA_METHOD et al there are two ways to provide your own mechanisms for
operations.

If it's a general purpose mechanism (e.g. a crypto accelerator) which should
perform all RSA operations you can provide the default method.

If you want to only affect certain keys (e.g. those tied to a specific HSM)
you *can* do this via the default method and just check each key as it goes
through (e.g. some ex_data attached to it) and only handle those of interest
passing the rest to the default operation.

There is an alternative way. You create a custom method and set that as the
key's internal method. Then any existing keys use the default method as usual
but the keys you care about go through the custom method.

For EVP_PKEY_METHOD you can provide the default implementation for an
algorithm but unfortunately there is no way to provide a key specific method
which is transparently used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

Stephan Mühlstrasser
Am 27.02.17 um 16:33 schrieb Dr. Stephen Henson:

> On Mon, Feb 27, 2017, Stephan M?hlstrasser wrote:
>
>> Am 27.02.17 um 15:34 schrieb Dr. Stephen Henson:
>>
>>> There shouldn't be any need to add the method to the list: it should be
>>> possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
>>> or implemented in an ENGINE). I say *should* because there doesn't seem to be
>>> currently a way to do that without changing EVP_PKEY internal fields (which
>>> isn't possible in 1.1.0 anyway).
>>
>> I'm sorry, I don't get what you are trying to tell me in the above
>> paragraph. Are you talking about an alternative way to set up the
>> methods in the EVP_PKEY_METHOD structure?
>>
>
> Well this is by analogy with how the other algorithm specific methods work.
>
> With RSA_METHOD et al there are two ways to provide your own mechanisms for
> operations.
>
> If it's a general purpose mechanism (e.g. a crypto accelerator) which should
> perform all RSA operations you can provide the default method.
>
> If you want to only affect certain keys (e.g. those tied to a specific HSM)
> you *can* do this via the default method and just check each key as it goes
> through (e.g. some ex_data attached to it) and only handle those of interest
> passing the rest to the default operation.
>
> There is an alternative way. You create a custom method and set that as the
> key's internal method. Then any existing keys use the default method as usual
> but the keys you care about go through the custom method.
>
> For EVP_PKEY_METHOD you can provide the default implementation for an
> algorithm but unfortunately there is no way to provide a key specific method
> which is transparently used.

Ok, thank you for this explanation! I will try to make sense of this and
I will see whether I am able to map this to the corresponding API calls
and data structures...

--
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Loading...