overriding EVP_PKEY method callbacks for a specific key only

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

overriding EVP_PKEY method callbacks for a specific key only

Selva Nair
Hi,

How to override the evp_pkey_sign method in EVP_PKEY_METHOD structure for a specific key? This is to allow signing with PSS padding using Windows CNG API.  Using rsa_priv_enc() we can only get pre-padded data when PSS is in use, but CNG does not seem to handle padding = none.

Also see issue 7341 on github https://github.com/openssl/openssl/issues/7341

I can use EVP_PKEY_meth_add0() to add a new method struct and that works. But that affect all keys. Is it possible to replace the evp_pkey_sign method on a specific key instance like one can do for RSA or EC methods?

Thanks,

Selva

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: overriding EVP_PKEY method callbacks for a specific key only

Dmitry Belyavsky-3
Well, you can use opaque pointer and own structure containing a flag and switch between native and custom implementations depending on it.

I've tried it and it works

пн, 15 окт. 2018 г., 23:13 Selva Nair <[hidden email]>:
Hi,

How to override the evp_pkey_sign method in EVP_PKEY_METHOD structure for a specific key? This is to allow signing with PSS padding using Windows CNG API.  Using rsa_priv_enc() we can only get pre-padded data when PSS is in use, but CNG does not seem to handle padding = none.

Also see issue 7341 on github https://github.com/openssl/openssl/issues/7341

I can use EVP_PKEY_meth_add0() to add a new method struct and that works. But that affect all keys. Is it possible to replace the evp_pkey_sign method on a specific key instance like one can do for RSA or EC methods?

Thanks,

Selva
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: overriding EVP_PKEY method callbacks for a specific key only

Selva Nair
Hi,

On Mon, Oct 15, 2018 at 4:19 PM Dmitry Belyavsky <[hidden email]> wrote:
Well, you can use opaque pointer and own structure containing a flag and switch between native and custom implementations depending on it.

I've tried it and it works

We do store some state information in the method app_data, so singling out calls for our key is not hard. So, it would be necessary to check this in both sign_init() and sign() and call the default implementations of both as/when required, right? Will test it out.

Is there any plan to expose per-key EVP_PKEY_METHODs in the API?

Thanks,

Selva

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users