Re: [openssl-users] Loading RSA private key from ENGINE

[Ignacio Alamo Corsino]

Hello Fabrizio,


actually the whole private key and all its components are not loaded with 
ENGINE_load_private_key. Only a part of them (modulus and public exponent).

These components are enough to, for example, make a key/certificate match 
verification.


Once a private key operation is needed (ex. signature) then your custom RSA 
method will be called because the key that you have previously loaded

is not able to perform that kind of operations. Depending on how you have 
written your method, one function or another will be called (rsa_sign or 
RSA_private_encrypt).


If you have loaded your engine correctly, the SSL methods will know when to 
call your rsa methods to perform their operations.


Regards,


Ignacio



De: openssl-users  en nombre de 
hoku...@gmx.ch 
Enviado: miércoles, 15 de noviembre de 2017 9:37
Para: openssl-users@openssl.org
Asunto: [openssl-users] Loading RSA private key from ENGINE

I am currently exporing the ENGINE capabilities. The examples are quite clear 
about how to link OpenSSL with methods that are available in a hardware module:
- implement RSA_METHOD in MyEngine, e.g. rsaSign() wich calls rsaSign_HW()
- ENGINE_register_RSA(MyEngine)
--> OpenSSL will then automatically call that method when rsa signing is 
required.

So far, so good.

The gap in my understanding is how to access the private key. Assumimg that my 
hardware module contains a list of private keys, which cannot and shall not be 
exported, they will be referenced by some opaque reference or id, e.g "KEY_1"

rsaSign_HW(dataToSign,"KEY_1")

Now I need some way to configure SSL_CTX with "KEY_1" instead of the "real" key.
I'm thinking of some pseudo-code in the way:

SSL_CTX_use_certificate(ctx, cert)  // certificate from PEM file as usual
SSL_CTX_use_PrivateKeyReferenceForEngine(ctx, "KEY_1")

Also there is a engine interface that looks promising, as takes some arbitrary 
keyId as parameter

privKey = ENGINE_load_private_key(MyEngine, "KEY_1")

.. but as far as I understand, it returns the "real" key, which is not 
exportable.

Am I completety on the wrong track? What is the recommended technique?
Thanks for any suggestion

Fabrizio
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] confusion with rsa_meth_st in a custom RSA engine

[Ignacio Alamo Corsino]

Hello Brett,


First, to your comment: "I'm just confused as to at what point in the RSA 
encryption/decryption process my engine should be invoked at":

It really depends on how your hardware performs the operations.


I mean, you are right, if you set RSA_FLAG_EXT_PKEY  then you only have to 
rewrite rsa_mod_exp but you have to make sure that you are at the right spot 
when your

hardware jumps in.

This is (more or less) the workflow for RSA signing:

(obtain digest) -> RSA_sign (makes pkcs1 encoding) -> RSA_private_encrypt 
(makes padding and blinding) -> rsa_mod_exp (with flag) or bn_mod_exp (without)

Each step makes different operations before calling the next function. So if 
your hardware takes care of the pkcs1 encoding and so on, then you should 
overwrite RSA_sign
(using the RSA_FLAG_SIGN_VER flag) but if you are sure that it only performs 
the rsa_mod_exp operations then go ahead and rewrite it with your userspace API.

I found really helpful to read the OpenSSL default rsa_method to see how RSA 
works: /crypto/rsa/rsa_ossl.c

Sorry if I could not directly answer your question on which method you should 
overwrite but I hope this info helps you to find out.

Regards,

Ignacio


De: openssl-users  en nombre de Brett R. 
Nicholas 
Enviado: miércoles, 23 de agosto de 2017 3:44
Para: openssl-users@openssl.org
Asunto: [openssl-users] confusion with rsa_meth_st in a custom RSA engine


I am trying to develop a engine for a custom RSA hardware accelerator, and have 
a few questions about the RSA_METHOD stucture implementation.


Some context: for encryption, my accelerator takes as inputs the base, public 
exponent, and modulus, and returns the resulting ciphertext. For decryption, it 
takes as inputs the base, and modulus. It does not need a private key, as this 
is stored in hardware, and can only be configured through an out-of-band 
channel. I already have a kernel module that exposes an API to userspace 
programs to use the accelerator. Now I just need to integrate it into openSSL.


I've already created a similar engine for AES and SHA256, however I'm 
struggling with RSA. Ideally, I'd like to not have to worry about anything 
other than just performing the modular exponentiation on a pre-padded and 
prepared chunk of data. For SHA and AES, this is straightforward: all that was 
taken care of by the EVP interface, so all I needed to worry about was getting 
the data two and from my accelerators. But it doesn't appear to be as simple 
for RSA (pls correct me if I'm wrong).


I'm confused as to which RSA_METHOD function pointers that my engine needs to 
implement.  I show the structure below for reference:

struct rsa_meth_st {
char *name;
int (*rsa_pub_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int (*rsa_pub_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int (*rsa_priv_enc) (int flen, const unsigned char *from,
 unsigned char *to, RSA *rsa, int padding);
int (*rsa_priv_dec) (int flen, const unsigned char *from,
 unsigned char *to, RSA *rsa, int padding);

int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);

int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
   const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
/* stuff */
int flags;
/*  stuff ... */
};  // TYPEDEF'ED TO RSA_METHOD in include/ossl_typ.h


So, three questions:


  1.  Is it possible for the standard OpenSSL RSA implementation to use my 
engine's "modular exponentiation" function, without having to rewrite the 
RSA_[public|private]_[encrypt|decrypt] family of functions from 
/include/openssl/rsa.h?
  2.  If so, does it suffice to only implement the rsa_mod_exp function? Or 
must I implement both public_enc/dec and private_enc/dec functions as well? I 
ask, because the source code for the old Intel RSAX engine 
(https://gist.github.com/bigbrett/91903f773f9d150b7329c7d462cd220a) does this, 
but I can't figure out how and when in the "RSA flow" the engine's function 
gets invoked.
  3.  In  /include/openssl/rsa.h, I saw the following macro for the RSA_METHOD 
flag field (line 55):

/*
 * This flag means the private key operations will be handled by rsa_mod_exp
 * and that they do not depend on the private key components being present:
 * for example a key stored in external hardware. Without this flag
 * bn_mod_exp gets called when private key components are absent.
 */
# define RSA_FLAG_EXT_PKEY   0x0020


Does this mean that if I use this flag in the "flags" field of RSA_METHOD, that 
I DO NOT need to implement rsa_pub_enc/dec and friends? I guess I'm just 
confused as to at what point in the RSA encryption/decryption process my engine 

Re: [openssl-users] Understanding RSA_sign and type argument

[Ignacio Alamo Corsino]

Hello Erwann,


Merci beaucoup!

It has worked but with "-sigalgs RSA+SHA256" instead of "sigalgs SHA256+RSA"


Finding this option was driving me crazy because I could not find it in the 
wiki page of s_server:

https://wiki.openssl.org/index.php/Manual:S_server(1)

Manual:S server(1) - 
OpenSSLWiki<https://wiki.openssl.org/index.php/Manual:S_server(1)>
wiki.openssl.org
NAME. s_server - SSL/TLS server program SYNOPSIS. openssl s_server [-accept 
port] [-naccept count] [-context id] [-verify depth] [-Verify depth] 
[-crl_check] [-crl ...





De: openssl-users <openssl-users-boun...@openssl.org> en nombre de Erwann 
Abalea <erwann.aba...@docusign.com>
Enviado: lunes, 12 de junio de 2017 10:42
Para: openssl-users@openssl.org
Asunto: Re: [openssl-users] Understanding RSA_sign and type argument

Bonjour,

Add « -sigalgs SHA256+RSA » to one of your command lines.

Cordialement,
Erwann Abalea

Le 9 juin 2017 à 09:45, Ignacio Alamo Corsino 
<nacao2...@hotmail.com<mailto:nacao2...@hotmail.com>> a écrit :

Hello everyone,

i am having some issues understanding the RSA_sign function:

RSA_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char 
*sigret, unsigned int *siglen, RSA *rsa);

As far as I know, the signing is a four step process:
- Calculate hash with digest algorithm  (given as argument to this 
function -> m)
- Encapsulate hash in a DigestInfo structure (X509_SIG)
- Structure padding (in RSA_private_encrypt)
- Private key operation on this padded structure (in RSA_private_encrypt)

Is that correct?

So, during the TLS handshake, the RSA_sign function is called in the 
CertificateVerify step.
For my tests, everytime this function is called, the hashing type is SHA512 
even though I specify to use a SHA256 hash.

These are the commands that I use to test TLS:

#openssl s_server -accept 443 -cert cert.pem -key key.pem  -Verify 1 -msg 
-debug -cipher eNULL:aRSA:!SHA512:SHA256 -serverpref
#openssl s_client -connect localhost:443 -cert client_cert.pem   -key 
client.key -state -cipher eNULL:aRSA:!SHA512:SHA256

How can I force TLS to use a SHA256 digest for DH?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Understanding RSA_sign and type argument

[Ignacio Alamo Corsino]

Hello everyone,


i am having some issues understanding the RSA_sign function:

RSA_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char 
*sigret, unsigned int *siglen, RSA *rsa);


As far as I know, the signing is a four step process:

- Calculate hash with digest algorithm  (given as argument to this 
function -> m)

- Encapsulate hash in a DigestInfo structure (X509_SIG)

- Structure padding (in RSA_private_encrypt)

- Private key operation on this padded structure (in RSA_private_encrypt)


Is that correct?


So, during the TLS handshake, the RSA_sign function is called in the 
CertificateVerify step.

For my tests, everytime this function is called, the hashing type is SHA512 
even though I specify to use a SHA256 hash.

These are the commands that I use to test TLS:

#openssl s_server -accept 443 -cert cert.pem -key key.pem  -Verify 1 -msg 
-debug -cipher eNULL:aRSA:!SHA512:SHA256 -serverpref
#openssl s_client -connect localhost:443 -cert client_cert.pem   -key 
client.key -state -cipher eNULL:aRSA:!SHA512:SHA256

How can I force TLS to use a SHA256 digest for DH?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users