Re: extern private key, smart cards, RSA_METHOD_FLAG_NO_CHECK

Sun, 27 Feb 2000 16:17:33 -0800 

Reddie, Steven wrote:
> 
> I create my own RSA_METHOD structure which contains pointers to my RSA
> public/private encrypt/decrypt functions.  It also contains a flags member
> which is where I set RSA_METHOD_FLAG_NO_CHECK.  I have the private key
> stored on the Hardware Security Module (HSM) and the certificate is
> available to the application.  I use the Subject of the certificate to find
> the private key with a matching Subject on the HSM.  When loading a key from
> the HSM (ie. getting it's handle for later use) I call RSA_new_method and
> pass in a pointer to my RSA_METHOD structure.  RSA_new_method copies the
> flags from RSA_METHOD into the new RSA structure (key).  Another important
> thing that I do is get the public modulus from the HSM key, convert it into
> a BIGNUM using BN_bin2bn and then store it in RSA->n.  This is needed by
> OpenSSL crypto code when determining the key length.  The _hack_ that I use
> to associate the RSA key with the HSM key handle is to store the HSM key
> handle in RSA->p (the private modulus).  Since my public/private
> encrypt/decrypt functions are called for operations on this RSA key (via my
> RSA_METHOD structure) my code knows what RSA->p really means and everything
> is happy.
> 

The "approved" way to handle things is to add application specific data
to the RSA's CRYPTO_EX_DATA structure and have the RSA_METHOD use that
to find handle details.

Unfortunately the ex_data functions had no documentation other than the
source until fairly recently. They are now in the development release
and will be in 0.9.5.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to