Dr S N Henson wrote:
>
> Ben Laurie wrote:
> >
> > The alert will have noticed the work I've been doing on EVP_CIPHER and
> > EVP_MD stuff to allow them to be extended without having to patch
> > OpenSSL, as well as to improve the modularity of OpenSSL - I looked
> > today at doing the same for EVP_PKEY. But I was left wondering whether
> > it was actually a good idea. Is there any motivation for extending
> > EVP_PKEY?
> >
>
> Yes. In an ideal situation you might just load (say) an EC-DSA module
> and OpenSSL would automatically support EC-DSA certificates and keys and
> be able to do some things (like S/MIME with them). In practice
> that's not easy...
OK. I presume there's a host of other similar examples, not to mention
future inventions...
> > Note that part of my hesitation was that it turned out to be a pretty
> > big job - OTOH, it would tidy up an awful lot of if(pkey->type ==
> > EVP_PKEY_RSA) style stuff...
> >
>
> Well "sodding enormous job" might describe it better. Part of the
> problem is that the existing algorithms (DSA, RSA and DH) have very
> different properties. You also have to rope in ASN1 because much of the
> key specific stuff is ASN1 related. You also have to invent several new
> APIs or break existing ones. EVP_PKEY only really has one crypto routine
> AFAICS: EVP_PKEY_{en,de}crypt() and that's just a wrapper round the RSA
> stuff. However even that would need some way to pass in the padding
> technique which doesn't currently have a parameter.
It may only have one crypto routine, but it has a whole mess of other
stuff, which is currently variously handled by a bunch of messy routines
in p_lib.c and all sorts of hacks all over the code.
Adding padding would only slightly increase the mess :-)
I guess that making it work "properly" would probably help to clarify
what further work needs to be done. I'll go away and think about that...
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
