On 2004.11.07 at 17:55:56 +0100, Dr. Stephen Henson wrote:
> On Wed, Nov 03, 2004, Victor B. Wagner wrote:
>
> > We think that these minimal changes would allow us to add new public
> > key cryptography algorithms into OpenSSL without further modifications
> > of the OpenSSL core except the obvious addition of new OIDs into
> > objects.txt and the call to an engine initialization routine if the
> > implemented engine is compiled statically.
>
> You wouldn't even need that. You could add OIDs via OBJ_create() and
> dynamically use the appropriate NID.

Thanks! I hadn't found this in the docs. We will obviously use this approach in our engine.

> An interesting proposal. There are quite a few extra cases however which need
> to be handled which complicates any required structure.
>
> For example the algorithm itself is represented as an ASN1 AlgorithmIdentifier
> in a number of places whose parameters are algorithm specific other than just
> the subjectPublicKeyInfo structure in a certificate or request.

I've not encountered more such places. Probably we just haven't dug deep enough yet. I think that these issues could be handled along the same lines as the others we've already mentioned: find some fragment of the ASN1 tree which is reused, and provide algorithm-specific functions to parse/serialize it.

> For display purposes the public key should be printable so that (for example)
> X509_print_ex() displays it properly.
>
> One of the thornier issues is how you handle multiple implementations of the
> same algorithm. This works at present with the existing algorithms because the
> represented structures are defined in OpenSSL core code and are consistent. In
> general this won't be the case.

What do you mean by "multiple implementations of the same algorithm"? I see two cases where such a thing arises:

1. There are independently standardized versions of the same algorithm. I.e. I know of at least two (incompatible) versions of the GOST 94 digital signature. They have different OIDs. If we treat them as completely independent algorithms, the only thing we waste is a bit of computational code which implements them. If they are provided by different engines, there are independent implementations which have their own (functionally equivalent) implementations. If they are provided by the same engine, it is up to the engine author to optimize usage of code. As long as all the implementations conform to the interface, there is nothing wrong with it.

2. There are two independent engines which implement the same algorithm with the same OID. Only one of them can be used in one application at a given time anyway. So it doesn't matter how it uses algorithm-specific structures as long as it serializes them properly.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
