15.11.2010 19:55, Dr. Stephen Henson пишет:
On Mon, Nov 15, 2010, Valery Blazhnov wrote:
I need an advice on usind EVP_SignFinal function with two private key
objects stored on two different tokens. I can use two PKCS11 engine
instances to access these objects in low-level functions. But EVP_SignFinal
implementation uses EVP_PKEY_CTX_new(pkey, NULL) call internally to create
internal signing context with NULL engine. Then int_ctx_new function finds
an engine by NID:
e = ENGINE_get_pkey_meth_engine(id);
and users first found engine instance. As a result only first token can be
used for signing.
How can I specify right engine instance for signing context without OpenSSL
source code modifications?
If the EVP_PKEY structure is set up correctly it should use the appropriate
ENGINE contained within it. This will most likely end up being routed through
the default EVP_PKEY implementation (as very few new EVP_PKEY implementations
currently exist) and through the lower level RSA_METHOD (etc) structure and
then through the ENGINE responsible for the private key.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Even if EVP_PKEY structure contains correct pointer to corresponding
engine instance then int_ctx_new function ignores it and finds an engine
by NID. Unfortunately there is no "if (pkey->engine) { e = pkey->engine;
... }" branch inside int_ctx_new function. Would'nt you like to add it
there?
Valery Blazhnov
LISSI ltd.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
