16.11.2010 14:45, Dr. Stephen Henson wrote:
On Tue, Nov 16, 2010, Valery Blazhnov wrote:
15.11.2010 19:55, Dr. Stephen Henson wrote:
On Mon, Nov 15, 2010, Valery Blazhnov wrote:
I need advice on using the EVP_SignFinal function with two private key objects stored on two different tokens. I can use two PKCS11 engine instances to access these objects in low-level functions. But the EVP_SignFinal implementation uses the EVP_PKEY_CTX_new(pkey, NULL) call internally to create the internal signing context with a NULL engine. Then the int_ctx_new function finds an engine by NID:
e = ENGINE_get_pkey_meth_engine(id);
and uses the first found engine instance. As a result only the first token can be used for signing.
How can I specify the right engine instance for the signing context without OpenSSL source code modifications?
If the EVP_PKEY structure is set up correctly it should use the appropriate ENGINE contained within it. This will most likely end up being routed through the default EVP_PKEY implementation (as very few new EVP_PKEY implementations currently exist) and through the lower level RSA_METHOD (etc) structure and then through the ENGINE responsible for the private key.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Even if the EVP_PKEY structure contains a correct pointer to the corresponding engine instance, the int_ctx_new function ignores it and finds an engine by NID. Unfortunately there is no "if (pkey->engine) { e = pkey->engine; ... }" branch inside the int_ctx_new function. Wouldn't you like to add it there?
Ah, that's a bug which I'll fix. However there can't be many (any?) PKCS#11 ENGINEs that implement their own EVP_PKEY_METHOD; they will (almost?) always have their own RSA_METHOD, DSA_METHOD etc. which will get routed to the correct ENGINE through the lower level APIs.
Steve.
I would like to give some additional information to make the question clearer. I use a single PKCS#11 engine program, but I create a separate engine instance for every token and register that instance with its own id. As a result I have several functionally similar engine instances connected to different data devices. So I should guarantee that the PKI functions use the right target engine to access the token key objects. Thank you for your help :)
--
Валерий Блажнов
Leading Research Scientist
ООО "ЛИССИ"
tel. +7(495) 513-33-18 ext. 108