Re: [openssl-users] engine interface for genrsa

2018-04-13 Thread William Roberts
On Fri, Apr 13, 2018 at 2:55 PM, Richard Levitte wrote:
> In message on Fri, 13 Apr 2018 09:17:28 -0700, William Roberts said:
>
> bill.c.roberts> I am currently working on writing an openssl engine
> bill.c.roberts> to interface with a piece of hardware.
> bill.c.roberts>
> bill.c.roberts> I am trying to understand how to implement
> bill.c.roberts> rsa key generation, where the private key
> bill.c.roberts> bytes would not be available.
> bill.c.roberts>
> bill.c.roberts> I am currently invoking the
> bill.c.roberts> command:
> bill.c.roberts>
> bill.c.roberts> openssl genrsa -engine foo
> bill.c.roberts>
> bill.c.roberts> Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()
> bill.c.roberts> and I set the flags: RSA_FLAG_EXT_PKEY.
> bill.c.roberts>
> bill.c.roberts> However, genrsa app seems to want rsa->e set here:
> bill.c.roberts> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291
> bill.c.roberts>
> bill.c.roberts> I can't find documentation on how to handle the keygen interface
> bill.c.roberts> for RSA.
> bill.c.roberts>
> bill.c.roberts> Can someone point me in the right direction?
>
> e and n are public components of any RSA key pair (and RSA structure
> in OpenSSL).  You *must* make them available.  The rest of the numbers
> are private and do not need to be part of the RSA structure that
> OpenSSL handles.

Thanks. I went and read the RSA page on Wikipedia, and sure enough it
has the common meanings of all the single-letter variables
in the RSA struct.
https://en.wikipedia.org/wiki/RSA_(cryptosystem)

>
> Cheers,
> Richard
>
> --
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?

2018-04-13 Thread Salz, Rich via openssl-users
OpenSSL 1.1.0 *does not* go through the locking callbacks.  They will never be 
called.



Re: [openssl-users] engine interface for genrsa

2018-04-13 Thread Richard Levitte
In message on Fri, 13 Apr 2018 09:17:28 -0700, William Roberts said:

bill.c.roberts> I am currently working on writing an openssl engine
bill.c.roberts> to interface with a piece of hardware.
bill.c.roberts> 
bill.c.roberts> I am trying to understand how to implement
bill.c.roberts> rsa key generation, where the private key
bill.c.roberts> bytes would not be available.
bill.c.roberts> 
bill.c.roberts> I am currently invoking the
bill.c.roberts> command:
bill.c.roberts> 
bill.c.roberts> openssl genrsa -engine foo
bill.c.roberts> 
bill.c.roberts> Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()
bill.c.roberts> and I set the flags: RSA_FLAG_EXT_PKEY.
bill.c.roberts> 
bill.c.roberts> However, genrsa app seems to want rsa->e set here:
bill.c.roberts> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291
bill.c.roberts> 
bill.c.roberts> I can't find documentation on how to handle the keygen interface
bill.c.roberts> for RSA.
bill.c.roberts> 
bill.c.roberts> Can someone point me in the right direction?

e and n are public components of any RSA key pair (and RSA structure
in OpenSSL).  You *must* make them available.  The rest of the numbers
are private and do not need to be part of the RSA structure that
OpenSSL handles.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
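
A small Python model of the point in the reply above, added here as an illustration (not code from the thread or from OpenSSL): the key generation step hands back n and e while the private exponent stays inside the device. `Token`, `RsaKey`, the function names and the toy primes are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed demo primes (two Mersenne primes); far too small for real use.
_P, _Q = 2**61 - 1, 2**89 - 1


class Token:
    """Hypothetical stand-in for the hardware: private values never leave it."""

    def __init__(self):
        self._private = {}  # handle -> (d, n), internal to the "device"

    def generate(self, e):
        n, phi = _P * _Q, (_P - 1) * (_Q - 1)
        handle = len(self._private) + 1
        self._private[handle] = (pow(e, -1, phi), n)
        return handle, n  # only the handle and the public modulus come back

    def private_op(self, handle, m):
        d, n = self._private[handle]
        return pow(m, d, n)


@dataclass
class RsaKey:
    """Models the n, e and d fields of the RSA structure discussed above."""
    n: Optional[int] = None
    e: Optional[int] = None
    d: Optional[int] = None  # stays None: the private exponent is in the token
    handle: Optional[int] = None  # hypothetical engine-private reference


def engine_keygen(token, e=65537):
    """What the keygen callback must deliver: n and e filled, d left unset."""
    handle, n = token.generate(e)
    return RsaKey(n=n, e=e, handle=handle)


def show_exponent(key):
    """A caller that reads the public exponent, as the genrsa app does."""
    if key.e is None:
        raise ValueError("public exponent e is not set")
    return "e is %d (0x%X)" % (key.e, key.e)


def public_verify(key, m, sig):
    """Public-key operation: needs only n and e, so it runs in software."""
    return pow(sig, key.e, key.n) == m % key.n
```
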


Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?

2018-04-13 Thread Charles Mills
Not to disagree of course, but you can always put printf's in your callbacks
to confirm.

Charles
Sent from a mobile; please excuse the brevity.

Original message
From: "Salz, Rich via openssl-users"
Date: 4/13/18 3:22 PM (GMT-05:00)
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?

Does this mean I can safely remove all usages of the above functions from my
application code? I'd appreciate if someone could explain the above comment
in a little more detail or confirm what I'm saying. Or has anyone else been in
the same situation?

Yes.  Do not use the locking callbacks.  OpenSSL uses system-native threads and
locks now.



Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?

2018-04-13 Thread Salz, Rich via openssl-users


  *   Does this mean I can safely remove all usages of the above functions from 
my application code? I'd appreciate if someone could explain the above comment 
in a little more detail or confirm what I'm saying. Or has anyone else been in 
the same situation?

Yes.  Do not use the locking callbacks.  OpenSSL uses system-native threads and 
locks now.


[openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?

2018-04-13 Thread pratyush parimal
Hi all,

I'm trying to migrate some application code from OpenSSL 1.0.1e to 1.1.0g.
I keep seeing that the locking and threading callbacks I had used earlier
(with CRYPTO_set_locking_callback and CRYPTO_set_id_callback respectively)
now show up as "unused" during compilation.

I checked https://www.openssl.org/blog/blog/2017/02/21/threads/ and it
seems like OpenSSL is trying to ditch callbacks and use more native
facilities. In 1.1.0g's crypto.h, CRYPTO_set_locking_callback is defined as
a no-op, with the following comment:

/*
 * The old locking functions have been removed completely without compatibility
 * macros. This is because the old functions either could not properly report
 * errors, or the returned error values were not clearly documented.
 * Replacing the locking functions with with no-ops would cause race condition
 * issues in the affected applications. It is far better for them to fail at
 * compile time.
 * On the other hand, the locking callbacks are no longer used. Consequently,
 * the callback management functions can be safely replaced with no-op macros.
 */

Does this mean I can safely remove all usages of the above functions from
my application code? I'd appreciate if someone could explain the above
comment in a little more detail or confirm what I'm saying. Or has anyone
else been in the same situation?

Thanks,
Pratyush


[openssl-users] engine interface for genrsa

2018-04-13 Thread William Roberts
I am currently working on writing an openssl engine
to interface with a piece of hardware.

I am trying to understand how to implement
rsa key generation, where the private key
bytes would not be available.

I am currently invoking the
command:

openssl genrsa -engine foo

Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()
and I set the flags: RSA_FLAG_EXT_PKEY.

However, genrsa app seems to want rsa->e set here:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291

I can't find documentation on how to handle the keygen interface
for RSA.

Can someone point me in the right direction?

Thanks,
Bill