Re: [openssl-users] engine interface for genrsa
On Fri, Apr 13, 2018 at 2:55 PM, Richard Levitte wrote:
> In message on Fri, 13 Apr 2018 09:17:28 -0700, William Roberts said:
>
> bill.c.roberts> I am currently working on writing an openssl engine
> bill.c.roberts> to interface with a piece of hardware.
> bill.c.roberts>
> bill.c.roberts> I am trying to understand how to implement
> bill.c.roberts> rsa key generation, where the private key
> bill.c.roberts> bytes would not be available.
> bill.c.roberts>
> bill.c.roberts> I am currently invoking the
> bill.c.roberts> command:
> bill.c.roberts>
> bill.c.roberts> openssl genrsa -engine foo
> bill.c.roberts>
> bill.c.roberts> Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()
> bill.c.roberts> and I set the flags: RSA_FLAG_EXT_PKEY.
> bill.c.roberts>
> bill.c.roberts> However, genrsa app seems to want rsa->e set here:
> bill.c.roberts> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291
> bill.c.roberts>
> bill.c.roberts> I can't find documentation on how to handle the keygen interface
> bill.c.roberts> for RSA.
> bill.c.roberts>
> bill.c.roberts> Can someone point me in the right direction?
>
> e and n are public components of any RSA key pair (and RSA structure
> in OpenSSL). You *must* make them available. The rest of the numbers
> are private and do not need to be part of the RSA structure that
> OpenSSL handles.

Thanks. I went and read the RSA page on Wikipedia, and sure enough it has the common meanings of all the single-letter variables in the RSA struct.

https://en.wikipedia.org/wiki/RSA_(cryptosystem)

> Cheers,
> Richard
>
> --
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?
OpenSSL 1.1.0 *does not* go through the locking callbacks. They will never be called.
Re: [openssl-users] engine interface for genrsa
In message on Fri, 13 Apr 2018 09:17:28 -0700, William Roberts said:

bill.c.roberts> I am currently working on writing an openssl engine
bill.c.roberts> to interface with a piece of hardware.
bill.c.roberts>
bill.c.roberts> I am trying to understand how to implement
bill.c.roberts> rsa key generation, where the private key
bill.c.roberts> bytes would not be available.
bill.c.roberts>
bill.c.roberts> I am currently invoking the
bill.c.roberts> command:
bill.c.roberts>
bill.c.roberts> openssl genrsa -engine foo
bill.c.roberts>
bill.c.roberts> Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA()
bill.c.roberts> and I set the flags: RSA_FLAG_EXT_PKEY.
bill.c.roberts>
bill.c.roberts> However, genrsa app seems to want rsa->e set here:
bill.c.roberts> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291
bill.c.roberts>
bill.c.roberts> I can't find documentation on how to handle the keygen interface
bill.c.roberts> for RSA.
bill.c.roberts>
bill.c.roberts> Can someone point me in the right direction?

e and n are public components of any RSA key pair (and RSA structure
in OpenSSL). You *must* make them available. The rest of the numbers
are private and do not need to be part of the RSA structure that
OpenSSL handles.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
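The split Richard describes (OpenSSL's RSA structure gets only n and e, the private numbers stay in the hardware), as an added toy model in Python that is not part of this thread or of OpenSSL's engine API: `engine_keygen`, `HardwareSlot` and the dict standing in for the RSA struct are names chosen here, and textbook RSA without padding is used only to keep the illustration short.

```python
import math
import random
# Added toy model (not OpenSSL code): keygen gives OpenSSL only n and e, while
# p, q and d stay inside the "hardware" slot. Textbook RSA, no padding.

def is_probable_prime(n, rounds=20):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # force the top bit (exact size) and oddness
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

class HardwareSlot:
    """Stands in for the device: holds only the private CRT parameters."""
    def __init__(self, p, q, d):
        self.p, self.q = p, q
        self.dp, self.dq, self.qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    def sign(self, m):  # private operation, Garner CRT recombination
        m1, m2 = pow(m, self.dp, self.p), pow(m, self.dq, self.q)
        return m2 + ((self.qinv * (m1 - m2)) % self.p) * self.q

def engine_keygen(bits=512, e=65537):
    """Like the engine keygen callback: OpenSSL's RSA struct gets n and e,
    its private members stay NULL, and the slot keeps p, q, d."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    rsa = {"n": p * q, "e": e, "d": None, "p": None, "q": None}
    return rsa, HardwareSlot(p, q, pow(e, -1, phi))
def verify(rsa, m, sig):  # public operation: needs only n and e
    return pow(sig, rsa["e"], rsa["n"]) == m
```

verify() succeeds with the public-only struct, while anything needing d has to go through the slot; in a real engine those private operations are supplied through the RSA_METHOD handed to ENGINE_set_RSA().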
Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?
Not to disagree of course, but you can always put printf's in your callbacks to confirm.

Charles

Sent from a mobile; please excuse the brevity.

Original message
From: "Salz, Rich via openssl-users"
Date: 4/13/18 3:22 PM (GMT-05:00)
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?

> Does this mean I can safely remove all usages of the above functions from my application code? I'd appreciate if someone could explain the above comment in a little more detail or confirm what I'm saying. Or has anyone else been in the same situation?

Yes. Do not use the locking callbacks. OpenSSL uses system-native threads and locks now.
Re: [openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?
> Does this mean I can safely remove all usages of the above functions from my application code? I'd appreciate if someone could explain the above comment in a little more detail or confirm what I'm saying. Or has anyone else been in the same situation?

Yes. Do not use the locking callbacks. OpenSSL uses system-native threads and locks now.
[openssl-users] Should I stop using locking callbacks in OpenSSL 1.1.0x ?
Hi all,

I'm trying to migrate some application code from OpenSSL 1.0.1e to 1.1.0g. I keep seeing that the locking and threading callbacks I had used earlier (with CRYPTO_set_locking_callback and CRYPTO_set_id_callback respectively) now show up as "unused" during compilation. I checked https://www.openssl.org/blog/blog/2017/02/21/threads/ and it seems like OpenSSL is trying to ditch callbacks and use more native facilities.

In 1.1.0g's crypto.h, CRYPTO_set_locking_callback is defined as a no-op, with the following comment:

/*
 * The old locking functions have been removed completely without compatibility
 * macros. This is because the old functions either could not properly report
 * errors, or the returned error values were not clearly documented.
 * Replacing the locking functions with with no-ops would cause race condition
 * issues in the affected applications. It is far better for them to fail at
 * compile time.
 * On the other hand, the locking callbacks are no longer used. Consequently,
 * the callback management functions can be safely replaced with no-op macros.
 */

Does this mean I can safely remove all usages of the above functions from my application code? I'd appreciate if someone could explain the above comment in a little more detail or confirm what I'm saying. Or has anyone else been in the same situation?

Thanks,
Pratyush
[openssl-users] engine interface for genrsa
I am currently working on writing an openssl engine to interface with a piece of hardware.

I am trying to understand how to implement rsa key generation, where the private key bytes would not be available.

I am currently invoking the command:

openssl genrsa -engine foo

Which is calling my callback for RSA keygen, registered via ENGINE_set_RSA() and I set the flags: RSA_FLAG_EXT_PKEY.

However, genrsa app seems to want rsa->e set here:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2g/apps/genrsa.c#L291

I can't find documentation on how to handle the keygen interface for RSA.

Can someone point me in the right direction?

Thanks,
Bill