Dear Francesco,
On Sat, Oct 24, 2020 at 1:06 PM Francesco Pretto <ceztko@xxxxxxxxx> wrote:
Hello,
I'm trying to create a CMS context for subsequent export using
CMS_sign(). I add a signer using CMS_add1_signer() that allows me to
specify a X509 certificate and a hash function. I would like the CMS
context to perform hash computation and ANS1 structure filling, but I
want to delegate encryption to an external service, for example an
hardware encryption token (I'm assuming this is a very common use
case). At this point I'm in a stalemate since CMS_add1_signer() asks
me for a private EVP_PKEY that is compatible with the public key
present in the X509 certificate. No other function seems to exist to
create a CMS_SignerInfo by providing an external mechanism for
encryption.
My hacky solution was to add a signer CMS_add1_signer() supplying the
public key stored in the X509 certificate in the place of the private
one. This passes internal checks of the function and allows me to
subsequently handle (manually) all the ANS1 structure filling and hash
computations. This is barely doable with public openssl API and still
requires a big rip-off of private openssl code (attached as a
standalone C++ class, if it can be useful for someone).
My question is: is there an easier mechanism to plug a separate
encryption method when creating the CMS_SignerInfo structure and have
openssl do all the other dirty work for me? If so, is it possible to
do with openssl 1.1.0/1.1.1?
Engines allow operating by private keys in such a manner.
You have to reimplement all the callbacks dealing with private keys. Also, it's possible you have to write some wrappers for the functions dealing with public keys.
For 3.0, the providers should do the same trick, I think.
SY, Dmitry Belyavsky
