Dear OpenSSL,
I have a question for the community. Specifically, I am changing
the implementation that we are working on for Composite Crypto
from directly patching the OpenSSL library with a new method, we
want to add it dynamically - this makes it easier to use Composite
Crypto with existing OpenSSL deployments.
One very discouraging thing when you do that is that with all the
masking of data structures, it becomes quite difficult to work on
low-level implementations and it might require including some
definitions of data structures.
Besides this side-notes, the issue we are facing is related to
how to link the OID for the public key algorithm with the NID for
the dynamically added one. Let me explain with some code.
When our LibPKI starts up, it initializes the crypto layer and
adds the Composite method by using the EVP_PKEY_ASN1_METHOD and
EVP_PKEY_METHOD:
// We Need to initialize the ASN1 conversion method
if (!EVP_PKEY_asn1_add0(&combined_asn1_meth)) return 0;
// We also Need to initialize the PKEY method for the algorithm
if (!EVP_PKEY_meth_add0(&combined_pkey_meth)) return 0;
However, as part of the two structures,
the pkey NID is already defined in the structure (pkey_id). This
was all working fine because the pkey_id was the NID_composite
that was originally generated via the objects tools (i.e., you can
use the two functions OBJ_nid2obj() and OBJ_obj2nid() with the
NID_composite value), however... I cannot find how to do this with
the static version.
I tried to create the object with the OBJ_create() first and then
assign it to the relevant fields of the methods:
// Let's create the Initial OID for Composite Crypto
NID_composite = OBJ_create("1.3.6.1.4.1.18277.2.1", "composite", "pk-Composite");
if (NID_composite == NID_undef) return 0;
// // Assigns the generated IDs
composite_asn1_meth.pkey_id = NID_composite;
composite_asn1_meth.pkey_base_id = NID_composite;
composite_pkey_meth.pkey_id = NID_composite;
right before adding the method(s) to the
library with the EVP_PKEY_meth_add0() and EVP_PKEY_asn1_add0().
This seems a bit clunky to me and I am facing some weird memory
issue when I assign the pkey_id on the pkey meth (but that can
simply be an issue with a pointer somehow... ).
I was wondering if there is a better
approach.
Specifically, I was thinking about
generating the methods data structures with the dynamic allocation
(EVP_PKEY_meth_new) and then assigning the different callbacks
instead of using the _add0() functions ... however also that
approach requires us, if I am not mistaken, to generate the OIDs
first, retrieve the ID from it, and then use the
EVP_PKEY_meth_new()/EVP_PKEY_asn1_new() to generate the new
methods. This second approach requires a bit more code to do all
the assigning (instead of just assigning the structure once) but
it helps with not requiring exporting the internals of the
method(s) structure itself.
Is there a better way to provide the
algorithm?
The last path that I was thinking was to
provide an ENGINE implementation, but that seemed a bit more
complicated (probably mostly because I have never had to implement
the interface...).
Thank you for your help and have a wonderful day!
Cheers,
Max
--
Best Regards,
Massimiliano
Pala, Ph.D.
OpenCA Labs Director
