Re: Dynamically Adding a New PubKey Method - how to link OID <-> pkey_id ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear Dr.Pala,

You can take a look at 

https://github.com/gost-engine/engine/blob/master/gost_eng.c

and use OBJ_create (https://www.openssl.org/docs/man3.0/man3/OBJ_create.html) to register new NIDs.
If you want just PKI/CMS, it would be enough.

I should notice that ENGINE interface is deprecated so for OpenSSL 3.0 you'd better implement a provider for your purposes.

On Tue, Aug 30, 2022 at 6:58 PM Dr. Pala <director@xxxxxxxxxx> wrote:

Dear OpenSSL,

I have a question for the community. Specifically, I am changing the implementation that we are working on for Composite Crypto from directly patching the OpenSSL library with a new method, we want to add it dynamically - this makes it easier to use Composite Crypto with existing OpenSSL deployments.

One very discouraging thing when you do that is that with all the masking of data structures, it becomes quite difficult to work on low-level implementations and it might require including some definitions of data structures.

Besides this side-notes, the issue we are facing is related to how to link the OID for the public key algorithm with the NID for the dynamically added one. Let me explain with some code.

When our LibPKI starts up, it initializes the crypto layer and adds the Composite method by using the EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD:

// We Need to initialize the ASN1 conversion method
if (!EVP_PKEY_asn1_add0(&combined_asn1_meth)) return 0;
// We also Need to initialize the PKEY method for the algorithm
if (!EVP_PKEY_meth_add0(&combined_pkey_meth)) return 0;

However, as part of the two structures, the pkey NID is already defined in the structure (pkey_id). This was all working fine because the pkey_id was the NID_composite that was originally generated via the objects tools (i.e., you can use the two functions OBJ_nid2obj() and OBJ_obj2nid() with the NID_composite value), however... I cannot find how to do this with the static version.

I tried to create the object with the OBJ_create() first and then assign it to the relevant fields of the methods:

// Let's create the Initial OID for Composite Crypto
NID_composite = OBJ_create("1.3.6.1.4.1.18277.2.1", "composite", "pk-Composite");
if (NID_composite == NID_undef) return 0;
// // Assigns the generated IDs
composite_asn1_meth.pkey_id = NID_composite;
composite_asn1_meth.pkey_base_id = NID_composite;
composite_pkey_meth.pkey_id = NID_composite;

right before adding the method(s) to the library with the EVP_PKEY_meth_add0() and EVP_PKEY_asn1_add0(). This seems a bit clunky to me and I am facing some weird memory issue when I assign the pkey_id on the pkey meth (but that can simply be an issue with a pointer somehow... ).

I was wondering if there is a better approach.

Specifically, I was thinking about generating the methods data structures with the dynamic allocation (EVP_PKEY_meth_new) and then assigning the different callbacks instead of using the _add0() functions ... however also that approach requires us, if I am not mistaken, to generate the OIDs first, retrieve the ID from it, and then use the EVP_PKEY_meth_new()/EVP_PKEY_asn1_new() to generate the new methods. This second approach requires a bit more code to do all the assigning (instead of just assigning the structure once) but it helps with not requiring exporting the internals of the method(s) structure itself.

Is there a better way to provide the algorithm?

The last path that I was thinking was to provide an ENGINE implementation, but that seemed a bit more complicated (probably mostly because I have never had to implement the interface...).

Thank you for your help and have a wonderful day!

Cheers,
Max

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo


--
SY, Dmitry Belyavsky

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux