Re: openssl-users Digest, Vol 106, Issue 24


 



Hi Team,

I have a few queries related to the Provider concept in OpenSSL 3.1.x.

As the OpenSSL version is coming up with the Provider implementation and the engine API is deprecated, below are the queries.
1. Is it possible to still use the Engine API, and will it work with OpenSSL 3.1.x?
2. If not, can someone help in replacing the engine with a provider implementation, with some basic example or minimum set of implementation?

I am working on this on Linux (OpenBMC environment), which is then open-sourced to the community. As OpenSSL provides command-line support in Linux for running different speed tests using hardware engines, is there similarly any such command-line utility or commands for providers?

Also, like with an Engine, we change the openssl.conf file to invoke the engine at runtime. Do we need to change the configuration file for the provider as well to load it at runtime?
Our project is starting from scratch and we are starting with OpenSSL 3.1.x, so we need to understand the provider implementation. Any pointer or input will be highly helpful to us.

Regards,
Kamal Joshi




On Fri, Sep 22, 2023 at 5:30 PM <openssl-users-request@xxxxxxxxxxx> wrote:


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Sep 2023 07:44:01 +0200
From: David von Oheimb <it@xxxxxxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: Re: pkey public key extraction
Message-ID: <52984fec-bb5a-11ad-49ab-6d77dece9dea@xxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Thanks Viktor for the very good comments below.

Here is a more general side remark on a side info by Stephen Doody:

> For info we're running openssl version 1.0.2k-fips on Centos 7 in an AWS EC2 instance.
OpenSSL 1.0.2 is heavily outdated.
Meanwhile, using anything below 3.0 is discouraged and imposes more or
less security risks.

A further motivation for upgrading to a recent OpenSSL version is that
the OpenSSL apps like x509
meanwhile have a significantly improved documentation and offer extended
options for advanced use.

    David

On 20.09.23 20:08, Viktor Dukhovni wrote:
> On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:
>
>> I'm hoping someone can point me in the right direction.
> Perhaps walk you there step by step...
>
>> We have a pem file that a colleague believes contains a private and a public key.
> More likely, a private key and a (public key) X.509 certificate (a
> certificate is basically a public key enclosed in a signed name binding
> attestation).
>
>> They want to extract the public key from the file and deploy that, so
>> a 3rd party service can access our system.
> Typically, the 3rd party would want your certificate, though some are
> sophisticated enough to directly use a "bare" public key.  The
> distinction is important, so you need to check *precisely* what they're
> looking for.
>
>> The command they suggested was:
>> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem
> This extracts a bare public key from the first private key in the PEM
> file.
>
>> The pubkey.pem file that is created only contains the public key and
>> nothing else, so the 3rd party service can no longer connect to our
>> system as it doesn't recognise this as a valid certificate and
>> complained that it was not trusted.
> This makes no sense, because if they wanted a public key, they got one.
> If they wanted a certificate, they should have asked for that, and not
> given you incorrect instructions for getting just the key.  It seems
> they need as much hand-holding as you do. :-(
>
>> I've read through the man pages for pkey and x509 and I've also tried
>> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem
> This extracts two PEM objects, the "bare" public key *and* the
> certificate (because you didn't also specify "-noout").
>
> And apparently, it was the certificate they were looking for after all.
>
>> The 3rd party service can now connect to our system but viewing the
>> details of the pubkey2.pem file it looks identical to the original
>> ourcert.pem file.
> Almost identical, it wouldn't have your private key.
>
>> Is pkey or x509 the right way to do this?
> Apparently "x509", and you don't need the "-pubout" option, that's not
> what they meant to ask you for.
>
>> If it is pkey, how do I extract the public key so that it generates a
>> valid certificate?
> This makes no sense.  A public key is not a certificate, and does not
> contain one.  It is the other way around.
>
> --
>      Viktor.
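Viktor's distinction above between a bare public key and a certificate, as an added example (written for this page, not part of the thread and not OpenSSL project code): the three commands discussed, run against a throw-away key-plus-certificate bundle generated here, with a count of the PEM objects each one produces. It assumes an OpenSSL 3.x openssl binary on PATH; the subject name, curve, file names and the key-first layout of the bundle are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: "openssl pkey -pubout" vs "openssl x509"
# against a key+certificate bundle like the "ourcert.pem" discussed above.
# Assumes an OpenSSL 3.x 'openssl' on PATH; names and subject are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUNDLE="$WORK/ourcert.pem"

# Constructed stand-in for the bundle: an unencrypted P-256 private key and
# its self-signed certificate, concatenated key-first as such files often are.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=example.test" -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
cat "$WORK/key.pem" "$WORK/cert.pem" > "$BUNDLE"

# Count the PEM objects with a given label in FILE; the thread's confusion
# ("looks identical", "only the public key") is exactly this inventory.
pem_count() {   # pem_count FILE LABEL
    grep -c "^-----BEGIN $2-----$" "$1" || true
}

# The colleague's command: a bare SubjectPublicKeyInfo from the first
# private key in the file. No certificate comes out of this.
extract_bare_pubkey() {   # extract_bare_pubkey BUNDLE OUT
    openssl pkey -in "$1" -pubout -out "$2"
}

# The command as run in the thread: -pubkey without -noout writes the bare
# public key AND the certificate, so the output is "almost identical" to
# the bundle, minus the private key.
extract_pubkey_and_cert() {   # extract_pubkey_and_cert BUNDLE OUT
    openssl x509 -in "$1" -pubkey -out "$2"
}

# What a relying party asking for "the certificate" usually wants: the
# certificate alone, private key left behind.
extract_cert() {   # extract_cert BUNDLE OUT
    openssl x509 -in "$1" -out "$2"
}

# Sanity check that the bare key and the key inside the certificate agree:
# both are the same SubjectPublicKeyInfo, so their digests match.
pubkeys_match() {   # pubkeys_match BUNDLE
    a=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    b=$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

extract_bare_pubkey "$BUNDLE" "$WORK/pubkey1.pem"
extract_pubkey_and_cert "$BUNDLE" "$WORK/pubkey2.pem"
extract_cert "$BUNDLE" "$WORK/cert-only.pem"
for f in "$BUNDLE" "$WORK/pubkey1.pem" "$WORK/pubkey2.pem" "$WORK/cert-only.pem"; do
    printf '%s: %s private key, %s public key, %s certificate\n' "$(basename "$f")" \
        "$(pem_count "$f" 'PRIVATE KEY')" "$(pem_count "$f" 'PUBLIC KEY')" \
        "$(pem_count "$f" CERTIFICATE)"
done
```

The inventory line for each file is the check worth doing before sending anything to a third party: a file with a PRIVATE KEY object must never leave the host, a file with only a PUBLIC KEY object is not a certificate, and the certificate-only file is what "send us your certificate" almost always means.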

