[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-users
Subject: Re: [openssl-users] confusion with rsa_meth_st in a custom RSA engine
From: Ignacio Alamo Corsino <nacao2001 () hotmail ! com>
Date: 2017-08-23 12:22:48
Message-ID: DB6PR0701MB243993DA5388FCDC490E214FAE850 () DB6PR0701MB2439 ! eurprd07 ! prod ! outlook ! com
[Download RAW message or body]
Hello Brett,
First, to your comment: "I'm just confused as to at what point in the RSA e=
ncryption/decryption process my engine should be invoked at":
It really depends on how your hardware performs the operations.
I mean, you are right, if you set RSA_FLAG_EXT_PKEY then you only have to =
rewrite rsa_mod_exp but you have to make sure that you are at the right spo=
t when your
hardware jumps in.
This is (more or less) the workflow for RSA signing:
(obtain digest) -> RSA_sign (makes pkcs1 encoding) -> RSA_private_encrypt (=
makes padding and blinding) -> rsa_mod_exp (with flag) or bn_mod_exp (witho=
ut)
Each step makes different operations before calling the next function. So i=
f your hardware takes care of the pkcs1 encoding and so on, then you should=
overwrite RSA_sign
(using the RSA_FLAG_SIGN_VER flag) but if you are sure that it only perform=
s the rsa_mod_exp operations then go ahead and rewrite it with your userspa=
ce API.
I found really helpful to read the OpenSSL default rsa_method to see how RS=
A works: /crypto/rsa/rsa_ossl.c
Sorry if I could not directly answer your question on which method you shou=
ld overwrite but I hope this info helps you to find out.
Regards,
Ignacio
________________________________
De: openssl-users <openssl-users-bounces@openssl.org> en nombre de Brett R.=
Nicholas <Brett.R.Nicholas.TH@dartmouth.edu>
Enviado: mi=E9rcoles, 23 de agosto de 2017 3:44
Para: openssl-users@openssl.org
Asunto: [openssl-users] confusion with rsa_meth_st in a custom RSA engine
I am trying to develop a engine for a custom RSA hardware accelerator, and =
have a few questions about the RSA_METHOD stucture implementation.
Some context: for encryption, my accelerator takes as inputs the base, publ=
ic exponent, and modulus, and returns the resulting ciphertext. For decrypt=
ion, it takes as inputs the base, and modulus. It does not need a private k=
ey, as this is stored in hardware, and can only be configured through an ou=
t-of-band channel. I already have a kernel module that exposes an API to us=
erspace programs to use the accelerator. Now I just need to integrate it in=
to openSSL.
I've already created a similar engine for AES and SHA256, however I'm strug=
gling with RSA. Ideally, I'd like to not have to worry about anything other=
than just performing the modular exponentiation on a pre-padded and prepar=
ed chunk of data. For SHA and AES, this is straightforward: all that was ta=
ken care of by the EVP interface, so all I needed to worry about was gettin=
g the data two and from my accelerators. But it doesn't appear to be as sim=
ple for RSA (pls correct me if I'm wrong).
I'm confused as to which RSA_METHOD function pointers that my engine needs =
to implement. I show the structure below for reference:
struct rsa_meth_st {
char *name;
int (*rsa_pub_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int (*rsa_pub_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int (*rsa_priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int (*rsa_priv_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)=
;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
/* ....stuff.... */
int flags;
/* .... stuff ... */
}; // TYPEDEF'ED TO RSA_METHOD in include/ossl_typ.h
So, three questions:
1. Is it possible for the standard OpenSSL RSA implementation to use my =
engine's "modular exponentiation" function, without having to rewrite the R=
SA_[public|private]_[encrypt|decrypt] family of functions from /include/ope=
nssl/rsa.h?
2. If so, does it suffice to only implement the rsa_mod_exp function? Or=
must I implement both public_enc/dec and private_enc/dec functions as well=
? I ask, because the source code for the old Intel RSAX engine (https://gis=
t.github.com/bigbrett/91903f773f9d150b7329c7d462cd220a) does this, but I ca=
n't figure out how and when in the "RSA flow" the engine's function gets in=
voked.
3. In /include/openssl/rsa.h, I saw the following macro for the RSA_MET=
HOD flag field (line 55):
/*
* This flag means the private key operations will be handled by rsa_mod_ex=
p
* and that they do not depend on the private key components being present:
* for example a key stored in external hardware. Without this flag
* bn_mod_exp gets called when private key components are absent.
*/
# define RSA_FLAG_EXT_PKEY 0x0020
Does this mean that if I use this flag in the "flags" field of RSA_METHOD, =
that I DO NOT need to implement rsa_pub_enc/dec and friends? I guess I'm ju=
st confused as to at what point in the RSA encryption/decryption process my=
engine should be invoked at.
FWIW I'm planning on releasing a comprehensive engine tutorial and some doc=
umentation for all this stuff once I finish (will already be written up in =
my thesis), so I want to make sure I get these details ironed out!
Any words of wisdom would be greatly appreciated.
Best,
Brett
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} \
--></style> </head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); \
font-family: Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color \
Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI \
Symbol","Android Emoji",EmojiSymbols;" dir="ltr"> <p>Hello Brett,</p>
<p><br>
</p>
<p>First, to your comment: "<span>I'm just confused as to at what point in the \
RSA encryption/decryption process my engine should be invoked at</span>":</p> \
<p>It really depends on how your hardware performs the operations. <br> </p>
<p><br>
</p>
<p>I mean, you are right, if you set <span style="font-family:"Courier \
New",monospace; font-size:10pt"> RSA_FLAG_EXT_PKEY</span> <span> then you \
only have to rewrite <span>rsa_mod_exp but you have to make sure that you are at \
the right spot when your <br>
</span></span></p>
<p><span><span>hardware jumps in. <br>
</span></span></p>
<br>
This is (more or less) the workflow for RSA signing:<br>
<br>
(obtain digest) -> RSA_sign (makes pkcs1 encoding) -> <span \
class="pl-c1">RSA_private_encrypt</span> (makes padding and blinding) -> <span \
class="pl-c1">rsa_mod_exp</span> (<span class="pl-c1">with flag</span>) or <span \
class="pl-c1">bn_mod_exp</span> (without)<span class="pl-en"></span><br> <br>
Each step makes different operations before calling the next function. So if your \
hardware takes care of the pkcs1 encoding and so on, then you should overwrite \
RSA_sign<br> (using the <span>RSA_FLAG_SIGN_VER</span> flag) but if you are sure that \
it only performs the rsa_mod_exp operations then go ahead and rewrite it with your \
userspace API.<br> <br>
I found really helpful to read the OpenSSL default rsa_method to see how RSA works:
<span>/crypto/rsa/rsa_ossl.c</span><br>
<br>
Sorry if I could not directly answer your question on which method you should \
overwrite but I hope this info helps you to find out.<br> <br>
Regards,<br>
<br>
Ignacio<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" \
face="Calibri, sans-serif"><b>De:</b> openssl-users \
<openssl-users-bounces@openssl.org> en nombre de Brett R. Nicholas \
<Brett.R.Nicholas.TH@dartmouth.edu><br> <b>Enviado:</b> miércoles, 23 de agosto \
de 2017 3:44<br> <b>Para:</b> openssl-users@openssl.org<br>
<b>Asunto:</b> [openssl-users] confusion with rsa_meth_st in a custom RSA \
engine</font> <div> </div>
</div>
<div>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); \
font-family: Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color \
Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI \
Symbol","Android Emoji",EmojiSymbols,"EmojiFont","Apple \
Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI \
Symbol","Android Emoji",EmojiSymbols;"> <p>I am trying to develop a \
engine for a custom RSA hardware accelerator, and have a few questions about the \
RSA_METHOD stucture implementation. </p> <p><br>
</p>
<p><span>Some context: for encryption, my accelerator takes as inputs the base, \
public exponent, and modulus, and returns the resulting ciphertext. For decryption, \
it takes as inputs the base, and modulus. It does not need a private key, as this is \
stored in hardware, and can only be configured through an out-of-band channel. I \
already have a kernel module that exposes an API to userspace programs to use the \
accelerator. Now I just need to integrate it into openSSL.</span></p> <p><br>
</p>
<p><span>I've already created a similar engine for AES and SHA256, however I'm \
struggling with RSA. Ideally, I'd like to not have to worry about anything other than \
just performing the modular exponentiation on a pre-padded and prepared chunk of \
data. For SHA and AES, this is straightforward: all that was taken care of by the \
EVP interface, so all I needed to worry about was getting the data two and from my \
accelerators. But it doesn't appear to be as simple for RSA (pls correct me if I'm \
wrong).</span><br> </p>
<p><br>
</p>
<p>I'm confused as to which RSA_METHOD function pointers that my engine needs to \
implement. I show the structure below for reference:</p> <div><span \
style="font-family:"Courier New",monospace; font-size:10pt">struct \
rsa_meth_st {</span><br> <span style="font-family:"Courier New",monospace; \
font-size:10pt"> char *name;</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> int (*rsa_pub_enc) (int flen, const unsigned char \
*from,</span><br> <span style="font-family:"Courier New",monospace; \
font-size:10pt"> \
unsigned char *to, RSA *rsa, int padding);</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> int (*rsa_pub_dec) (int flen, const unsigned char \
*from,</span><br> <span style="font-family:"Courier New",monospace; \
font-size:10pt"> \
unsigned char *to, RSA *rsa, int padding);</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> int (*rsa_priv_enc) (int flen, const unsigned char \
*from,</span><br> <span style="font-family:"Courier New",monospace; \
font-size:10pt"> \
unsigned char *to, RSA *rsa, int padding);</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> int (*rsa_priv_dec) (int flen, const unsigned char \
*from,</span><br> <span style="font-family:"Courier New",monospace; \
font-size:10pt"> \
unsigned char *to, RSA *rsa, int padding);</span><br> <br>
<span style="font-family:"Courier New",monospace; \
font-size:10pt"> int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, \
RSA *rsa, BN_CTX *ctx);</span><br> <br>
<span style="font-family:"Courier New",monospace; \
font-size:10pt"> int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, \
const BIGNUM *p,</span><br> <span style="font-family:"Courier \
New",monospace; \
font-size:10pt"> \
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> /* ....stuff.... */</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> int flags;</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> /* .... stuff ... */</span><br> <span \
style="font-family:"Courier New",monospace; font-size:10pt">}; // \
TYPEDEF'ED TO RSA_METHOD in include/ossl_typ.h</span></div> <p></p>
<p><br>
</p>
<p><b>So, three questions: <br>
</b></p>
<p><b><br>
</b></p>
<ol style="margin-bottom:0px; margin-top:0px">
<li><b>Is it possible for the standard OpenSSL RSA implementation to use my engine's \
"modular exponentiation" function, without having to rewrite the \
RSA_[public|private]_[encrypt|decrypt] family of functions from \
<span>/include/openssl/rsa.h</span>? <br> </b></li><li><b>If so, does it \
suffice to only implement the rsa_mod_exp function? </b>Or must I implement both \
public_enc/dec and private_enc/dec functions as well? I ask, because the source code \
for the old Intel RSAX engine (<a \
href="https://gist.github.com/bigbrett/91903f773f9d150b7329c7d462cd220a" \
class="OWAAutoLink" id="LPlnk486837" \
previewremoved="true">https://gist.github.com/bigbrett/91903f773f9d150b7329c7d462cd220a</a>)
does this, but I can't figure out how and when in the "RSA flow" the \
engine's function gets invoked.<b></b></li><li>In \
<span>/include/openssl/rsa.h</span>, I saw the following macro for the RSA_METHOD \
flag field (line 55): <br>
</li></ol>
<p></p>
<div><span style="font-family:"Courier New",monospace; \
font-size:10pt">/*</span><br> <span style="font-family:"Courier \
New",monospace; font-size:10pt"> * This flag means the private key \
operations will be handled by rsa_mod_exp</span><br> <span \
style="font-family:"Courier New",monospace; font-size:10pt"> * and \
that they do not depend on the private key components being present:</span><br> <span \
style="font-family:"Courier New",monospace; font-size:10pt"> * for \
example a key stored in external hardware. Without this flag</span><br> <span \
style="font-family:"Courier New",monospace; font-size:10pt"> * \
bn_mod_exp gets called when private key components are absent.</span><br> <span \
style="font-family:"Courier New",monospace; \
font-size:10pt"> */</span><br> <span style="font-family:"Courier \
New",monospace; font-size:10pt"># define \
RSA_FLAG_EXT_PKEY \
0x0020</span><br> <br>
</div>
<p><b>Does this mean that if I use this flag in the "flags" field of \
RSA_METHOD, that I DO NOT need to implement rsa_pub_enc/dec and friends? </b>I guess \
I'm just confused as to at what point in the RSA encryption/decryption process my \
engine should be invoked at. <br>
</p>
<br>
<p>FWIW I'm planning on releasing a comprehensive engine tutorial and some \
documentation for all this stuff once I finish (will already be written up in my \
thesis), so I want to make sure I get these details ironed out!<br> </p>
<p></p>
<div>
<p><br>
</p>
Any words of wisdom would be greatly appreciated. </div>
<br>
<p></p>
<p>Best,</p>
<p>Brett<br>
</p>
<br>
</div>
</div>
</div>
</div>
</body>
</html>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--===============8471434944737969918==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic