List:       openssl-users
Subject:    Re: Question on porting custom ENGINE to provider (OpenSSL v3.0.10)
From:       Timo Herbrecher <t.herbrecher () gateware ! de>
Date:       2023-11-20 11:12:03
Message-ID: 3d7d4cb0-ba7c-45d8-bd2e-a2813c075ff5 () gateware ! de

> There must be some things done in your provider and in the application
> (or OpenSSL configuration) to make this work seamlessly.
> 
> 1. The provider must properly fail attempts to export the private key.
> I.e., it must never export a public key when it is asked to export a
> full keypair.

That is already implemented in the provider. If the 
OSSL_KEYMGMT_SELECT_PRIVATE_KEY bit is set in the selection_mask, the 
provider export function returns 0.

> 2. The default property query must deprioritize your provider.
> I.e., "?provider!=yourprovider"

That did the trick. If I specify the statement as mentioned as the 
propq argument of the SSL_CTX_new_ex() function, the TLS connection is 
established and the signature is generated from the key stored in my 
secure element.
But it did not work if I set it in my default query with 
EVP_set_default_properties().

> 3. When your application wants to use the key from your provider it
> needs to load it via a store uri.

That was also already implemented.

> With this above everything should work correctly.

Thank you very much for pointing me in the right direction.

Best regards,
Timo