Steve,

The project I'm working on is not an SSL solution. I just need to create keys and sign certificates and a few other cryptographic activities. I'm using the OpenSSL crypto library to create/manage certificates. My only remaining hurdle is to sign the certs using an elliptic curve key and the HSM. Your reply seems to indicate that I should be able to accomplish that using the EVP_PKEY API. I currently assign the elliptic curve key (EC_KEY) to an EVP_PKEY using EVP_PKEY_new and EVP_PKEY_assign_EC_KEY. If I'm reading correctly, I might be able to do something like call EVP_PKEY_meth_set_sign and then call X509_sign with the EVP_PKEY. Could it be that easy?
Thanks,
Dean

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Sunday, March 20, 2011 12:17 PM
To: openssl-users@openssl.org
Subject: Re: elliptic Curve Key Generation

On Sat, Mar 19, 2011, Strecker, Dean A. wrote:

> Steve,
>
> Thank you for your response for creating an elliptic curve key (EC_KEY).
> It worked well. I'm not sure what the difference between
> EC_POINT_set_affine_coordinates_GFp and
> EC_POINT_set_affine_coordinates_GF2m is. Time for some research.
>
> In the same vein of using an HSM for creating the elliptic key, I would
> like to use the HSM for signing data. In particular, I want to sign
> X509 certs. I have studied code for X509_sign. I think I can use
> ASN1_ITEM_rptr and ASN1_item_i2d to extract the certificate data to be
> signed by the HSM. I have not figured out how to save r and s from the
> HSM and set appropriate cert info (e.g., algorithm) for correctly signing
> the cert.
>

This needs to be done via an ENGINE. You currently can't redirect signing calls for EC in all operations[*] but you can for RSA, DSA.

You don't mess around with ASN1_item or anything like that: the data to be signed is sent to a callback and you send back the signed data.

Steve.

[*] It is possible through the EVP_PKEY API which is used for signing certificates but it isn't currently used for SSL/TLS.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org