On Sun, Mar 20, 2011, Strecker, Dean A. wrote:

>
> Steve,
>
> The project I'm working on is not an SSL solution. I just need to
> create keys and sign certificates and a few other cryptographic
> activities. I'm using the OpenSSL crypto library to create/manage
> certificates. My only remaining hurdle is to sign the certs using an
> elliptic curve key and the HSM. Your reply seems to indicate that I
> should be able to accomplish that using the EVP_PKEY API. I currently
> assign the elliptic curve key (EC_KEY) to an EVP_KEY using EVP_PKEY_new
> and EVP_PKEY_assign_EC_KEY. If I'm reading correctly, I might be able to
> do something like call EVP_PKEY_meth_set_sign and then call x509_sign
> with the EVP_PKEY. Could it be that easy?
>

It is rather more complex than that. If you look in crypto/ec/ec_pmeth.c
you'll get some of the code involved. You can ignore a lot of it such as
the keygen and ECDH parts.

Then you have to encapsulate the result in an ENGINE.

I should point out that although this should work, there is only one
example at present and that just provides new functionality (GOST ENGINE)
and doesn't provide an alternative implementation of an existing algorithm.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org