Yes, that's how my more recent engine-based code works. Maybe the best thing is to merge those two code bases and get rid of this old stuff.

Thanks,
Andrew

On Tue, Dec 17, 2013 at 07:56:46PM +0100, Dr. Stephen Henson wrote:
> On Tue, Dec 17, 2013, andrew cooke wrote:
>
> > I should have also said that this is called by X509_REQ_sign.
> >
> > So, in short, the EVP_MD.digest attribute is not used to do signing when
> > passed to X509_REQ_sign.
> >
> > You know, it's only writing that the word "digest" has jumped out at me. Is
> > that even the right place for doing signing? Or is it meant to just calculate
> > a digest (hash)? So that confusion may not be helping things. Sorry.
>
> The usual way to intercept public key operations is by writing an
> appropriate <ALGORITHM>_METHOD for your implementation. For example in
> DSA_METHOD you can write a function that takes the raw digest to sign with as
> input and outputs the signature. This is normally part of an ENGINE.
>
> That technique will work with all versions of OpenSSL.
>
> There are examples in the engines directory. One makes use of CryptoAPI under
> Windows to redirect RSA and DSA signing operations, see e_capi.c.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
