I would like to use default implementations for some ECC operations but the OpenSC pkcs11 engine for other ECDSA operations.
At a high level I have a Sign() and a Verify() in one app on a server - the Sign() needs to be done via an HSM using the PKCS11 interface, using EVP functions. Keys for these operations differ. For system design reasons I want to do Verify() using default implementations, no HSM involved. This Verify() currently uses EC_KEY_new() and ECDSA_do_verify(). Even if I /wanted/ the HSM to do this, I was getting some FIPS errors despite turning off FIPS.

My thinking was to register the pkcs11 ECDSA functionality JUST before the Sign():

    if ( 1 != ( rc = ENGINE_register_ECDSA(HSM_ENGINE_pkcs11())))

then just after:

    ENGINE_unregister_ECDSA(HSM_ENGINE_pkcs11());

This is getting to the fringe of my understanding; any guidance is much appreciated.