On Thu, Mar 27, 2014, axisofevil wrote:
> I would like to use default implementations for some ECC operations but the
> OpenSC pkcs11 engine for other ECDSA operations.
>
> At a high level I have a Sign() & a Verify() in one app on a server - the
> Sign() needs to be done via an HSM using the PKCS11 interface, using EVP
> functions. Keys for these operations differ.
>
> For system design reasons I want to do Verify() using default
> implementations, no HSM involved. This Verify currently uses EC_KEY_new()
> and ECDSA_do_verify(). Even if I /wanted/ the HSM to do this I was getting some
> fips errors despite turning off fips.
>
> My thinking was to register the pkcs11 ECDSA functionality JUST before the
> Sign():
> if ( 1 != ( rc = ENGINE_register_ECDSA(HSM_ENGINE_pkcs11())))
> then just after
> ENGINE_unregister_ECDSA(HSM_ENGINE_pkcs11());
>
> This is getting to the fringe of my understanding; any guidance is much
> appreciated.
If the ENGINE only needs to support HSM private keys then you shouldn't register any methods at all. Calling ENGINE_load_private_key should get you the appropriate EVP_PKEY structure internally set to redirect operations as appropriate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org