Dear Dr.Pala, You can take a look at
https://github.com/gost-engine/engine/blob/master/gost_eng.c and use OBJ_create (https://www.openssl.org/docs/man3.0/man3/OBJ_create.html) to register new NIDs. If you want just PKI/CMS, it would be enough. I should notice that ENGINE interface is deprecated so for OpenSSL 3.0 you'd better implement a provider for your purposes. On Tue, Aug 30, 2022 at 6:58 PM Dr. Pala <direc...@openca.org> wrote: > Dear OpenSSL, > > I have a question for the community. Specifically, I am changing the > implementation that we are working on for Composite Crypto from directly > patching the OpenSSL library with a new method, we want to add it > dynamically - this makes it easier to use Composite Crypto with existing > OpenSSL deployments. > > One very discouraging thing when you do that is that with all the masking > of data structures, it becomes quite difficult to work on low-level > implementations and it might require including some definitions of data > structures. > > Besides this side-notes, the issue we are facing is related to how to link > the OID for the public key algorithm with the NID for the dynamically added > one. Let me explain with some code. > > When our LibPKI starts up, it initializes the crypto layer and adds the > Composite method by using the EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD: > // We Need to initialize the ASN1 conversion method > // https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_ASN1_METHOD.html > if (!EVP_PKEY_asn1_add0(&combined_asn1_meth)) return 0; > // We also Need to initialize the PKEY method for the algorithm > // https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_METHOD.html > if (!EVP_PKEY_meth_add0(&combined_pkey_meth)) return 0; > > However, as part of the two structures, the pkey NID is already defined in > the structure (pkey_id). This was all working fine because the pkey_id was > the NID_composite that was originally generated via the objects tools > (i.e., you can use the two functions OBJ_nid2obj() and OBJ_obj2nid() with > the NID_composite value), however... I cannot find how to do this with the > static version. > > I tried to create the object with the OBJ_create() first and then assign > it to the relevant fields of the methods: > // Let's create the Initial OID for Composite Crypto > NID_composite = OBJ_create("1.3.6.1.4.1.18277.2.1", "composite", > "pk-Composite"); > if (NID_composite == NID_undef) return 0; > // // Assigns the generated IDs > composite_asn1_meth.pkey_id = NID_composite; > composite_asn1_meth.pkey_base_id = NID_composite; > composite_pkey_meth.pkey_id = NID_composite; > > right before adding the method(s) to the library with the > EVP_PKEY_meth_add0() and EVP_PKEY_asn1_add0(). This seems a bit clunky to > me and I am facing some weird memory issue when I assign the pkey_id on the > pkey meth (but that can simply be an issue with a pointer somehow... ). > > I was wondering if there is a better approach. > > Specifically, I was thinking about generating the methods data structures > with the dynamic allocation (EVP_PKEY_meth_new) and then assigning the > different callbacks instead of using the _add0() functions ... however also > that approach requires us, if I am not mistaken, to generate the OIDs > first, retrieve the ID from it, and then use the > EVP_PKEY_meth_new()/EVP_PKEY_asn1_new() to generate the new methods. This > second approach requires a bit more code to do all the assigning (instead > of just assigning the structure once) but it helps with not requiring > exporting the internals of the method(s) structure itself. > > Is there a better way to provide the algorithm? > > The last path that I was thinking was to provide an ENGINE implementation, > but that seemed a bit more complicated (probably mostly because I have > never had to implement the interface...). > > Thank you for your help and have a wonderful day! > Cheers, > Max > > -- > Best Regards, > Massimiliano Pala, Ph.D. > OpenCA Labs Director > [image: OpenCA Logo] > -- SY, Dmitry Belyavsky
