For an existing implementation I have to support the following "openssl pkeyutl" signing execution flows:
[openssl 1.0.2k CLI] --> [engine] --> [backendSigningSystem]
[openssl 1.1.1 CLI] --> [engine] --> [backendSigningSystem]
In each case I use the "-inkey" openssl param to pass in a private key specification string that will be used by backendSigningSystem to look up the offboard private key (rather than using a local private key on the openssl server). The engine uses a REST API to hand the backend the key specification and the hash to be signed, and the backend returns a signature.
With RSA keys, my engine is able to instantiate an RSA_METHOD and override the rsa_priv_enc target, allowing the above to happen.
I now want to support both the above openssl versions for EC keys. Looking in the openssl 1.0.2k code base, it looks like I should be able to malloc an ECDSA_METHOD structure, set the ECDSA_do_sign method to my method, and bind that struct to the engine using ENGINE_set_ECDSA. I am in the process of trying this out and will report results here.
However, ecdsa.h for openssl 1.1.1 merely includes ec.h, which does not have ECDSA_METHOD or the other support that 1.0.2k did. How would I go about overriding ECDSA_METHOD targets in 1.1.1? Any pointers or guidance would be very appreciated.