Discussion:
External client certificate signature function
Fredrik Jansson
2014-10-13 11:48:34 UTC
Hi!

I have a device where I cannot access the client certificate's private
key directly, but have access to verification and signature functions.

The certificate, in DER format, is accessible.

I need to use client certificates in my TLS connection and found the
SSL_CTX_set_client_cert_cb function. I can convert the encoded cert to
an X509 structure and return that, but I cannot provide it with an
EVP_PKEY object.

Is there any way I can instruct any of the SSL_CTX, SSL or EVP_PKEY
objects to call a signature function (that I provide) during the
handshake?

Best regards,
Fredrik Jansson
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Dr. Stephen Henson
2014-10-13 16:08:23 UTC
Post by Fredrik Jansson
Hi!
I have a device where I cannot access the client certificate's private
key directly, but have access to verification and signature functions.
The certificate, in DER format, is accessible.
I need to use client certificates in my TLS connection and found the
SSL_CTX_set_client_cert_cb function. I can convert the encoded cert to
an X509 structure and return that, but I cannot provide it with an
EVP_PKEY object.
Is there any way I can instruct any of the SSL_CTX, SSL or EVP_PKEY
objects to call a signature function (that I provide) during the
handshake?
An EVP_PKEY structure doesn't have to contain the private key components; it
can contain just the public components. Private key operations can be
redirected to a function which performs the necessary operation.

How you do that depends on the signing function you have available. Typically
you'll write a *_METHOD for the key type and an ENGINE to contain it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Fredrik Jansson
2014-10-15 11:48:46 UTC
Hi Steve!

I will try to take that path, thank you!

//Fredrik
Fredrik Jansson
2014-10-15 12:12:37 UTC
I just realised I can create an RSA_METHOD object and set that in my engine.

But what about ECDSA_ENGINE?

There is no struct definition available in the public headers, and no
public functions to change the members of the struct, e.g. set a new
signing function.

Is this not possible with ECDSA?

Warm regards,
Fredrik
Dr. Stephen Henson
2014-10-15 13:09:53 UTC
Post by Fredrik Jansson
I just realised I can create an RSA_METHOD object and set that in my engine.
But what about ECDSA_ENGINE?
There is no struct definition available in the public headers, and no
public functions to change the members of the struct, e.g. set a new
signing function.
Is this not possible with ECDSA?
This is supported in OpenSSL 1.0.2 (currently in beta) which has some
ECDSA_METHOD_* functions which allow you to set up an ECDSA_METHOD structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org