[xmlsec] Proposed patch to allow OpenSSL/ENGINE operations

Erwann ABALEA erwann.abalea at keynectis.com
Fri Jul 8 02:45:54 PDT 2005

Hodie post. Non. Iul. MMV est, Aleksey Sanin scripsit:
> Yes, this is better but ... I believe there should be
> even better way :) Have you looked at RSA_FLAG_EXT_PKEY flag?

Yes, it was introduced by OpenSSL 0.9.4, before the introduction of
the ENGINE part.

> From code in the crypto/rsa/rsa_eay.c file it looks like
> it is used to determine whether rsa->d will be used or not.

Nearly, yes. More precisely, it determines wether OpenSSL can use CRT
parameters to speed up the modular exponentiation, or do the standard
modular exponentiation with the full size private exponent.

> And in the same time, the same flag is used in engines/
> for *all* private keys :) Note that I am looking at source
> code for OpenSSL 0.9.8 and things might be different for
> older versions.

It works like this even on older versions (I use 0.9.7g), but some
ENGINEs don't set this flag. In fact, this flag is useful only for
specific ENGINEs, ones that can accelerate private key operations
while allowing the host to actually 'see' the private key (i.e. the
host holds the private key in memory, and the hardware token performs
the crypto operation). It doesn't work for secure tokens, such as the
ones I use (Luna cards, or Bull Trustway cards), for which a private
key can't leave the token and can't be injected into the token (it has
to be generated onboard).

So this flag can't be used for this purpose, unfortunately.

Erwann ABALEA <erwann.abalea at keynectis.com>

More information about the xmlsec mailing list