Re: [Opensc-devel] Fwd: ECDH Engine

[Alexander G. <ago...@gm...>]

Hi Doug,

On Tue, Oct 6, 2015 at 6:00 PM, Douglas E Engert <dee...@gm...> wrote:

> I see you sent the same message to the openssl-dev list yesterday, but no
> one has responded yet.
>

Yes, they do not response too fast :(. Looks like I will need to learn the
TLS protocol and all its options.

>
> OpenSC has a engine_pkcs11 that can do ECDSA, but no one has added ECDH
> yet. The main reason was that until OpenSSL-1.0.2 the routines in
> ECDSA_METHOD that needed to be replaced were not exposed, and
> it took years for the OpenSSL people to finally do something about this.
> They added ECDSA_METHOD_set_sign and ECDSA_METHOD_set_sign.
>
> I am afraid it might be years until the ECDH has the extra routines need
> to work with an engine. To get the
> ECDSA_METHOD changes into OpenSSL I had to get the engine working using
> the ecdsa/ec_locl.h header file
> to show what was actually needed.
>

We use the stable branch and we still need to use the ecdsa/ec_locl.h and
other internal header files for the ECDSA.

>
>
> On 10/6/2015 12:37 PM, Alexander Gostrer wrote:
> > Hi Doug,
> >
> > David suggested to contact you.
> > We are writing an openssl ECDH engine. All private keys are in the
> hardware (including ephemeral keys). I found that the DH_METHOD has both
> (*generate_key) and (*compute_key) methods while the
> > ECDH_METHOD has just the (*compute_key) method.
>
> Your have the ephemeral keys in hardware? Won't that require a different
> ephemeral key for every active connection?
>

You mean if the server has few open connections then we get into a problem
of luck of the hardware space? We didn't think about it for a reason...
Probably ephemeral keys in hardware will work on the client only. And will
limit it to one active connection only. I see your point.

>
> A key is a key, and there is a EC_KEY_generate_key defined in ec.h, that
> will work for ECDSA or ECDH.
> But the ability to generate_key may also need to be exposed if you need to
> have the ephemeral keys created on the card.
> I have not looked at what this would take.
>

Right but EC_KEY_generate_key() does not have a hook inside: it will
generate a key in the software. There are hooks in EVP_KEY (EVP_PKEY_METHOD
in ec_pmeth.c) but the SSL code calls ECC_KEY stuff only.

>
> >
> > We would like (once the engine is completed) to use standard
> SSL_accept() etc calls. But the compute_key() returns shared secret based
> on previously generated public/private key pair and the public
> > key is already sent to a peer). Is there a hook to replace the public
> key before it is sent out? Any ideas/plans about adding this hook into the
> code?
>
> Not sure how to answer this.
>

By any chance do you know who has the best knowledge of SSL/TLS
implementation of openssl and will want to answer few questions?


>
> >
> > Thank you,
> > Alex Gostrer.
> >
> >
> >     On Tue, Oct 6, 2015 at 7:54 AM, David Woodhouse <dw...@in...
> <mailto:dw...@in...>> wrote:
> >
> >         On Tue, 2015-10-06 at 07:52 -0700, Alexander Gostrer wrote:
> >          > Yeah, with ECDSA we have no problems. We thought about
> submitting a
> >          > patch but the code is pretty complicated and we weren't sure
> that we
> >          > completely understand it. Also we wanted to stick with the
> stable
> >          > version.
> >
> >         You need to fix it in HEAD first. Then we can talk about
> backporting to
> >         older versions.
> >
> >          >  Do you have Doug's email? Don't want to spam other people.
> >
> >         Probably best to use the opensc mailing list.
> >         ope...@li... <mailto:
> ope...@li...>
> >
> >         --
> >         dwmw2
> >
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> >
> >
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> >
>
> --
>
>   Douglas E. Engert  <DEE...@gm...>
>
>
>
> ------------------------------------------------------------------------------
> Full-scale, agent-less Infrastructure Monitoring from a single dashboard
> Integrate with 40+ ManageEngine ITSM Solutions for complete visibility
> Physical-Virtual-Cloud Infrastructure monitoring from one console
> Real user monitoring with APM Insights and performance trend reports
> Learn More
> http://pubads.g.doubleclick.net/gampad/clk?id=247754911&iu=/4140
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>