DNSSEC Signers and OpenSSL
(No Ratings Yet)
Loading ...We have been playing with the various dnssec zone signers to see how they could work with crypto hardware like the SCA6000 I blogged about the other day. However all of them expect the public and private keys to be stored on disk and have their own code to push these keys into openssl. Clearly this makes telling them to use a key stored in an HSM impossible. Based on our initial observations we suggest that signers should take the following approach.
- Use the OpenSSL EVP API.
- When you need to put the public keys into the zone ask openssl for them
- Always use openssl to handle the keys. If you want them put in a file then tell openssl to do it.
The EVP API is a high level layer of abstraction that can be used with message digests, symmetric ciphers and public key algorithms like RSA and DSA. This is an example of some code that will use EVP to sign the message “Hello World!” with RSA SHA1 using a key with the id=63 in the SCA6000 keystore. It uses the opensc pkcs11 engine to talk to the keystore. (This code is hacked together from examples in the openssl man pages)
#include <stdio.h>
#include <stdlib.h>
#include <openssl/engine.h>
#include <openssl/conf.h>
int main(int argc, char *argv[])
{
ENGINE *e;
const char *engine_id = "pkcs11";
const char *key_id = "63";
UI_METHOD *ui_method;
EVP_PKEY *priv_key;
void *cb_data;
const char *config_name = NULL;
const EVP_MD *md_type;
EVP_MD_CTX ctx;
unsigned char sig[256];
unsigned int s, i;
if(!argv[1]) {
printf("Usage: EVP_signer digestnamen");
exit(1);
}
/* Load the config file */
OPENSSL_config(config_name);
/* Register engine */
printf("Registering enginen");
e = ENGINE_by_id(engine_id);
if(!e) {
/* the engine isn't available */
printf("The engine isn't availablen");
return;
}
if(!ENGINE_init(e)) {
/* the engine couldn't initialise, release 'e' */
printf("The engine couldn't initialisen");
ENGINE_free(e);
return;
}
if(!ENGINE_register_RSA(e)){
/* This should only happen when 'e' can't initialise, but the previous
* statement suggests it did. */
printf("This should not happenn");
abort();
}
/* Load private key */
printf("Loading private keyn");
priv_key = ENGINE_load_private_key(e, key_id, ui_method, &cb_data);
/* Create a message to sign */
printf("Creating messagen");
char message[] = "Hello World!";
/* initializes a signing context */
printf("Init ctxn");
OpenSSL_add_all_digests();
md_type = EVP_get_digestbyname(argv[1]);
if(!md_type) {
printf("Unknown message digest %sn", argv[1]);
exit(1);
}
EVP_MD_CTX_init(&ctx);
EVP_SignInit(&ctx, md_type);
/* Update the context with the message */
printf("Update ctxn");
EVP_SignUpdate(&ctx, message, strlen(message));
/* Do the signing */
printf("SIGN!n");
EVP_SignFinal(&ctx, sig, &s, priv_key);
/* Print out the sig */
printf("Sig is: ");
for(i = 0; i < s; i++) printf("%02x", sig[i]);
printf("n");
/* Cleanup */
printf("Cleanupn");
EVP_MD_CTX_cleanup(&ctx);
/* Release the functional reference from ENGINE_init() */
ENGINE_finish(e);
/* Release the structural reference from ENGINE_by_id() */
ENGINE_free(e);
}
February 22nd, 2007 at 9:18 am
If you are looking for ways to speed up RSA signing you may be interested in http://www.via.com.tw/en/initiatives/padlock/features.jsp#rsa
Kim Minh.
April 12th, 2007 at 2:11 pm
[…] OpenSSL provides a set of engine functions to allow you to access cryptographic modules. I have used these before to access a Sun SCA6000 via pkcs11. In those examples I always assumed the necessary configuration settings were in the openssl config file. However some settings would be better set on the fly. For example, you wouldn’t want the password required to access the keystore to be kept on disk in the config file. […]