I wrote a self-defined OpenSSL engine and engine tester in ubuntu 20.4. And the OpenSSL version is 1.1.1.
The goal is to use engine in TLS session, and the first step is to use command line to sign a digest. The reference website is: https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms
But the tester use the engine by calling the function, like ECDSA_sign and ECDSA_verify in the code, which can’t act as expected. I hope to achieve the effect like:
$ openssl dgst -engine <engine_id> -sha256 -sign -out
So what should I do? And is this practicable? Thanks a lot!
Advertisement
Answer
That OpenSSL wiki page is useful for beginners to learn how OpenSSL engine works, but it is too old that a lot of APIs in the page has been deprecated, especially the ECC functions.
Yes it is practicable.
Copy your YOUR_ENGINE_NAME.so
to /usr/lib/x86_64-linux-gnu/engines-1.1/
, then edit /etc/openssl.cnf
to tell OpenSSL command line utility to start with loading your engine:
# Insert near top of file openssl.cnf: openssl_conf = openssl_init # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # ...... ...... # Insert at bottom of file openssl.cnf: [ openssl_init ] engines = engine_section [ engine_section ] YOUR_ENGINE_NAME = YOUR_ENGINE_NAME_section [ YOUR_ENGINE_NAME_section ] engine_id = YOUR_ENGINE_NAME dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/YOUR_ENGINE_NAME.so default_algorithms = ALL init = 1
You can put some printf
info in your engine’s init function. It will display after OpenSSL command line utility started if the engine is properly loaded:
$ openssl engine bind start YOUR_ENGINE init success OpenSSL>