How to use OpenSSL command line to operate(signature, for example) after loading OpenSSL engine?

527 views Asked by At

I wrote a self-defined OpenSSL engine and engine tester in ubuntu 20.4. And the OpenSSL version is 1.1.1.

The goal is to use engine in TLS session, and the first step is to use command line to sign a digest. The reference website is: https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms

But the tester use the engine by calling the function, like ECDSA_sign and ECDSA_verify in the code, which can't act as expected. I hope to achieve the effect like:

$ openssl dgst -engine <engine_id> -sha256 -sign -out

So what should I do? And is this practicable? Thanks a lot!

1

There are 1 answers

0
yoyozi On BEST ANSWER

That OpenSSL wiki page is useful for beginners to learn how OpenSSL engine works, but it is too old that a lot of APIs in the page has been deprecated, especially the ECC functions.

Yes it is practicable.

Copy your YOUR_ENGINE_NAME.so to /usr/lib/x86_64-linux-gnu/engines-1.1/, then edit /etc/openssl.cnf to tell OpenSSL command line utility to start with loading your engine:

# Insert near top of file openssl.cnf:
openssl_conf = openssl_init

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

......
......

# Insert at bottom of file openssl.cnf:
[ openssl_init ]
engines = engine_section
[ engine_section ]
YOUR_ENGINE_NAME = YOUR_ENGINE_NAME_section
[ YOUR_ENGINE_NAME_section ]
engine_id = YOUR_ENGINE_NAME
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/YOUR_ENGINE_NAME.so
default_algorithms = ALL
init = 1

You can put some printf info in your engine's init function. It will display after OpenSSL command line utility started if the engine is properly loaded:

$ openssl
engine bind start
YOUR_ENGINE init success
OpenSSL>