I am using OpenSC/libp11 to access an HSM. I need to sign some data using private key generated and stored on the HSM. From libp11 I use the function:
EVP_PKEY *PKCS11_get_private_key(PKCS11_KEY *key);
to get a pointer to the EVP_PKEY structure representing the private key. Next I use the openssl functions:
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
to perform the signing operation. All these functions return successful and even the corresponding EVP_DigestVerifyInit/Update/Final functions return successful.
My question is that, in my case, is the signing operation actually being performed by/on the HSM as it is supposed to be? I have not loaded the openssl pkcs11 engine explicitly (passed NULL to the ENGINE* arg in EVP_DigestSignInit), I did not even add the engine path in my openssl conf. If the pkcs11 engine is not being used, then why do the sign/verify functions return success?