Question

I have hardware that I use to generate RSA keys and signatures. I need two things:

1) Generate a certificate request. With the hardware I can get the public key for the certificate and do the signing part. I need the code to do the certificate generation, i.e., do the ASN.1/DER/PEM stuff.

2) Sign data using S/MIME. Again, I will use the hardware to do the signing part, but I need the code to do the format part: PKCS#7 to envelop both a signature and an x509 certificate resulting from the previous task.

So I could use openssl both to generate the CSR and the S/MIME formats, but openssl requires a private key to sign for such tasks, and as I said, I do the signing via hardware. I know there is a mechanism called "engines" to plug hardware functions into openssl, but it uses dynamic libraries, which are not supported on my platform (early uClinux for ARM).

So the question is: is there any other way I could force openssl to take an external public key, and more importantly, to delegate the signing to my hardware? Otherwise, would you recommend another C/C++ library I could use to do this? I really don't need a cryptographic library; a library that knows how to generate those formats (certificate requests and S/MIME) would suffice.


Solution

Engines are still your way to go, as they are the only way to offload cryptographic tasks using OpenSSL away from the library itself. As far as I understand you, you can build anything but it has to be statically linked into OpenSSL because you cannot load shared libraries (or build them?). I don't actually know uClinux, so bear with me here.

From what I remember, loading shared libraries is actually done through an engine called `dynamic`, which is a special engine to support such loading. That means OpenSSL's default assumption is that you will link during compile time and the engine can be considered readily available inside OpenSSL.

So what you want to do is create an engine that is capable of performing crypto on existing keys and build it together with OpenSSL. As an example, try to build OpenSSL natively (without modification) and run `openssl engine`. It will readily show you all builtin engines (one of which is `dynamic`, but there are others such as `chil` for nCipher HSMs).

I had a similar problem about two years ago (though I already had a working engine) where I first needed to create a CSR w/ private key and then do crypto with that (or a different) private key (actually PKCS#7 as well). My solution was to use the command line tools to generate the key and CSR and only use OpenSSL for the most important cryptographic operations, i.e. signing and decrypting (I actually only needed the RSA sign and dec functions).

OpenSSL is a horribly documented project and I had to read a lot of its source code to get things working correctly. To get your engine up and running, I suggest you read some source code of engines (among others, I worked with `e_capi.c`, which I found fairly easy to understand). For the actual engine usage, you might find some of my sscep source code helpful.

The very nice thing about engines: once they are initialized, they operate transparently, which means you initialize an engine, load a key from it and then you are set: passing this key to OpenSSL's crypto functions is no different than using a native key.
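
The split the question describes (software does the ASN.1/DER formatting, the device does the signing) can be seen in the outer layer of a PKCS#10 request. The following is an added example, not code from the answer, from OpenSSL or from sscep; `hw_sign_fn`, `csr_wrap` and `stub_sign` are hypothetical names, and it assumes the device hashes and signs with RSA PKCS#1 v1.5 / SHA-256 and that the `CertificationRequestInfo` (subject, public key, attributes) is already DER-encoded.

```c
#include <stddef.h>
#include <string.h>
typedef unsigned char u8;
/* Hypothetical hardware hook: hashes and signs tbs inside the device
 * (RSA PKCS#1 v1.5, SHA-256); returns signature length, or 0 on failure. */
typedef size_t (*hw_sign_fn)(const u8 *tbs, size_t n, u8 *sig, size_t cap);

/* AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL */
static const u8 ALG[] = { 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
                          0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00 };

/* Write a DER tag and definite length (len <= 0xFFFF); returns bytes written. */
static size_t der_hdr(u8 *o, u8 tag, size_t len)
{
    size_t n = 0;
    o[n++] = tag;
    if (len >= 0x100) { o[n++] = 0x82; o[n++] = (u8)(len >> 8); }
    else if (len >= 0x80) o[n++] = 0x81;
    o[n++] = (u8)(len & 0xFF);
    return n;
}

/* CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, BIT STRING }.
 * The DER bytes of info are exactly what is signed. Returns length, 0 on error. */
size_t csr_wrap(const u8 *info, size_t info_len, hw_sign_fn sign,
                u8 *out, size_t out_cap)
{
    u8 sig[512], tmp[4];                       /* room for RSA-4096 */
    size_t sig_len = sign(info, info_len, sig, sizeof sig);
    if (sig_len == 0 || sig_len > sizeof sig) return 0;
    size_t bits = 1 + sig_len;                 /* unused-bits octet + signature */
    size_t body = info_len + sizeof ALG + der_hdr(tmp, 0x03, bits) + bits;
    if (body > 0xFFFF || der_hdr(tmp, 0x30, body) + body > out_cap) return 0;
    size_t p = der_hdr(out, 0x30, body);
    memcpy(out + p, info, info_len);  p += info_len;
    memcpy(out + p, ALG, sizeof ALG); p += sizeof ALG;
    p += der_hdr(out + p, 0x03, bits);
    out[p++] = 0x00;                           /* no unused bits */
    memcpy(out + p, sig, sig_len);
    return p + sig_len;
}

/* Constructed stand-in for the device: a fixed 256-byte "signature". */
static size_t stub_sign(const u8 *tbs, size_t n, u8 *sig, size_t cap)
{
    (void)tbs; (void)n;
    if (cap < 256) return 0;
    memset(sig, 0xAB, 256);
    return 256;
}
```

Base64-encoding the returned bytes between `-----BEGIN CERTIFICATE REQUEST-----` and `-----END CERTIFICATE REQUEST-----` lines gives the PEM form.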

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow