overload key signing function for opensc tokens...

Kevin Stefanik kstef at mtppi.org
Tue Apr 8 03:25:12 EST 2003


My best guess... openssl immediately uses the engine if RSA_FLAG_SIGN_VER flag 
is set - it doesn't check if there is an engine defined.   In this case, in 
my debugging, rsa.engine is 0x0 and the ENGINE_get_RSA() called from  
RSA_sign call doesn't verify it before referencing an element of the 
structure, so it segfaults.  

Would a cleaner patch be to use the sc_get_engine() and assign an engine?  
That doesn't seem to be happening in sc_read_pubkey at the moment.  In fact, 
I can't see that sc_get_engine is called anywhere.   I'm currently using 
0.9.7a, so shouldn't USE_ENGINE be undefined?  What if there's no USE_ENGINE?  

I'll also make my way over to openssl to see if the RSA_sign should check for 
the engine or meth->rsa_sign instead of assuming the engine.  Would that be 
the only needed fix?  It works here.

Thanks,
Kevin

On Sunday 06 April 2003 04:31 am, Markus Friedl wrote:
> On Fri, Apr 04, 2003 at 05:44:18PM -0500, Kevin Stefanik wrote:
> > I wasn't having much luck getting a key and certificate stored on a
> > hardware token to work until I made this fix.  The ssh_rsa_sign key was
> > not using either overloading.  I used the rsa.meth way, instead of the
> > engine.
>
> why does RSA_sign not use the overloaded methods?
>
> -m




More information about the openssh-unix-dev mailing list