PKCS#11 keys

Douglas E Engert deengert at
Sun Feb 14 02:13:40 AEDT 2021

You are partially right.
The rsa_idx, and ec_key_idx should not be set to 0, but should be set
using RSA_get_ex_new_index() as is done later in:

rsa_idx = RSA_get_ex_new_index(0, "ssh-pkcs11-rsa",

This then allows for multiple components to store data in a key.
The index is not of the key, but of extra data that can be stored in a key.
Thus every key can have its own "ssh-pkcs11-rsa" with different data.

The ec_key_idx is set in:
and is also in OpenSSL-1.0.2.

OpenSC/libp11 examples start here:

On 2/13/2021 8:22 AM, Dmitry Belyavskiy wrote:
> Dear Douglas,
> Everything is fine with methods. But I'm speaking about the variables rsa_idx and ec_key_idx, sorry for being unclear.
> They serve as handles in a global OpenSSL table and identify a pkcs11_data associated with a particular key, don't they?
> On Sat, Feb 13, 2021 at 3:07 PM Douglas E Engert <deengert at <mailto:deengert at>> wrote:
>     These lines are for METHODS, i.e. RSA_METHOD and EC_KEY_METHOD. RSA keys can share an RSA_METHOD,
>     and EC keys can share an EC_KEY_METHOD.  A method can be copied, for example an OpenSSL engine
>     for using PKCS11, would then provide the routines in the method to not use the default software version
>     of RSA signature or decrypting operations, but use PKCS11 to have these operations done on the token or smart card.
>     So for RSA keys on the token, all these keys would share a copied and modified RSA_METHOD PKCS11 method
>     where the rsa_idx in these keys is used to point to key specific data such as PkCS11 slot and KeyIDs.
>     On 2/12/2021 10:31 AM, Dmitry Belyavskiy wrote:
>      > Hello,
>      >
>      > Do I correctly understand that there can't be more than one key of each
>      > type of PKCS#11?
>      >
>      > The lines
>      >
>     <>
>      > seem to use the global variables for RSA/ECDSA pkcs11-related data
>      > structures.
>      >
>      > Many thanks!
>      >
>     -- 
>        Douglas E. Engert  <DEEngert at <mailto:DEEngert at>>
>     _______________________________________________
>     openssh-unix-dev mailing list
>     openssh-unix-dev at <mailto:openssh-unix-dev at>
> <>
> -- 
> Dmitry Belyavskiy


  Douglas E. Engert  <DEEngert at>

More information about the openssh-unix-dev mailing list