Attach an ENGINE context to a SSL_CTX


Question

I am wondering if there is a possibility to attach an ENGINE* implementation to an SSL_CTX* and/or SSL* structure. What I want to achieve is to have an SSL_CTX* that will be set with the default cryptographic operations built into OpenSSL and another SSL_CTX* that will use a dedicated HSM as the crypto layer.

Is there a way that I can achieve this? From what I've read, one could register and set to default some cryptographic operations (random, ciphers, md, etc.), but those that have been set will be used and not the built-in ones.

E.g. EVP_CipherInit_ex has as its third parameter an ENGINE*. Encryption/decryption with an EVP_CIPHER_CTX* initialized this way will process the encryption/decryption via the ENGINE implementation.

Recommended answer

From what I've seen and read, you can't. If you need to use an engine in your code, you have two options:

  1. Set your engine as a default and it will be used by OpenSSL for all those methods that the engine provides; for all others, OpenSSL's built-in methods will be used. This is the call that you would need to use in this case:

ENGINE_set_default(engine, ENGINE_METHOD_ALL)

  2. Set your engine for a few chosen methods, e.g. the code below will set it up for the method RAND only:

ENGINE_set_default(engine, ENGINE_METHOD_RAND)

You can find more examples here: https://www.openssl.org/docs/manmaster/crypto/engine.html and in openssl's README.ENGINE.

In other words, engine is a global setting and if you want to map it to an SSL_CTX object, you would need to maintain that map manually.

BTW, I would be glad to be proven wrong, because I need this kind of functionality myself and hope that it will be implemented in the future.
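
The manual mapping the answer describes, as an added example that is not part of the original answer or OpenSSL's own code: a side table from SSL_CTX* to ENGINE*, whose lookup result the application passes as the ENGINE* argument of the EVP_CipherInit_ex calls it makes itself. The function names, the table size and the forward-declared types are assumptions for illustration; the table does not change which implementation libssl picks internally.

```c
#include <stddef.h>

/* Opaque OpenSSL handle types, forward-declared so the sketch builds without
 * OpenSSL installed; delete both lines when you include <openssl/ssl.h>. */
typedef struct ssl_ctx_st SSL_CTX;
typedef struct engine_st ENGINE;
#define CTX_ENGINE_SLOTS 8 /* hypothetical capacity */
static struct { const SSL_CTX *ctx; ENGINE *eng; } ctx_engine_map[CTX_ENGINE_SLOTS];

/* Bind ctx to eng (eng == NULL means built-in crypto).
 * Returns 0 on success, -1 if ctx is NULL or the table is full. */
int ctx_engine_bind(const SSL_CTX *ctx, ENGINE *eng)
{
    int free_slot = -1;
    if (ctx == NULL)
        return -1;
    for (int i = 0; i < CTX_ENGINE_SLOTS; i++) {
        if (ctx_engine_map[i].ctx == ctx) { /* rebind an existing entry */
            ctx_engine_map[i].eng = eng;
            return 0;
        }
        if (ctx_engine_map[i].ctx == NULL && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0)
        return -1;
    ctx_engine_map[free_slot].ctx = ctx;
    ctx_engine_map[free_slot].eng = eng;
    return 0;
}

/* Value to pass as the ENGINE* argument of EVP_CipherInit_ex() for work done
 * on behalf of ctx. Unknown contexts get NULL, i.e. the default implementation. */
ENGINE *ctx_engine_lookup(const SSL_CTX *ctx)
{
    for (int i = 0; ctx != NULL && i < CTX_ENGINE_SLOTS; i++)
        if (ctx_engine_map[i].ctx == ctx)
            return ctx_engine_map[i].eng;
    return NULL;
}

/* Call right before SSL_CTX_free(): a freed address can be handed to a new
 * context, which would otherwise inherit the stale engine binding. */
void ctx_engine_unbind(const SSL_CTX *ctx)
{
    for (int i = 0; ctx != NULL && i < CTX_ENGINE_SLOTS; i++)
        if (ctx_engine_map[i].ctx == ctx)
            ctx_engine_map[i].ctx = NULL; /* slot is free again; eng is overwritten on reuse */
}
```

A NULL result selects OpenSSL's default implementation, which is the built-in one only while no engine has been installed for that method with ENGINE_set_default. The table is not thread-safe, so guard it with a lock if contexts are created or freed concurrently.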
