Implementing OpenSSL Cryptographic Functions Using IBM's CCA Program Product
Original Publication Date: 2002-Oct-12
Included in the Prior Art Database: 2003-Jun-21
As stated on the OpenSSL website, the OpenSSL toolkit is "a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library." Of particular interest is OpenSSL's cryptographic library, which provides implementations of various well-accepted and widely used cryptographic methods such as hashing, key generation, and digital signature creation and verification. IBM provides a similar set of cryptographic routines with the IBM CCA (Custom Cryptographic Architecture) application programming interface (API), available for the IBM 4758 Secure Cryptographic Coprocessor.

Implementation of the OpenSSL API on top of CCA provides two advantages. First, it lets OpenSSL-aware applications use the 4758, and in particular retain private keys on the 4758, with minimal rework. Second, it provides a secure computational environment for accomplishing particular cryptographic tasks.

While a complete listing and explanation of all functions common to OpenSSL and CCA is beyond the scope of this article, implementing the set of methods that provides the functionality listed below is sufficient for a proof-of-concept prototype showing that a bridge between CCA and OpenSSL is viable.

Desired Functionality for Proof of Concept

- Calculate the hash for arbitrary amounts of data using the following algorithms: SHA-1, MD5, RIPEMD-160.
- Generate RSA public-private key pairs of an arbitrary modulus and exponent within the allowable constraints imposed by CCA, retain the private key on the IBM 4758 Cryptographic Coprocessor, and return the public key to the calling application.
- Assign a generated RSA key to OpenSSL's high-level key structure, EVP_PKEY, so that it can be passed to OpenSSL's signature and verification functions.
- Generate and verify a digital signature of an arbitrary amount of data using the private part of a key token and the hash value (computed with SHA-1, MD5, or RIPEMD-160) calculated for that data.
- Implement each of these functions using IDENTICAL function prototypes to the original OpenSSL functions, so that recompiling user code containing OpenSSL function calls (limited, of course, to only those function calls implemented in the CCA equivalent library) is not required. The user links with the CCA equivalent library file rather than with the OpenSSL lib file providing these functions.
- Return error codes from these functions in the same manner as their OpenSSL counterparts do. OpenSSL typically returns NULL on error for functions that return a pointer, and -1, 0, or 1 for functions returning a numeric value.
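The error-return convention in the last two items, sketched in C as an added example (not code from the original disclosure). It shows a shim that keeps the prototype of OpenSSL's SHA1() and translates a coprocessor status into NULL or -1/0/1, failing closed on any status it does not recognise. The names bridge_SHA1, bridge_verify_result, cca_status and cca_hash_backend are hypothetical, the backends are constructed stand-ins, and the status values (return code 4 with reason 429 for an unverified signature) are assumptions to check against the CCA reference.

```c
#include <stddef.h>
#include <string.h>

#define SHA_DIGEST_LENGTH 20

/* Status pair a CCA verb hands back: return code plus reason code. */
typedef struct { long rc; long reason; } cca_status;

/* Hypothetical seam: a real bridge would call the coprocessor's hash verb
 * here. A function pointer keeps the sketch runnable without CCA. */
typedef cca_status (*cca_hash_fn)(const unsigned char *d, size_t n,
                                  unsigned char *out);
cca_hash_fn cca_hash_backend;

/* Assumed values: rc 0 = success, rc 4 = warning, reason 429 = signature
 * not verified. Confirm against the CCA reference for your release. */
enum { CCA_RC_OK = 0, CCA_RC_WARN = 4, CCA_RSN_SIG_BAD = 429 };

/* Numeric convention: 1 = verified, 0 = bad signature, -1 = other error. */
int bridge_verify_result(cca_status s)
{
    if (s.rc == CCA_RC_OK) return 1;
    if (s.rc == CCA_RC_WARN && s.reason == CCA_RSN_SIG_BAD) return 0;
    return -1;  /* an unknown status must never read as "verified" */
}

/* Pointer convention with the same prototype as OpenSSL's SHA1():
 * returns the digest pointer on success, NULL on any error. */
unsigned char *bridge_SHA1(const unsigned char *d, size_t n, unsigned char *md)
{
    static unsigned char static_md[SHA_DIGEST_LENGTH];
    unsigned char tmp[SHA_DIGEST_LENGTH];
    if (md == NULL) md = static_md;  /* OpenSSL uses a static buffer here */
    if (cca_hash_backend == NULL) return NULL;
    cca_status s = cca_hash_backend(d, n, tmp);
    if (s.rc != CCA_RC_OK) return NULL;  /* caller's buffer left untouched */
    memcpy(md, tmp, sizeof tmp);
    return md;
}

/* Constructed stand-in backends (not real hashes): success and failure. */
cca_status fake_ok(const unsigned char *d, size_t n, unsigned char *out)
{ (void)d; memset(out, (int)(n & 0xff), SHA_DIGEST_LENGTH); return (cca_status){0, 0}; }
cca_status fake_fail(const unsigned char *d, size_t n, unsigned char *out)
{ (void)d; (void)n; (void)out; return (cca_status){12, 0}; }
```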