Hi,
I’m currently working on adding RSA signature verification support for a custom provider that leverages a hardware accelerator. As part of this, I’ve also started implementing the key management functionality. So far, I’ve added the following functions:
- OSSL_FUNC_KEYMGMT_NEW
- OSSL_FUNC_KEYMGMT_IMPORT
- OSSL_FUNC_KEYMGMT_FREE
- OSSL_FUNC_KEYMGMT_HAS
As per the documentation, at least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen(), or OSSL_FUNC_keymgmt_load() must be implemented, along with OSSL_FUNC_keymgmt_free() and OSSL_FUNC_keymgmt_has(). We have implemented OSSL_FUNC_KEYMGMT_NEW to satisfy this requirement.
However, when I run the speed test using:
./apps/openssl speed -elapsed -provider custom_provider -provider default -signature-algorithms
I encounter the following error:
Error initializing keygen ctx for rsa512.
80FBE5F7FF7F0000:error:03000096:digital envelope routines:gen_init:operation not supported for this keytype:crypto/evp/pmeth_gn.c:89:
pid 1150174, start-end 503825.762406017 - 503825.763196080
Upon debugging, we found that this issue is due to the absence of the gen_init function in our key management implementation.
Is there a way to allow fallback to the default provider for key generation, while keeping the custom provider responsible for signature verification? Or do we need to implement the keymgmt_gen function in our provider to support this use case?
We want to ensure that key generation can be handled by the default provider, while signing and verification operations are performed by the custom provider.