Create EVP_PKEY from private key on token

[dlansky1]

In my application, I need to create an EVP_PKEY object to be used with EVP_DigestSign.
The private (EC) key itself is stored on the PKCS#11 device.

I tried something in the line of:

// Create a parameter builder
param_bld = OSSL_PARAM_BLD_new();
// Add the curve name to the parameters
OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_PKEY_PARAM_GROUP_NAME, "prime256v1", 0);
// Add the PKCS#11 private key handle to the parameters
// I was not actually expecting this to work... but just to show my thinking
OSSL_PARAM_BLD_push_ulong(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, my_pkcs11_priv_key_handle);
// Build the parameters
params = OSSL_PARAM_BLD_to_param(param_bld);

// Create a new EVP_PKEY context
pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
// Initialize the context for parameter setting
EVP_PKEY_fromdata_init(pkey_ctx);
// Set the parameters
EVP_PKEY_fromdata(pkey_ctx, &pkey, EVP_PKEY_KEYPAIR, params);

// Use pkey with openssl API to sign some text...

When running this, the EVP_PKEY_fromdata() call fails inside p11prov_obj_import_key(),
with "Only public keys are supported".

My questions are:

1. What is the right way to create EVP_PKEY with a given, pre-installed pkcs11 private key?
2. If this is not supported today, can anyone suggest a concept how to support it in pkcs11-provider,
   i.e. which function to modify, etc?

[simo5]

The import part should be resolved in the main tree, what version (or git snapshot) are you using ?

However if the key is actually in the pkcs#11 module you should simply use the STORE api and load the key via a pkcs11 URI.

If they key is not on the token, why are you trying to import it in the token with EVP_PKEY_fromdata()? That function will only create a session key at best (ephemeral key that goes away as soon as you close the session/application).