Hi Steve!

It's good to hear from you (and reassuring to have you in the family)!

A GPK card (for example) can handle PKCS#1 operations, at least it says
so in the documentation, but I haven't been able to find any local
experts who advocate doing anything aside from Private key decrypt,
sign, and unwrap with it. That's all our local PKCS#11 API does, and it
satisfies the GemSafe and most other developmental needs.

Apparently using the card's processor for anything more becomes too
time-consuming.

I am working under Linux, so the Gemplus libraries at my disposal are
limited to David Corcoran's PCSC port (called MUSCLE) and the gp-core
libraries. All the work I've done so far with the card has involved
sending my own APDUs, but my teammate plans to steal some of the PKCS#11
API calls from the Windows guys.

Where and how we want to intercept those operations is exactly what
we're trying to decide, and making OpenSSL smartcard-compatible is our
ultimate goal -- I've got little mock-up demos of hacked SSH code
working with a smartcard (adding a ssh -S option to replace the call for
reading the private DSA key from the file and redirecting it to an
address in memory read directly from the card) and the purpose of those
was to demonstrate the usefulness of the smartcard to most OpenSSL-based
applications.

I've only recently heard about the OpenSSL Engine and the convenient
hardware-based encryption support. It looks like this is the perfect
place to start in order to offer smartcard support, but we've got a lot
of learning to do before we decide where to add what --

If you have any suggestions or if there's any way that we can combine
some of our efforts, then we'd be thrilled to help -- up
until now our plan was to offer a patch to openssl-0.9.6a
which included a modified libcrypto which was able to make calls to a
card on a serial port.

If we can somehow manage a smoother, more graceful solution, we'd be
singing...

And if we can manage getting us kids sent out to Europe to see you, hey,
who'd complain? <grin>

Looking forward to hearing from you,
Gila. (And Benoit)
 
Dr S N Henson wrote:
 
> Hello,
> 
> My name is Stephen Henson, I'm one of the OpenSSL core developers who
> works for Celo and thus Gemplus.
> 
> What kind of facilities does the smartcard provide? Does it do high
> level PKCS#1 operations or just the raw 'private key operation'?
> 
> You can intercept both operations but how and where you do this depends
> on exactly what you want to do.
> 
> Which particular Gemplus libraries are you using? I'm myself getting up
> to speed on the Gemplus smart card side of things so maybe we could help
> each other here.
> 
> One possible project I'm considering for OpenSSL would be to provide
> support for smartcards (and thus Gemplus smartcards) in the core source
> code. The current ENGINE architecture for OpenSSL should help with this
> but I think it needs some additional support to make it as smart card
> friendly as possible.
> 
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

 
--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
Gila Monstre                          [EMAIL PROTECTED]     
Fearless Geek                                    (514)732-2459
Advanced Projects Group                       Gemplus Software

We are the total of our longings.          -- Guy Gavriel Kay
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
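The distinction Steve asks about (high-level PKCS#1 operations versus the raw "private key operation") and Gila's answer (the card is used only for private-key decrypt, sign and unwrap) is the whole design question for an ENGINE that redirects RSA private operations to a card. The following is an added example, not code from either correspondent, from the Gemplus libraries or from OpenSSL: a simulated card object stands in for the token and performs only the raw m^d mod n step on a block the host hands it, while the host does the hashing and EMSA-PKCS1-v1_5 padding. The key size, the SHA-256 DigestInfo choice, the card stub and the message are constructed for the demo; a real card would never expose the private exponent the stub holds.

```python
"""Host-side PKCS#1 v1.5 signing with only the raw private-key operation
delegated to a simulated smartcard. Added example; the card is a stand-in
object, not a real APDU or PKCS#11 interface."""
import hashlib
import random

_rng = random.Random(20010515)  # fixed seed so the example is deterministic


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with witnesses drawn from _rng."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits: int = 512):
    """Toy RSA key: far too small for real use, sized only for this demo."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return n, e, pow(e, -1, phi)


class SimulatedCard:
    """Stand-in for the card: it does ONLY the raw private-key operation
    m^d mod n on an already-padded block. It holds d here purely because
    this is a constructed simulation; a real token never exposes it."""

    def __init__(self, n: int, d: int):
        self._n, self._d = n, d
        self.calls = 0  # number of raw operations the host has requested

    def private_key_op(self, block: bytes) -> bytes:
        k = (self._n.bit_length() + 7) // 8
        if len(block) != k:
            raise ValueError("block must be exactly the modulus length")
        m = int.from_bytes(block, "big")
        if m >= self._n:
            raise ValueError("block is not less than the modulus")
        self.calls += 1
        return pow(m, self._d, self._n).to_bytes(k, "big")


# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, exactly k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def host_sign(card: SimulatedCard, n: int, message: bytes) -> bytes:
    """The host hashes and pads; the card only exponentiates the block."""
    k = (n.bit_length() + 7) // 8
    return card.private_key_op(emsa_pkcs1_v15_encode(message, k))


def verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Public-key side: recover the block and compare the full encoding
    byte-for-byte instead of parsing it, so malformed padding cannot pass."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_encode(message, k)


# Constructed demo key, card and message
N, E, D = make_keypair()
CARD = SimulatedCard(N, D)
MESSAGE = b"constructed demo message"

if __name__ == "__main__":
    sig = host_sign(CARD, N, MESSAGE)
    print("valid:", verify(N, E, MESSAGE, sig), "card ops:", CARD.calls)
```

The point of the split is that the only thing crossing the host/card boundary is a padded block and its exponentiation: the private exponent stays on the card, the host never needs it, and the verifier never trusts anything the card did beyond that one modular exponentiation. An ENGINE that replaces the RSA private-key method would hook exactly the `private_key_op` step and leave padding and verification in libcrypto.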
