On 5/10/2013 5:37 AM, Cristian Thiago Moecke wrote:
You have two ways to follow.

1) To use an HSM to sign, the "official" way to do it is to use an
openssl engine. If your HSM does not provide an openssl engine, it
probably does provide a PKCS#11 module, and you can use  the pkcs11
engine to load it and use it.

There's no engine and no PKCS#11.

2) In some situations that is not possible (e.g. you need it to be
signed on a different remote system). And I just had the same need this
week, but for Certificate Requests. There are a lot of small
non-documented things to do in this case but basically you need to:
a) get the der encoded value of tbsCertificate field
b) hash it
c) apply pkcs1 padding and sign it
d) put the signature on asn1 form
e) add NIDs and other parameters to the cert_info field you identified.
I spent a lot of time learning from forums and openssl code
(X509_REQ_sign and functions it calls in my case) what I need to do. If
you can, go for option 1). If not, I may help you more later with 2).

Yes, your flow is the same as mine. I'm looking for advice on the C function calls. Specifically,

Is X509_digest() useful for a) and b)?

Is there a high level call for d) and e) or must I do it using the ASN.1 API?

(My HSM does c) and I know how to prepend the OID.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
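The part of the flow the thread leaves to "the ASN.1 API" is steps d) and e): wrapping the raw signature in a BIT STRING and naming the algorithm next to it. What follows is an added example, not code from the thread, written in plain C without OpenSSL so it runs anywhere: it assembles the outer Certificate SEQUENCE from an already-encoded tbsCertificate, an AlgorithmIdentifier and a signature produced elsewhere. The tbsCertificate and signature bytes in the demo are constructed stand-ins, and sha256WithRSAEncryption is an assumed choice of algorithm. Two OpenSSL facts that bear on a) and b): i2d_re_X509_tbs() returns the DER of the tbsCertificate, whereas X509_digest() hashes the DER of the whole certificate, so it is not the call for the TBS hash.

```c
/*
 * Added example, not from the thread: assemble a DER-encoded Certificate
 * from an already-encoded tbsCertificate and a signature produced elsewhere
 * (e.g. on an HSM). This is what steps d) and e) amount to on the wire:
 *   Certificate ::= SEQUENCE {
 *     tbsCertificate      TBSCertificate,
 *     signatureAlgorithm  AlgorithmIdentifier,
 *     signatureValue      BIT STRING }
 * Assumptions: the signing algorithm is sha256WithRSAEncryption, and the
 * tbsCertificate / signature bytes used in the demo are constructed stand-ins.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DER_MAX 4096   /* assumed upper bound for one encoded element */

/* DER length: short form below 128, long form (0x80 | nbytes, then big-endian length) above. */
static size_t der_put_len(uint8_t *out, size_t len)
{
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    size_t n = 0;
    for (size_t t = len; t; t >>= 8) n++;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++)
        out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* Write one tag-length-value element. Returns bytes written, 0 if it does not fit. */
static size_t der_put_tlv(uint8_t *out, size_t cap, uint8_t tag,
                          const uint8_t *val, size_t vlen)
{
    uint8_t lenbuf[10];
    size_t ln = der_put_len(lenbuf, vlen);
    if (cap < 1 + ln + vlen) return 0;
    out[0] = tag;
    memcpy(out + 1, lenbuf, ln);
    memcpy(out + 1 + ln, val, vlen);
    return 1 + ln + vlen;
}

/* AlgorithmIdentifier for sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11).
 * RFC 4055 requires explicit NULL parameters for the PKCS#1 v1.5 RSA algorithms;
 * the same bytes must already sit in the tbsCertificate's own "signature" field. */
static const uint8_t ALGID_SHA256_RSA[] = {
    0x30, 0x0d,
        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
        0x05, 0x00
};

/* Assemble the outer Certificate SEQUENCE. Returns total length, 0 on failure. */
size_t der_assemble_certificate(uint8_t *out, size_t cap,
                                const uint8_t *tbs, size_t tbs_len,
                                const uint8_t *algid, size_t algid_len,
                                const uint8_t *sig, size_t sig_len)
{
    uint8_t body[DER_MAX], bsval[DER_MAX];
    size_t pos = 0, n;

    if (tbs_len + algid_len > sizeof body || sig_len + 1 > sizeof bsval) return 0;
    memcpy(body, tbs, tbs_len);              pos += tbs_len;
    memcpy(body + pos, algid, algid_len);    pos += algid_len;

    /* signatureValue is a BIT STRING: the first content octet is the count of
     * unused bits in the last byte, always 0 for a byte-aligned signature. */
    bsval[0] = 0x00;
    memcpy(bsval + 1, sig, sig_len);
    n = der_put_tlv(body + pos, sizeof body - pos, 0x03, bsval, sig_len + 1);
    if (n == 0) return 0;
    pos += n;

    return der_put_tlv(out, cap, 0x30, body, pos);
}

/* Demo on constructed inputs (not a real TBSCertificate or RSA signature):
 * returns 1 when the assembled bytes match the hand-derived DER. */
int demo_assembled_cert_matches(void)
{
    static const uint8_t tbs[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };   /* SEQUENCE { INTEGER 1 } */
    static const uint8_t sig[] = { 0xde, 0xad, 0xbe, 0xef };          /* 4-byte stand-in signature */
    static const uint8_t expected[] = {
        0x30, 0x1b,
            0x30, 0x03, 0x02, 0x01, 0x01,
            0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
            0x03, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xef
    };
    uint8_t out[DER_MAX];
    size_t n = der_assemble_certificate(out, sizeof out, tbs, sizeof tbs,
                                        ALGID_SHA256_RSA, sizeof ALGID_SHA256_RSA,
                                        sig, sizeof sig);
    return n == sizeof expected && memcmp(out, expected, n) == 0;
}

int main(void)
{
    printf("assembled certificate %s the expected DER\n",
           demo_assembled_cert_matches() ? "matches" : "does NOT match");
    return 0;
}
```

Two things to check before handing the result to a verifier: RFC 5280 requires the AlgorithmIdentifier in the tbsCertificate's `signature` field to be identical to the outer `signatureAlgorithm`, so the NIDs set on cert_info in step e) must be decided before the TBS is encoded and hashed, not after; and the BIT STRING must carry the 0x00 unused-bits octet, which is the detail most hand-rolled encoders miss. With OpenSSL 3.0 the same two fields can be set on an X509 object with X509_set1_signature_algo() and X509_set1_signature_value() instead of assembling DER by hand.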
