Hi,
I already wrote about my efforts to support nCipher HSM for OpenCA. Currently I am trying to write my own OpenCA::Token::nCipher module that accesses nCipher hardware.
While doing so I encountered a problem:
OpenCA::OpenSSL does not support a wrapper executable for OpenSSL. This is required for using OpenSSL with the HSM (see my other mail).
Invocation example: /opt/HSM/bin/somewrapper /usr/local/ssh/bin/openssl <arguments>
It *could* be possible to specify the wrapper and the openssl executable together as SHELL, but the current implementation of OpenCA::OpenSSL checks for the existence of the OpenSSL binary, causing an error because the file "/opt/HSM/bin/somewrapper /usr/local/ssh/bin/openssl" obviously does not exist.
So in order to support the nCipher module something has to be done here. I see two options:
a) extend OpenCA::OpenSSL to accept a wrapper executable via a new configuration variable, e.g. "WRAPPER" or "PRELOAD", that is simply put in front of the OpenSSL command invocation
b) modify OpenCA::OpenSSL to accept the wrapper executable as part of the OpenSSL path by modifying the -e check at the end of the OpenCA::OpenSSL::new constructor.
I would really prefer a) because b) is more like a dirty hack.
What do you think in terms of integration into the software?
A wrapper is the correct way.
token.xml:
<option>
  <name>WRAPPER</name>
  <value></value>
</option>
I attached a changed OpenSSL.pm and token.xml. It is only tested for use without the wrapper, so you must test it for use with a wrapper yourself.
Michael
--
-------------------------------------------------------------------
Michael Bell                     Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice   Tel.: +49 (0)30-2093 2482
(Computing Centre)               Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6               Email (private): [EMAIL PROTECTED]
10099 Berlin
Germany                          http://www.openca.org
Attachment: fix.tar.gz (application/gunzip)
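To show what option a) from the first mail amounts to in code, and how the WRAPPER option agreed in the reply can be honoured without tripping the existence check on the OpenSSL binary, here is an added, self-contained Perl illustration. It is not OpenCA's OpenSSL.pm and not the attached fix; Demo::Token is a hypothetical stand-in for OpenCA::OpenSSL, and the two shell scripts it creates in a temporary directory are constructed fixtures standing in for /opt/HSM/bin/somewrapper and the real openssl binary. How OpenCA actually assembles and runs its command line is not shown on this page; the example deliberately uses the list form of system() so that wrapper and openssl paths are never re-parsed by /bin/sh.

```perl
#!/usr/bin/perl
# Added example, not OpenCA code: a constructor that takes the openssl binary
# (SHELL) and an optional wrapper executable (WRAPPER) as two separate,
# individually checked paths, then prepends the wrapper at invocation time.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

package Demo::Token;   # hypothetical stand-in for OpenCA::OpenSSL

sub new {
    my ($class, %opt) = @_;
    my $self = bless {}, $class;

    # SHELL stays what it always was: the path of the real openssl binary.
    # The thread's constructor uses -e; -x additionally requires execute
    # permission, which is what we actually need.
    my $shell = $opt{SHELL} or die "SHELL (openssl binary) not configured\n";
    die "OpenSSL binary '$shell' does not exist or is not executable\n"
        unless -x $shell;
    $self->{SHELL} = $shell;

    # WRAPPER (option a) is a separate executable put in front of openssl.
    # An empty <value></value>, as in the token.xml above, means "no wrapper".
    my $wrapper = $opt{WRAPPER};
    if (defined $wrapper && $wrapper ne '') {
        die "Wrapper '$wrapper' does not exist or is not executable\n"
            unless -x $wrapper;
        $self->{WRAPPER} = $wrapper;
    }
    return $self;
}

# Build argv as a list. Because nothing is joined into one string and handed
# to a shell, a path containing spaces is fine and an argument such as a
# user-supplied subject cannot inject shell metacharacters.
sub command {
    my ($self, @args) = @_;
    my @cmd = ($self->{SHELL}, @args);
    unshift @cmd, $self->{WRAPPER} if $self->{WRAPPER};
    return @cmd;
}

# Run via the list form of system(), i.e. without /bin/sh in between.
sub run {
    my ($self, @args) = @_;
    my @cmd = $self->command(@args);
    my $rc  = system(@cmd);
    die "exec of '$cmd[0]' failed: $!\n" if $rc == -1;
    return $rc >> 8;    # exit status of (wrapper +) openssl
}

package main;

# Constructed fixtures so the example runs offline: two tiny scripts that
# stand in for the HSM wrapper and for openssl itself.
my $dir     = tempdir(CLEANUP => 1);
my $wrapper = File::Spec->catfile($dir, 'somewrapper');
my $openssl = File::Spec->catfile($dir, 'openssl');

sub write_script {
    my ($path, $body) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!\n";
    print $fh "#!/bin/sh\n$body";
    close $fh;
    chmod 0755, $path;
}
write_script($wrapper, "echo \"wrapper saw: \$*\"\nexec \"\$@\"\n");
write_script($openssl, "echo \"fake openssl called with: \$*\"\nexit 0\n");

# 1. Putting "wrapper openssl" together into SHELL fails the existence check,
#    exactly the problem described in the first mail: no such single file.
my $combined = eval { Demo::Token->new(SHELL => "$wrapper $openssl") };
print "combined SHELL rejected: $@" unless $combined;

# 2. Option a): separate WRAPPER option, both executables checked on their own.
my $token = Demo::Token->new(SHELL => $openssl, WRAPPER => $wrapper);
print "argv: ", join(' ', $token->command('version')), "\n";
print "exit status: ", $token->run('version'), "\n";

# 3. WRAPPER left empty: a plain openssl invocation, as without the HSM.
my $plain = Demo::Token->new(SHELL => $openssl, WRAPPER => '');
print "argv without wrapper: ", join(' ', $plain->command('version')), "\n";
```

Case 1 reproduces the failure from the first mail, case 2 is the WRAPPER mechanism from the reply, and case 3 checks that an empty option leaves the non-HSM behaviour unchanged, which is the only configuration the attached fix was said to have been tested in.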