Hi,
I found more problems related to crypto engine support in OpenCA::OpenSSL.
My Token->genKey bombed out with an OpenSSL error complaining about
incorrect command line arguments.
Short investigation showed that not all OpenSSL commands accept a -keyform
parameter:
  Command            -engine   -keyform e
  gen(rsa|dh|dsa)    yes       no
  req                yes       yes
  ca                 yes       yes
  spkac              yes       no
  dgst               yes       no
  pkcs7              yes       no
  rand               yes       no
  smime              yes       yes (see OpenCA::OpenSSL::SMIME)
When using the current code, a token implementation has to set both
engine type and key form, such as in OpenCA::Token::OpenSC, LunaCA3
or my new (not yet submitted) ::nCipher:
[...]
$keys->{ENGINE} = "chil -keyform engine";
$keys->{CERT} = $keys->{PEM_CERT};
$self->{OPENSSL} = OpenCA::OpenSSL->new ( %{$keys} );
This always expands to "-engine chil -keyform engine" in all
OpenSSL commands that are using private keys, breaking most of
the Perl module's member functions.
(LunaCA3 even uses an -enginearg parameter. Does this really work?)
Two ways around it, the second being a dirty hack:
- introduce a KEYFORM and maybe ENGINEARG argument to
OpenCA::OpenSSL, just like ENGINE and use it only for the
commands that require them
- s/-keyform\s+\S+//g or similar for all commands that cannot
handle a keyform argument
I'd go for the first option.
I volunteer to implement it and resubmit the code.
BTW: the above $keys->{CERT} = $keys->{PEM_CERT} is required and is
missing from all token implementations short of OpenSSL.pm. I'll file
a bug on SourceForge.
cheers
Martin
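An added illustration (not OpenCA's code, nor part of the mail above) of the first option: a helper that takes ENGINE and KEYFORM as separate settings and only emits -keyform for the commands listed in the table as accepting it. The hash key KEYFORM and the helper name are assumptions; the per-command list is taken from the table in the mail.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Commands that accept -keyform, per the table in the mail.
# (Only ENGINE and KEYFORM are handled here; ENGINEARG is left out.)
my %ACCEPTS_KEYFORM = map { $_ => 1 } qw(req ca smime);

# Return the engine-related arguments for one openssl sub-command.
# %opts carries ENGINE and KEYFORM separately (assumed key names),
# instead of folding "-keyform engine" into the ENGINE string.
sub engine_args {
    my ($cmd, %opts) = @_;
    my @args;
    if (defined $opts{ENGINE}) {
        push @args, '-engine', $opts{ENGINE};
    }
    # -keyform only goes to commands that understand it; genrsa, dgst,
    # pkcs7 etc. would otherwise abort with an argument error.
    if (defined $opts{KEYFORM} && $ACCEPTS_KEYFORM{$cmd}) {
        push @args, '-keyform', $opts{KEYFORM};
    }
    return @args;
}

# Constructed token settings in the style of the nCipher snippet above.
my %keys = (ENGINE => 'chil', KEYFORM => 'engine');
for my $cmd (qw(genrsa req ca dgst smime)) {
    print "openssl $cmd ", join(' ', engine_args($cmd, %keys)), "\n";
}
```

Running it prints `-engine chil` for every command and `-keyform engine` only after req, ca and smime.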
OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel