Hi Martin,
> I found more problems related to crypto engine support in
> OpenCA::OpenSSL. My Token->genKey bombed out with an OpenSSL error
> complaining about incorrect command line arguments.
> Short investigation showed that not all OpenSSL commands accept a
> -keyform parameter:
>
> Command          -engine  -keyform e
> gen(rsa|dh|dsa)  yes      no
> req              yes      yes
> ca               yes      yes
> spkac            yes      no
> dgst             yes      no
> pkcs7            yes      no
> rand             yes      no
> smime            yes      yes (see OpenCA::OpenSSL::SMIME)
>
> When using the current code, a token implementation has to set both
> engine type and key form, such as in OpenCA::Token::OpenSC, LunaCA3 or
> my new (not yet submitted) ::nCipher:
>
> [...]
> $keys->{ENGINE} = "chil -keyform engine";
> $keys->{CERT} = $keys->{PEM_CERT};
>
> $self->{OPENSSL} = OpenCA::OpenSSL->new ( %{$keys} );
>
> This always expands to "-engine chil -keyform engine" in all
> OpenSSL commands that are using private keys, breaking most of
> the Perl module's member functions.
> (LunaCA3 even uses an -enginearg parameter. Does this really work?)
Chrysalis-ITS (now SafeNet) does not only publish an engine. They publish
a completely patched OpenSSL. Therefore they can use other parameters.
> Two ways around it, the second being a dirty hack:
>
> - introduce a KEYFORM and maybe ENGINEARG argument to
> OpenCA::OpenSSL, just like ENGINE and use it only for the
> commands that require them
> - s/-keyform\s+\S+//g or similar for all commands that cannot
> handle a keyform argument
- we should remove "-keyform engine" from the ENGINE argument and implement
an automatic detection for an engine in the functions
$cmd .= " -keyform engine" if ($self->{ENGINE});
This we can add to the three relevant commands, and we do not have to extend
the interface.
What do you think about this third option, Martin?
> BTW: the above $keys->{CERT} = $keys->{PEM_CERT} is required and is
> missing from all token implementations short of OpenSSL.pm. I'll file a
> bug on SourceForge.
I saw it and this should be fixed in OpenCA::OpenSSL. I will do it tomorrow.
Michael
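As an added illustration of the third option discussed above (not code from this thread or from OpenCA itself): a Perl sketch that keeps ENGINE as the bare engine name and appends "-keyform engine" only for the commands the table lists as accepting it. The %ACCEPTS_KEYFORM table is built from that table, and split_legacy_engine is an assumed compatibility shim for token modules that still set ENGINE to "chil -keyform engine".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Which OpenSSL commands accept -keyform, taken from the table in the mail.
# Constructed for this example; not OpenCA's own data structure.
my %ACCEPTS_KEYFORM = (
    genrsa => 0, gendh => 0, gendsa => 0,
    req    => 1, ca    => 1, spkac  => 0,
    dgst   => 0, pkcs7 => 0, rand   => 0,
    smime  => 1,
);

# Build the engine-related arguments for one OpenSSL command.
# $engine is the bare engine name (e.g. "chil"); -keyform is added here,
# per command, instead of being smuggled in through the ENGINE setting.
sub engine_args {
    my ($command, $engine) = @_;
    return "" unless defined $engine && length $engine;
    # Refuse unknown commands rather than guessing their option set.
    die "unknown OpenSSL command '$command'\n"
        unless exists $ACCEPTS_KEYFORM{$command};
    my $args = " -engine $engine";
    $args .= " -keyform engine" if $ACCEPTS_KEYFORM{$command};
    return $args;
}

# Compatibility shim (assumed): strip a "-keyform ..." that an older token
# module packed into ENGINE, so no command receives the option twice or
# receives it when it cannot handle it.
sub split_legacy_engine {
    my ($engine_setting) = @_;
    return undef unless defined $engine_setting;
    if ($engine_setting =~ s/\s+-keyform\s+\S+//) {
        warn "ENGINE contained -keyform; stripped it, per-command detection applies\n";
    }
    $engine_setting =~ s/^\s+|\s+$//g;
    return $engine_setting;
}

# Example usage: the legacy setting from the mail, applied to a few commands.
my $engine = split_legacy_engine("chil -keyform engine");   # becomes "chil"
for my $cmd (qw(genrsa req ca dgst smime)) {
    printf "openssl %-6s%s\n", $cmd, engine_args($cmd, $engine);
}
```

Running it prints "-engine chil" for genrsa and dgst, and "-engine chil -keyform engine" only for req, ca and smime.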