Massimiliano Pala wrote:

I have one problem though. I still have errors if I set the HW to FIPS140-2
mode, probably because no public crypto (unauthenticated to the partition) is
allowed; therefore I need to set the auth on all operations, even if they
do not imply the usage of the CA's private key... I could use the ENV::
approach in the token.xml for OpenSSL but, in this way, the CA's passwd
would be stored in clear in the file... Could we add a new keyword that
specifies for the token that a pwd is to be used for every operation?
For example:

    <name>require_auth</name>
    <value>yes</value>

Therefore if the require_auth option is set to yes a sort of login-like
password may be asked. This is different from the CA's key.

Another patch I am thinking about to extend compatibility with future HSMs
is to provide special parameters for the token. This will help to pass additional
params to the ENGINE. For example we could use something like:

    <option>
        <name>engine_opt</name>
        <value>-hwkey 0/CA</value>
    </option>

These options will be added after the '-engine XXX' extension.

I see no problems with this. Usually an engine gets its parameters via -pre and -post, which we already support, but it is no problem to add more features. I think the next great change comes if we migrate to 0.9.8, but we should only do this on HEAD.

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]   D-10099 Berlin
_______________________________________________________________
