Martin Paljak wrote:
> On Mar 4, 2010, at 22:23 , Andreas Jellinghaus wrote:
>> On Thursday 04 March 2010 16:20:15, Douglas E. Engert wrote:
>>> The other questions to ask are what features from OpenSSL
>>> are being used, and could these be easily replaced.
>>> I know the PIV uses BIO, PEM and RSA functions to read
>>> and write public keys to files, mostly to make them text files.
>>> But it also uses EVP_encrypt and EVP_decrypt
>>> with the public keys, as the card can not do these.
>> maybe padding routines? not sure if we use some, but we could
>> support more padding mechanisms, if we add padding in software
>> and use rsa decrypt for signing. needs to be done for cardos
>> at least anyway (for keys that are signing & decryption).
> OpenSSL provides a variety of functions (so does OpenSC).
>
> Most uses of OpenSSL inside OpenSC seem to be either "utility" in nature or
> symmetric encryption, bignum etc.
>
>>>> so I wonder if we should simply require openssl for trunk.
>>>> I don't know a single user that does not compile opensc with
>>>> openssl, or what use opensc would be in such a situation.
>>>>
>>>> what do you think?
>>> So I would say to require OpenSSL.
> Same here. Even though there are better, smaller and easier alternatives,
> OpenSSL is the closest thing to "industry standard".
>

I was just asking if you were thinking of using something else.
Some other packages have replaced OpenSSL because of license issues.
(For example, we ran into some problems when nscd/nssldap switched to using gnutls.)

> At the same time, there's a point in allowing building without it. Maybe a
> big fat warning would be better. Flipping the switch in configure.in would
> not change much for "casual users" who, as discussed before, usually get
> their stuff from distro packages. Like there will always be folks who want to
> use OpenSC with OpenCT, there will be some who will say "I want it without
> this openssl bloat"
>

I would not allow OpenSC to be built without OpenSSL or a replacement, as too
many of the card drivers depend on it (at least the card driver I am interested in).

> On platforms like OpenWRT, it is sometimes a shame to download a package that
> needs to do md5 and pulls in the whole XXX kilobyte openssl library...
>
>
>>> If, on the other hand, you are looking at using gnutls to replace
>>> OpenSSL?
>> I haven't had a look at any other crypto/ssl implementation,
>> as only OpenSSL has engine support, so only with openssl
>> can we use its ssl code with smart cards.
> OpenSSH "engine" implementation is its own private API for "things that
> PKCS#11 could do as well". GnuTLS provides pkcs#11 support so it should work
> out of the box for SSL/TLS with PKCS#11 based keys.
>
> OpenSC does not implement anything related to SSL/TLS. For example NSS as
> well implements SSL/TLS and it can use OpenSC PKCS#11 module. There's no
> relation.
>
>
>> but in general I'm open to other crypto/ssl libraries,
>> and feedback on which ones might be interesting is very welcome.
>> I know openssl, gnutls, mozilla/netscape nss, libcrypto++,
>> and - forgot the name - the commercial crypto routines by
>> peter gutmann from auckland.nz.
>
> NaCL, by DJB
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
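The "padding in software, raw RSA on the card" idea raised in the thread, shown as an added example that is not OpenSC code and not from anyone on the list. It builds the EMSA-PKCS1-v1_5 encoding (RFC 8017 §9.2) in software, hands the encoded block to a stand-in for a card's raw RSA private operation, and verifies the result with the usual public-key check. Python is used so the bignum arithmetic is available without OpenSSL; the toy RSA key, the `card_raw_rsa_private` stand-in and the sample messages are all constructed for this example. The verifier side also shows why the padding must be checked in full after the public operation, not just the trailing hash bytes.

```python
"""PKCS#1 v1.5 signature padding done in software in front of a raw RSA
private operation (the "rsa decrypt" of the thread).  Pure Python, no OpenSSL.
Everything here is constructed for illustration; a real deployment would use a
card for the private operation and a maintained library for verification."""
import hashlib
import secrets

# DER DigestInfo prefixes from RFC 8017 section 9.2, Note 1.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int, hash_name: str = "sha256") -> bytes:
    """Return EM = 0x00 || 0x01 || PS || 0x00 || T, where T is DigestInfo(hash)."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:          # PS must be at least 8 bytes of 0xff
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def emsa_pkcs1_v1_5_check(em: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Verify by re-encoding and comparing the whole EM (no lenient parsing)."""
    try:
        expected = emsa_pkcs1_v1_5_encode(message, len(em), hash_name)
    except ValueError:
        return False
    return secrets.compare_digest(em, expected)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; good enough for a constructed demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_toy_rsa_key(bits: int = 1024, e: int = 65537):
    """Constructed toy key (n, e, d); stands in for the key pair held on a card."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def card_raw_rsa_private(n: int, d: int, data: bytes) -> bytes:
    """Stand-in for a card that only offers raw RSA with the private key."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(data, "big")
    if len(data) != k or m >= n:
        raise ValueError("input must be a modulus-length representative below n")
    return pow(m, d, n).to_bytes(k, "big")


def sign_pkcs1_v1_5(n: int, d: int, message: bytes, hash_name: str = "sha256") -> bytes:
    """Host pads, card exponentiates: the split the thread describes."""
    k = (n.bit_length() + 7) // 8
    return card_raw_rsa_private(n, d, emsa_pkcs1_v1_5_encode(message, k, hash_name))


def verify_pkcs1_v1_5(n: int, e: int, message: bytes, signature: bytes,
                      hash_name: str = "sha256") -> bool:
    """Standard RSASSA-PKCS1-v1_5 verification with the public key."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return emsa_pkcs1_v1_5_check(em, message, hash_name)


if __name__ == "__main__":
    n, e, d = generate_toy_rsa_key()
    sig = sign_pkcs1_v1_5(n, d, b"constructed sample message")
    print("good signature verifies:", verify_pkcs1_v1_5(n, e, b"constructed sample message", sig))
    print("tampered message verifies:", verify_pkcs1_v1_5(n, e, b"constructed sample messagf", sig))
```

Because the encoding is the one RSASSA-PKCS1-v1_5 specifies, a signature produced this way is interchangeable with one made by a library that does the padding itself; the card only ever sees a modulus-length block. The verifier rebuilds the expected block and compares all of it, which is the check that matters when the host rather than the card is responsible for the padding.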
