Robert Relyea wrote:
> On 04/21/2010 02:25 PM, Jan Just Keijser wrote:
>
>> Hi Andreas,
>>
>>> or send patches for libp11/engine_pkcs11 to handle gost.
>>> (no idea how much work that would be - I'm quite clueless
>>> over there. also gost engine might be much better than the
>>> simple and hacky engine_pkcs11).
>>>
>>> but maybe I missed something in the discussion or got some
>>> parts wrong? please don't let me stay stupid :-)
>>>
>> the problem is quite subtle:
>> - some applications load engine_pkcs11 and/or opensc-pkcs11 but they
>>   themselves do not use openssl
>> - to use the gost algorithms inside of engine_pkcs11 the openssl gost
>>   engine (an external .so file) needs to be loaded.
>>
> So is gost calling the openssl engine or high-level code to do its
> operations? If so that seems like a layer violation, since the PKCS #11
> interface could be called from the openssl_engine.
>
> We have the same situation in NSS. PKCS #11 modules written with ckbi
> that need to do crypto (and do not supply their own implementation) can
> not call the NSS PK11_XXXX interface that applications are expected to
> use. Instead the PKCS #11 modules need to call the freebl layer used by
> the NSS softoken.
>
> I believe openssl has the equivalent (though I don't know if that layer
> is in its own shared library, or is exported by openssl).
>

effectively gost *is* an openssl engine and the problem occurs when engines start loading each other....

JJK