Hi Douglas,

Thanks a lot for your kind help.

On Nov 10, 2011, at 5:12 PM, Douglas E. Engert wrote:

> This has been a very busy thread overnight.
> 
> As co-author of http://www.ietf.org/rfc/rfc3820.txt and having
> worked on the Globus GSI code from 1996-2004 I would like to make some
> comments. At the 1998 Supercomputing conference in Orlando, I was issuing
> Globus smartcards which could be used with grid-proxy-init
> using PKCS#11 and Litronic smart cards. So signing a proxy can be done
> using a smart card without the key leaving the card.
> 
> The key to be used in the proxy certificate still needs to be generated
> and stored somewhere.  It needs to be stored unencrypted, as it is used
> automatically (no user input of a PIN or passphrase)  so access to the key
> is the main security concern. (If the key was encrypted, the encryption key
> or passphrase would need to be stored and protected, which is another 
> approach.)
> 
> You appear to want to use the NSS softtoken code, but this code still needs
> to store the proxy key unencrypted somewhere.
> 
> The original GSI stored this in a file. As best I can tell you want to store
> this in some other format and maybe in memory?

Yes, you are completely right. The private key of the proxy is still a
security bottleneck, even if I use a smart card for storing the EEC.
I have not planned to improve the security of the proxy, since the Grid usage
model normally requires the proxy in the location specified by X509_PROXY.
My intention is to utilize the more commonly used credential, since NSS tokens
are more commonly used by the Firefox browser, and users are more familiar
with them.
So the current X509_USER_CERT and X509_USER_KEY will be replaced.
The replacement makes users able to use one format of credential to access
websites and the Grid.

> 
> NSS and OpenSSL are both top level APIs for crypto. NSS can call PKCS#11
> easily. OpenSSL can call PKCS#11 via the engine_pkcs11. So either could
> be used if the original EEC and its key are on a smartcard and used to sign
> a proxy certificate. i.e. you never get the key off the card.

OK, I see. Since my current code is based on OpenSSL, maybe I should choose
OpenSSL with engine_pkcs11 enabled.

> 
> The proxy certificate and key can be created by either, but both will store
> the proxy key in different formats. NSS wants to store in a database.
> The question is how to export/import the proxy certificate between
> applications that use the other: NSS vs OpenSSL.  As Alan pointed out
> pk12 may be the way to transfer the proxy cert and key between the two.
> 
> But the security concern still comes down to protecting the proxy key
> without requiring user intervention when using the proxy. I am not sure
> if NSS gives you any more security.


Thanks and Best Regards,

Weizhong Qiang

> 
> On 11/10/2011 8:40 AM, Alon Bar-Lev wrote:
>> On Thu, Nov 10, 2011 at 4:06 PM, weizhong qiang <weizhongqi...@gmail.com> wrote:
>>> As I mentioned, I need to use the EEC credential to generate a proxy
>>> credential (the process is the same as using a CA credential to generate
>>> an EEC credential).
>>> In the generation step, I need to use X509_sign (int X509_sign(X509 *x,
>>> EVP_PKEY *pkey, const EVP_MD *md)), which needs the private key for
>>> signing an X509 certificate.
>>> That is the reason I need to take the private key out.
> 
> And no, you don't need the key out; you need to be able to have the hash
> signed.
> You can use the engine code in OpenSSL to sign. (The engine code was not
> available in 1998, and so a lot of PKCS#11 code was added to grid-proxy-init.)
> 
>>> Could you tell me how to use the pkcs11-helper lib to sign a certificate
>>> without taking the private key out? By using pkcs11h_certificate_sign?
>>> Thanks
>>> Weizhong Qiang
>>> 
>>> 
>>> 
>> 
>> No, you should use X509_sign().
>> Why not use EVP_PKEY_assign_RSA(pk,rsa) and use pk?
>> Not sure but maybe X509_set_pubkey(x509,pk) will be needed.
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
> 
> -- 
> 
>  Douglas E. Engert  <deeng...@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
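The point made in the thread (the EEC key only has to sign the proxy certificate, so it can stay on the card, while the proxy key itself ends up unencrypted on disk) as an added example that is not part of the original messages. The `make_proxy` function, its arguments, the output file names and the `inheritAll`/`pathlen:0` policy are assumptions of this sketch; with `KEYFORM=engine` the key id is whatever engine_pkcs11 expects for your token.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not code from the thread).
# make_proxy OUTDIR EEC_CERT EEC_KEY KEYFORM SUBJECT [ENGINE]
#   KEYFORM=PEM     EEC_KEY is a key file (software key, e.g. for a dry run)
#   KEYFORM=engine  EEC_KEY is a key id resolved by ENGINE (e.g. pkcs11),
#                   so the EEC private key never leaves the token
make_proxy() (
  set -eu
  out=$1 eec_cert=$2 eec_key=$3 keyform=$4 subject=$5 engine=${6:-}

  # The proxy key is stored unencrypted, so file access is the only
  # protection: create everything owner-only.
  umask 077
  mkdir -p "$out"

  # Fresh proxy key pair; -nodes because the proxy is used without a PIN.
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$out/proxy.key" -out "$out/proxy.csr" 2>/dev/null

  # RFC 3820 proxyCertInfo extension: inherit all rights, no re-delegation.
  printf '[proxy]\nproxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:0\n' \
    > "$out/proxy.ext"

  # The signature is made through the key handle; whether that handle is a
  # file or an engine-backed token key is the only thing that changes.
  openssl x509 -req -in "$out/proxy.csr" -days 1 -sha256 \
    ${engine:+-engine "$engine"} \
    -CA "$eec_cert" -CAkey "$eec_key" -CAkeyform "$keyform" \
    -set_serial "0x$(openssl rand -hex 8)" \
    -extfile "$out/proxy.ext" -extensions proxy \
    -out "$out/proxy.pem"

  rm -f "$out/proxy.csr" "$out/proxy.ext"
)
```

The result is `proxy.pem` and `proxy.key` in OUTDIR; combining them into the single file named by X509_PROXY is left to the caller.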