Mark Powers wrote:
>>> 3.6. How will you know when you are done?:
>>> When we can use pkcs11 on Apache for ECC.
>>>
>>
>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>> add the support for ECC mechanisms? You might want to test with Sun Java
>> System web server too.
>
> Perhaps I'm naive, but I thought by offering ECC mechanisms in libpkcs11
> and telling the webserver to use pkcs11, that everything would work.

No. It does not. Apache web server depends on the OpenSSL PKCS #11 engine to be able to use libpkcs11. This means we have to extend the engine for the new ECC mechanisms, for Apache to work.

>>>
>>> Supported PKCS#11 mechanisms are: CKM_EC_KEY_PAIR_GEN, CKM_ECDSA,
>>> CKM_ECDSA_SHA1, and CKM_ECDH1_DERIVE.
>>
>> I assume this list is for the softtoken library. What mechanisms will
>> the kernel ecc software provider support?
>
> Same mechanisms and curves as in the softtoken library.

We don't need the CKM_EC_KEY_PAIR_GEN mechanism in kernel land, if it helps.

-Krishna
