Krishna Yenduri wrote: > Mark Powers wrote: >>>> 3.6. How will you know when you are done?: >>>> When we can use pkcs11 on Apache for ECC. >>>> >>> Does this mean this project will modify OpenSSL PKCS #11 engine to >>> add the support for ECC mechanisms? You might want to test with Sun Java >>> System web server too. >> Perhaps I'm naive, but I thought by offering ECC mechanisms in libpkcs11 >> and telling the webserver to use pkcs11, that everything would work. > > No. It does not. > > Apache web server depends on the OpenSSL PKCS #11 engine to be able > to use libpkcs11. This means we have to extend the engine for the new > ECC mechanisms, for Apache to work.
Updating the OpenSSL "pkcs11" ENGINE is a separate project by a sparate project team- there are sensitive legal issues with some of the OpenSSL ECC code that doesn't impact this case since it uses code from NSS. For Sun Java System Web Server I believe it already supports ECC keys and certs via NSS and since NSS can use the Solaris libpkcs11 it can use this case's work (though there is little point since it would likely end up being no faster since it is the same software implementation). -- Darren J Moffat
