Darren J Moffat wrote:
> Krishna Yenduri wrote:
>> Mark Powers wrote:
>>>>> 3.6. How will you know when you are done?:
>>>>> When we can use pkcs11 on Apache for ECC.
>>>>>
>>>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>>>> add the support for ECC mechanisms? You might want to test with Sun Java
>>>> System web server too.
>>> Perhaps I'm naive, but I thought by offering ECC mechanisms in libpkcs11
>>> and telling the webserver to use pkcs11, that everything would work.
>>
>> No. It does not.
>>
>> Apache web server depends on the OpenSSL PKCS #11 engine to be able
>> to use libpkcs11. This means we have to extend the engine for the new
>> ECC mechanisms, for Apache to work.
>
> Updating the OpenSSL "pkcs11" ENGINE is a separate project by a
> separate project team - there are sensitive legal issues with some of
> the OpenSSL ECC code that doesn't impact this case since it uses code
> from NSS.
Then section 3.6 needs to be changed. And the above dependency/issue needs
to be called out.

> For Sun Java System Web Server I believe it already supports ECC keys
> and certs via NSS and since NSS can use the Solaris libpkcs11 it can
> use this case's work (though there is little point since it would
> likely end up being no faster since it is the same software
> implementation).

Yes. One would typically only do this if there is hardware acceleration
available. The software implementation helps as a fallback in this case.
For example, if the hardware returned a CRYPTO_BUSY error code, metaslot
will use softtoken.

-Krishna
