Will Young wrote:
> On Wed, 2009-07-08 at 15:36 -0500, Nicolas Williams wrote:
>> On Wed, Jul 08, 2009 at 04:21:47PM -0400, Will Young wrote:
>>> On Wed, 2009-07-08 at 14:25 -0500, Nicolas Williams wrote:
> ...
>>> A kmf/PKCS#11 hybrid module seems to be the only possibility aside from
>>> OpenSSL or NSS that adequately covers the needed crypto operations and
>>> certificate management operations.
>> The nice thing about KMF is that it gives you a single interface to
>> OpenSSL and NSS keystores.
>>
>>> But this combination also doesn't solve anything for all store types so
>>> it is not a worthwhile immediate investment.
>> I don't understand this last statement.
>
> KMF gives nice capabilities for certificate operations, i.e. to
> determine the trust of a cert given a store of any type. But it really
> has crypto operations that are also geared towards certificate
> management purposes. I.e. atomic since certificates are small, not so
> many algorithms since no one wants an odd one for their certs.
>
> So once one has done one's cert operations and is then ready to use the
> key, one needs to drop to a specific underlying provider to do
> operations xmlsec requires with the key. This means either an
> implementation of crypto for each keystore type or key extraction and
> the assumption that key extraction will always be allowed by the
> non-default keystores.
> -Will
KMF was not designed to offer a full set of crypto operations, just those that would be relevant when dealing with PKI objects - X.509 certs, RSA/DSA keys, CRLs. You can use KMF though to fetch a key handle from NSS, PKCS11, or OpenSSL and then use that key handle to do further crypto using the crypto API appropriate for the keystore.

-Wyllys