Dr Stephen Henson wrote:
> 
> > I plan to add PKCS11 directly to SSL, allowing any cryptographic
> > method available on the token to be used by the library. This will
> > start with RSA, thus seem to make the point moot, but it allows
> > for much more flexible and clean insertion of PKCS in the code (IMO)
> >
> > In order to do this I think, I need to remove all non-evp RSA/DSA/DH calls
> > from the ssl code. I am wondering whether there is any reason why this is not
> > a GoodThing.
> >
> 
> I think this is a good thing but the current OpenSSL EVP stuff isn't
> really up to the task; there are some other issues as well.
> 
> Making the EVP stuff up to the task is IMHO a very good thing.

Well, as I am paid doing it right now, thus have the time to do it B-)
> 
> You might get away with it just for SSL but in general you might have
> problems.
> 
> Firstly there is the way the EVP stuff works. You tend to have an
> EVP_CIPHER structure to describe each cipher. In the case of algorithms
> like RC2 this means you have a cipher structure with 40, 64 and 128
> bits. The cipher explicitly defines the key length and effective number
> of bits. If you want anything other than those supplied you have to do
> some nasty low level cipher specific stuff that goes outside EVP. Some
> kind of EVP_Cipher_ctrl or such like for cipher specific tweaks would
> help.

Hmm... I was planning to do away with the whole cipher for those contexts
that do pkcs11. They would know whether they are 'native' or pkcs11 ctx's

And the methods would handle them accordingly. The pkcs11 ctxs are configured
in terms of 'mechanisms' rather than ciphers.
> 
> Another problem is how you 'clone' a context, that is make an
> independent copy. One way to do this is to just copy the context
> structure. If you do that it will break PKCS#11 because the two would
> not be independent. What is needed is some kind of EVPCipherClone and
> EVPDigestClone functions and strong recommendations that that is the
> *only* supported method and of course fixing broken older code that just
> copies the structure.

Where is this cloning used? Any particular lines in the openssl code
or in applications?
> 
> Another issue is how you would use token objects. Currently IMHO OpenSSL
> is rather lacking in this area. All you can really do is load in files,
> anything else tends to involve an application manually setting up the
> necessary callbacks.

Yes, that I have put back, because the application I will test the support
in, I can change to that end.

[..concept for resource loading driver deleted..]

Cool....<incomprehensible mumbling>....I will chew on this....B-)

mfg lutz
-- 
*******************************************************************
Lutz Behnke                             Tel.:   040 / 766 29 1423
TC TrustCenter for Security             Fax.:   040 / 766 29 577
in Data Networks GmbH                   email: [EMAIL PROTECTED]
Am Werder 1    
21073 Hamburg, Germany
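
The context-cloning problem raised in the thread, as an added example that is not part of the original message or of OpenSSL. It uses a constructed toy context: `toy_ctx`, `toy_clone` and the simulated token sessions are hypothetical names. It shows that a plain structure copy stays independent for a native context but aliases the token-side state of a token-backed one.

```c
#include <stdio.h>
/* Constructed model: a token-backed context holds only a session handle;
 * the running digest state lives on the (simulated) token. */
#define MAX_SESSIONS 8
static unsigned long token_state[MAX_SESSIONS];
static int sessions_open;
typedef struct {
    int is_token;         /* 0 = native, 1 = token-backed */
    unsigned long state;  /* native running state, kept inline */
    int session;          /* hypothetical token session handle */
} toy_ctx;
static int token_open(unsigned long initial) {
    if (sessions_open == MAX_SESSIONS) return -1;
    token_state[sessions_open] = initial;
    return sessions_open++;
}
int toy_init(toy_ctx *c, int is_token) {
    *c = (toy_ctx){ is_token, 5381, is_token ? token_open(5381) : -1 };
    return !is_token || c->session >= 0;
}
void toy_update(toy_ctx *c, const char *p) {
    unsigned long *s = c->is_token ? &token_state[c->session] : &c->state;
    for (; *p; p++) *s = *s * 33 + (unsigned char)*p;
}
unsigned long toy_final(const toy_ctx *c) {
    return c->is_token ? token_state[c->session] : c->state;
}
/* The supported copy: a token context gets a session of its own. */
int toy_clone(toy_ctx *dst, const toy_ctx *src) {
    *dst = *src;
    if (src->is_token) dst->session = token_open(token_state[src->session]);
    return !src->is_token || dst->session >= 0;
}
/* 1 if updating the copy leaves the original's result unchanged, 0 if not. */
int copy_is_independent(int is_token, int use_clone) {
    toy_ctx a, b;
    if (!toy_init(&a, is_token)) return -1;
    toy_update(&a, "hello");
    unsigned long before = toy_final(&a);
    if (!use_clone) b = a;  /* plain structure copy */
    else if (!toy_clone(&b, &a)) return -1;
    toy_update(&b, " world");
    return toy_final(&a) == before;
}
int main(void) {
    printf("native copy=%d token copy=%d token clone=%d\n", copy_is_independent(0, 0),
           copy_is_independent(1, 0), copy_is_independent(1, 1));
    return 0;
}
```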
