Hi Chris,

I have recently been working on PKCS#11 support for
OpenSSL via a change to the EVP interface. I think
I can, at least conceptually, answer all the questions
below.

If you are interested I could mail you the patches
for you to have a look at them.

> >X-Mailer: Liam [version 0.7]
What's that? Never heard of it.
> >
> >After my first round of adding nCipher support to SSLeay, I'm going to start
> >working on a new hardware API for OpenSSL.
Why invent a new one? PKCS#11 is exactly designed for this. While one
might argue that something sponsored by RSA Inc. is not as open as it
can be, it is not as focused on SmartCards as PC/SC.
> >
> >I already have some ideas about what kinds of things I want to do, but I'd like
> >some feedback from others.
> >
> >Some potential issues I see with OpenSSL:
> >
> >(1)  Completely lacks any sort of hardware API
Yup, true, but the abstraction of the EVP layer is fairly similar to
the layer needed to put PKCS#11 support into the code. Even when using
something other than PKCS#11 this would be a good point to start, and
EVP needs some overhaul anyway.
> >
> >(2)  Doesn't have the capability internally to support calls out to
> >hardware in a nonblocking fashion
I do not propose to solve this, but it might be possible by changing the
'internal' functions of the four basic crypto ops into being able to
work non-blocking.
> >
> >(3)  Doesn't understand the notion of a key that it cannot see
I have solved this by splitting the key and the mechanism, as it was
always done for the symmetric ciphers.

Then you can attach methods to the mechanism structures like you would
in C++ by using virtual function members, and the call gets either
passed on to the ceay RSA implementation or the hardware.

I also split the signing structures into hash and encrypt. I currently
still have problems getting the proper OIDs back into the ASN.1
structures, since md5withRSAEncryption is just one OID, not md5 and RSA
as I want them in the signature structure, but I am getting there.
> >

I know that I have been talking about this for a long time. But I
consider it a grave breach of netiquette to post ~1MB to a mailing
list, even in the days of mailers that send Word-Docs as primary mail
content. I mailed the changes to Steve, but have not heard from him yet.

mfg lutz

-- 
*******************************************************************
Lutz Behnke                             Tel.:   040 / 766 29 1423
TC TrustCenter for Security             Fax.:   040 / 766 29 577
in Data Networks GmbH                   email: [EMAIL PROTECTED]
Am Werder 1    
21073 Hamburg, Germany
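The key/mechanism split described in the message above (a method table attached to the mechanism, with the call dispatched either to the software RSA code or to hardware), as an added C sketch that is not part of the original post or of the OpenSSL patches it mentions. The `PKEY`, `PKEY_METHOD`, `SW_KEY` and `HW_REF` names and the toy keyed hash standing in for the RSA operation are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>

/* Method table attached to a mechanism: the C equivalent of C++ virtual
 * members. The key object below never hands key material to the caller. */
typedef struct pkey_st PKEY;
typedef struct {
    const char *name;
    uint32_t (*sign)(const PKEY *key, const uint8_t *digest, size_t len);
} PKEY_METHOD;

struct pkey_st {
    const PKEY_METHOD *meth;   /* which backend handles this key */
    const void *handle;        /* backend-private data, opaque to EVP users */
};

/* Toy "signature": a keyed polynomial hash standing in for the RSA op
 * (placeholder, not a real signature scheme). */
static uint32_t toy_sign(uint32_t secret, const uint8_t *d, size_t n) {
    uint32_t h = secret;
    for (size_t i = 0; i < n; i++) h = h * 31u + d[i];
    return h;
}

/* Software backend: the private value lives in process memory. */
typedef struct { uint32_t secret; } SW_KEY;
static uint32_t sw_sign(const PKEY *key, const uint8_t *d, size_t n) {
    return toy_sign(((const SW_KEY *)key->handle)->secret, d, n);
}
static const PKEY_METHOD sw_method = { "software", sw_sign };

/* Hardware backend: the application holds only a slot/object reference;
 * the secret is derived inside the simulated token and never exported,
 * which is the "key that it cannot see" case. */
typedef struct { int slot; int object; } HW_REF;
static uint32_t token_sign(int slot, int object, const uint8_t *d, size_t n) {
    uint32_t secret = (uint32_t)(1000 * slot + object);  /* token-internal */
    return toy_sign(secret, d, n);
}
static uint32_t hw_sign(const PKEY *key, const uint8_t *d, size_t n) {
    const HW_REF *r = key->handle;
    return token_sign(r->slot, r->object, d, n);
}
static const PKEY_METHOD hw_method = { "pkcs11", hw_sign };

/* Single EVP-style entry point: dispatch through the method table, so the
 * caller's code is identical whether the key is in software or on a token. */
uint32_t pkey_sign(const PKEY *key, const uint8_t *digest, size_t len) {
    return key->meth->sign(key, digest, len);
}
```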
