Steve,

Have you looked into the requirements w.r.t. posting code from a US company?
Specifically, I think you have to post to BXA as well.

Ron.

-----Original Message-----
From: Reddie, Steven [mailto:[EMAIL PROTECTED]]
Sent: Friday, 25 February 2000 11:32
To: [EMAIL PROTECTED]
Cc: Joerg Bartholdt
Subject: RE: extern private key, smart cards, RSA_METHOD_FLAG_NO_CHECK


I create my own RSA_METHOD structure which contains pointers to my RSA
public/private encrypt/decrypt functions.  It also contains a flags member
which is where I set RSA_METHOD_FLAG_NO_CHECK.  I have the private key
stored on the Hardware Security Module (HSM) and the certificate is
available to the application.  I use the Subject of the certificate to find
the private key with a matching Subject on the HSM.  When loading a key from
the HSM (i.e. getting its handle for later use) I call RSA_new_method and
pass in a pointer to my RSA_METHOD structure.  RSA_new_method copies the
flags from RSA_METHOD into the new RSA structure (key).  Another important
thing that I do is get the public modulus from the HSM key, convert it into
a BIGNUM using BN_bin2bn and then store it in RSA->n.  This is needed by
OpenSSL crypto code when determining the key length.  The _hack_ that I use
to associate the RSA key with the HSM key handle is to store the HSM key
handle in RSA->p (the private modulus).  Since my public/private
encrypt/decrypt functions are called for operations on this RSA key (via my
RSA_METHOD structure) my code knows what RSA->p really means and everything
is happy.

I'm currently chasing up what is required of me to submit code due to the
relaxed US crypto export laws.  I'll probably post some code to this list
later today.  My code is not diffs to OpenSSL, and simply needs to be linked
into your application.

Regards,

Steven
--
Steven Reddie <[EMAIL PROTECTED]>
Senior Software Developer
OpenDirectory Lab, Computer Associates Pty Ltd (Australia)
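The delegation pattern Steven describes, written out as an added example that is not code from the post or from OpenSSL. It is plain C with a stand-in for both the HSM and the RSA/RSA_METHOD structures (every name and the toy key below are constructed), so it compiles without libcrypto. The private exponent never leaves the stand-in module; the application only ever holds a handle and the public modulus, the method flags are copied into the key the way RSA_new_method does it, and check_private_key shows what RSA_METHOD_FLAG_NO_CHECK buys you: with no p or q in the key there is nothing to compare, so the check is skipped and the modulus-versus-certificate comparison is all that remains.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same role as OpenSSL's RSA_METHOD_FLAG_NO_CHECK: key has no private
 * components in software, so skip the private-key/certificate match test. */
#define RSA_METHOD_FLAG_NO_CHECK 0x01

/* ---- Stand-in for the HSM (constructed; toy key p=61, q=53, fits in 64 bits) ---- */
struct hsm_slot { const char *subject; uint64_t n, e, d; };
static const struct hsm_slot hsm_slots[] = { { "CN=app.example", 3233, 17, 2753 } };
typedef int hsm_handle_t;                      /* slot index; -1 means not found */

static uint64_t modpow(uint64_t b, uint64_t ex, uint64_t m) {
    uint64_t r = 1; b %= m;
    while (ex) { if (ex & 1) r = r * b % m; b = b * b % m; ex >>= 1; }
    return r;
}
static hsm_handle_t hsm_find_key(const char *subject) {      /* lookup by cert Subject */
    for (size_t i = 0; i < sizeof hsm_slots / sizeof hsm_slots[0]; i++)
        if (strcmp(hsm_slots[i].subject, subject) == 0) return (int)i;
    return -1;
}
/* The module exports only the public modulus, big-endian; returns byte length. */
static size_t hsm_get_modulus(hsm_handle_t h, unsigned char *out, size_t cap) {
    uint64_t n = hsm_slots[h].n; unsigned char tmp[8]; size_t len = 0;
    while (n) { tmp[len++] = (unsigned char)(n & 0xff); n >>= 8; }
    if (len > cap) return 0;
    for (size_t i = 0; i < len; i++) out[i] = tmp[len - 1 - i];
    return len;
}
static uint64_t hsm_private_op(hsm_handle_t h, uint64_t m) {   /* d stays in here */
    return modpow(m, hsm_slots[h].d, hsm_slots[h].n);
}

/* ---- Application side: stand-ins for RSA_METHOD and RSA ---- */
struct rsa_key;
struct rsa_method {
    const char *name;
    uint64_t (*priv_enc)(const struct rsa_key *, uint64_t);   /* sign   */
    uint64_t (*pub_dec)(const struct rsa_key *, uint64_t);    /* verify */
    int flags;
};
struct rsa_key {
    const struct rsa_method *meth;
    int flags;            /* copied from meth->flags, as RSA_new_method does */
    uint64_t n, e;        /* public part only; n is what rsa_size() needs */
    hsm_handle_t handle;  /* own field for the association (the post used RSA->p) */
};

/* Stand-in for BN_bin2bn: big-endian bytes -> integer (toy: at most 8 bytes). */
static uint64_t bn_bin2bn_u64(const unsigned char *buf, size_t len) {
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 8; i++) v = (v << 8) | buf[i];
    return v;
}
static struct rsa_key rsa_new_method(const struct rsa_method *meth) {
    struct rsa_key k; memset(&k, 0, sizeof k);
    k.meth = meth; k.flags = meth->flags; k.handle = -1;
    return k;
}
static uint64_t hsm_priv_enc(const struct rsa_key *k, uint64_t m) {
    return hsm_private_op(k->handle, m);          /* delegate to the module */
}
static uint64_t hsm_pub_dec(const struct rsa_key *k, uint64_t s) {
    return modpow(s, k->e, k->n);                 /* public op runs in software */
}
static const struct rsa_method hsm_method = { "hsm", hsm_priv_enc, hsm_pub_dec,
                                              RSA_METHOD_FLAG_NO_CHECK };

/* Find the key by Subject, keep the handle, and fill n so key-length logic works. */
static int load_key_from_hsm(struct rsa_key *k, const char *subject, uint64_t cert_e) {
    unsigned char buf[8]; size_t len;
    *k = rsa_new_method(&hsm_method);
    k->handle = hsm_find_key(subject);
    if (k->handle < 0) return 0;
    len = hsm_get_modulus(k->handle, buf, sizeof buf);
    if (len == 0) return 0;
    k->n = bn_bin2bn_u64(buf, len);
    k->e = cert_e;
    return 1;
}
static size_t rsa_size(const struct rsa_key *k) {     /* derived from n only */
    size_t bytes = 0; for (uint64_t n = k->n; n; n >>= 8) bytes++;
    return bytes;
}
/* What a private-key/certificate consistency check can still do for an HSM key:
 * compare the public modulus, then honour NO_CHECK because p and q are absent. */
static int check_private_key(const struct rsa_key *k, uint64_t cert_n) {
    if (k->n != cert_n) return 0;
    return (k->flags & RSA_METHOD_FLAG_NO_CHECK) ? 1 : 0;
}
static uint64_t rsa_sign(const struct rsa_key *k, uint64_t m)   { return k->meth->priv_enc(k, m); }
static uint64_t rsa_verify(const struct rsa_key *k, uint64_t s) { return k->meth->pub_dec(k, s); }

static struct rsa_key *demo_key(void) {              /* loaded once, for callers/tests */
    static struct rsa_key k; static int ok = -1;
    if (ok < 0) ok = load_key_from_hsm(&k, "CN=app.example", 17);
    return ok ? &k : NULL;
}
int main(void) {
    struct rsa_key *k = demo_key();
    if (!k) return 1;
    uint64_t sig = rsa_sign(k, 65);
    printf("modulus bytes=%zu sig=%llu recovered=%llu check=%d\n", rsa_size(k),
           (unsigned long long)sig, (unsigned long long)rsa_verify(k, sig),
           check_private_key(k, 3233));
    return 0;
}
```

Against the real library the cleaner place for the handle is the per-object application data slot (RSA_get_ex_new_index / RSA_set_ex_data) rather than RSA->p, since any generic code that inspects p would misread a handle as a prime; the modulus-in-n step is what keeps RSA_size and the TLS key-length logic honest either way.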
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to