RE: PKCS#11 engine support

Reddie, Steven Thu, 03 May 2001 18:24:51 -0700
I've only used the two smartcard readers listed below, with Schlumberger and
GemPlus/GemPKCS cards.  I understand what you're saying, but I initially had
problems using the Schlumberger card with the GemPlus reader and concluded
that the complete PKCS#11 view of the token was influenced by the drivers
for the reader.  However, I'm now using a different batch of Schlumberger
cards with the same reader (although the reader drivers have been updated).
So, perhaps compatibility issues make it necessary to list the readers as
well as the tokens that are supported.

> -----Original Message-----
> From: Erwann ABALEA [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 6:58 PM
> To:   [EMAIL PROTECTED]
> Subject:      RE: PKCS#11 engine support
> 
> On Thu, 3 May 2001, Reddie, Steven wrote:
> 
> > Zoran, I'd be happy to test your implementation.  The PKCS#11 devices
> that I
> > have at my disposal are:
> >     Eracom CSA7001/7002
> >     nCipher nFast SCSI HSM
> 
> >     GemPlus PC410 smartcard reader
> >     Litronic Netsignia 210 smartcard reader
> 
> Please don't say that a smartcard reader is a PKCS#11 token... The token
> is the smartcard, not the reader. I think you're talking about a GemSAFE
> card accessed with a PC410 reader, right? You could use the same card with
> the Litronic reader, as soon as you splitted the code between
> reader-dependant and card-dependant. The best way to do this is to use the
> PC/SC API.
> 
> > and I think there may be a Rainbow HSM and Rainbow iKey's floating
> around
> > somewhere.
> 
> > I was gearing up to submit the OpenSSL/PKCS#11 integration that I've
> > been developing/using for the last 18 months.  It works with the
> > devices listed above, and the Rainbow CryptoSwift 300.  It's taken me
> > this long to get approval from above.  I've only implemented RSA
> > operations though, so perhaps yours is more complete.  Mine is
> > implemented using the RSA_METHOD hook rather than as an ENGINE
> > component, so yours may be more relevant.
> >
> > Regards,
> >
> > Steven
> >
> > > -----Original Message-----
> > > From:     Zoran Radenkovic [SMTP:[EMAIL PROTECTED]]
> > > Sent:     Thursday, May 03, 2001 11:42 AM
> > > To:       [EMAIL PROTECTED]
> > > Cc:       [EMAIL PROTECTED]
> > > Subject:  PKCS#11 engine support
> > >
> > > Hi,
> > >
> > > We are currently producing an OpenSSL/mod_ssl/Apache solution that
> uses
> > > our
> > > new h/w accelerator
> > > card CSA8000. This card talks to the host using PKCS#11 interface and
> it
> > > plugs-in to OpenSSL
> > > via engine API. Currently it supports 0.9.6 version (in next few days
> we
> > > will look
> > > in 0.9.6a as well). Engine support is completely PKCS#11 based (it's
> not
> > > h/w specific as other engines)
> > > and should work with any cryptoki implementation. We tested it with
> > > cryptoki for CSA7000, CSA8000
> > > adapters and s/w based cryptoki. We don't have available any
> non-Eracom
> > > cryptoki.
> > >
> > > We got approval from management to opensource this patch for openssl
> if
> > > there is an interest. It would
> > > be great if we can catch the train for 0.9.7. How far is it?
> > >
> > > I have few questions if we go further:
> > > a)   How much is engine API changed in 0.9.7. Will 0.9.6a port will
> work
> > > or
> > > is demanding significant
> > > change?
> > >
> > > b)   Does openssl development team have any means to test it with
> criptoki
> > > implementation.
> > > Because CSA8000 will be released in next few weeks it will be very
> hard to
> > > get handle to one adapter.
> > > We can maybe provide Eracom's s/w criptoki implementation for
> > > openssl-development team.
> > >
> > > c)   Is it sufficient to give you a patch for 0.9.6a or we need to
> port it
> > > on 0.9.7 shapshot  first.
> > >
> > >
> > > Cheers,
> > > Zoran Radenkovic
> > >
> > >
> > >
> > > ERACOM Products meeting today's security needs.
> > > Visit our Website at: http://www.eracom.com.au
> > > Or call ERACOM Pty. Ltd. on: +61 7 5593 4911
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > Development Mailing List                       [EMAIL PROTECTED]
> > > Automated List Manager                           [EMAIL PROTECTED]
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > Development Mailing List                       [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> >
> 
> -- 
> Erwann ABALEA
> [EMAIL PROTECTED]
> RSA PGP Key ID: 0x2D0EABD5
> -----
> When uncertain, or in doubt, run in circles and scream.
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: PKCS#11 engine support

Reply via email to
