As part of the Globus project, we added support for PKCS#11 to OpenSSL. We have used
the Windows DLLs provided with the iButton, GemPlus, and Schlumberger. We also
tested the Lintronic SDK on Solaris. It should work with the iButton on Unix as well.

The GSI implements a GSSAPI on top of SSL. Certificates and
keys can be stored on the smartcard, and modified versions of
RSA_eay_private_* can use the PKCS#11 C_Sign to have the smartcard do the
RSA operations on the card. These are contained in the routine scutils.c.
The PKCS#11 session and object handles are stored in the RSA ex_data fields,
and the object methods point to these modified routines.
So there are no real changes to OpenSSL.
The GSI can be obtained from ftp://ftp.globus.org/pub/gsi/gsi-041701.tar.gz
More information can be obtained from http://www.globus.org/security
Drop me a note if this is helpful.
"Steven A. Bade" wrote:
>
> I believe recently 2 individuals posted something about having
> implemented PKCS#11 support for some level of tokens. The one I can
> remember was from Eracom....
> On Thu, Jun 28, 2001 at 09:33:44AM -0700, Geoff Thorpe wrote:
> > Hi there,
> >
> > On Thu, 28 Jun 2001, Rainer Kaufmann wrote:
> >
> > > I can't believe it... nobody did use (patch) OpenSSL with client certificates
> > > on smart cards ?
> >
> > There has been more than one person I've communicated with who was in the midst
> > of adding an ENGINE to support pkcs11 tokens. If you scan the archives (see
> > www.openssl.org for a link) you may be able to track down the last couple of
> > discussions on this subject to catch up on things. There is support for a
> > variety of cryptographic hardware, including hardware that can support key
> > management - however none of them use a pkcs11 interface. Apart from pkcs11
> > being a PITA standard to operate with, it is also faster in the existing cases
> > to go directly to the hardware's preferred API than to try and go via something
> > like pkcs11.
> >
> > However, having openssl support arbitrary pkcs11 devices (well as arbitrary as
> > any pkcs11 support can be given the plethora of broken or fudged
> > implementations) would be a very handy addition. I'm happy to help where
> > possible with this (i.e. anything openssl-side), but have neither the physical
> > hardware nor time to get involved in testing pkcs11 support.
> >
> > Regards,
> > Geoff
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > Development Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
>
> --
> Steven A. Bade
> AIX E-Commerce/Network Security Cryptographic Strategy and Development Architecture
> [EMAIL PROTECTED]
> T/L 678-4799
> (512)-838-4799
>
> --
> To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
>
> "Two-way communication is necessary to proactively facilitate acceptance
> and involvement and to get insights about the journey it takes to get where
> we want"
>
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444