Matthias Loepfe wrote:
> Hi
>
> I just want to give you some background information why AdNovum has
> chosen the, let's call it the 'interceptor-way', of implementing
> the PKCS#11 functionality.
>
> We are working in an environment where the main purpose of the
> hardware security modules (HSM) is not crypto acceleration but
> secure storage of private keys and trust anchors. And in many
> situations we have more than one (different) device active.
> For example one for user authentication (removable chipcard)
> and the other one for server/service authentication.
>
> The problem with the ENGINE approach is, that if you load and
> register an engine for, let's say, RSA, then ALL RSA operations
> are directed to this engine. That's not what we expect. We ONLY
> want the RSA operations bound to the objects (keys, certs)
> stored on the HSM to be executed on it. Under the cover we also
> create an ENGINE but we do not register it, but simply use
> it for the key objects.
It would be better to make this generically possible for all ENGINEs (i.e. to tie particular RSA objects to a particular ENGINE) rather than patch the code for your particular ENGINE.

> Our second goal was to implement a solution which was a plug
> replacement for a 'normal' OpenSSL. That means there is NO need
> to modify any application to use PKCS#11 instead of file based
> keys and certs. We 'mangled' all the necessary parameters into
> one string (like a URL).
>
> Our idea was to open the concept of a 'file' to be a 'URL'. We
> simply intercepted some (by far not all) file operations and
> switched (hardcoded) to our PKCS#11 code if we encounter a
> PKCS11 prefix (protocol part of the URL).
>
> If we would introduce the concept of URLs fundamentally into
> OpenSSL (with loadable URL-protocol-handlers) we would gain
> a whole bunch of new flexibility. (The actual file stuff would
> be the default builtin handler, which gives complete backward
> compatibility.) It would be possible to write an HTTP- or LDAP-
> handler with which we would be able to fetch certs from a central
> point.
>
> Our PKCS#11 code could be put into such a URL-handler.

This sounds like a great approach.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
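The dispatcher sketched below is an added example illustrating the URL-handler proposal in the thread above; it is not OpenSSL code and not AdNovum's interceptor. It models the two points Matthias and Ben make: keys are located through a per-scheme handler table (so only the objects named by a `pkcs11:` string are bound to the HSM path), and any name without a registered scheme keeps the old plain-file meaning, which is what gives backward compatibility. The `pkcs11:` attribute syntax (`;`-separated `key=value` pairs, percent-escaped) is borrowed from the later RFC 7512 PKCS#11 URI scheme as an assumption; `KeyRef`, `register_handler` and `locate` are names invented for this example.

```python
"""Scheme-dispatching key/cert locator, modelled on the URL-handler proposal
in the thread above. Added example; not OpenSSL's or AdNovum's code."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote


@dataclass
class KeyRef:
    """Where a key or certificate lives: which handler owns it (and therefore
    which code path its crypto operations take) plus the parsed location."""
    scheme: str
    location: str
    attrs: Dict[str, str] = field(default_factory=dict)


# scheme name -> handler that turns the text after "scheme:" into a KeyRef.
# This is the loadable-handler table the proposal asks for (hypothetical API).
HANDLERS: Dict[str, Callable[[str], KeyRef]] = {}


def register_handler(scheme: str, handler: Callable[[str], KeyRef]) -> None:
    HANDLERS[scheme.lower()] = handler


# RFC 3986 scheme shape: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
# At least two characters are required so a Windows drive letter
# ("C:\certs\server.pem") is never mistaken for a URL scheme.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]+):(.*)$", re.DOTALL)


def split_scheme(name: str) -> Tuple[Optional[str], str]:
    """Return (scheme, rest) only when the prefix is a *registered* scheme;
    anything else is left whole so it keeps its traditional file meaning."""
    m = _SCHEME_RE.match(name)
    if m and m.group(1).lower() in HANDLERS:
        return m.group(1).lower(), m.group(2)
    return None, name


def file_handler(rest: str) -> KeyRef:
    """Built-in default handler: the whole string is a filesystem path."""
    return KeyRef("file", rest)


def pkcs11_handler(rest: str) -> KeyRef:
    """Parse 'pkcs11:token=X;object=Y;type=private' (RFC 7512-style attrs,
    assumed here). The object must be named, or the lookup is ambiguous."""
    attrs: Dict[str, str] = {}
    for part in filter(None, rest.split(";")):
        if "=" not in part:
            raise ValueError(f"malformed pkcs11 attribute: {part!r}")
        key, value = part.split("=", 1)
        attrs[unquote(key).lower()] = unquote(value)
    label = attrs.get("object") or attrs.get("id")
    if not label:
        raise ValueError("pkcs11 URL must name the object (object= or id=)")
    return KeyRef("pkcs11", label, attrs)


register_handler("file", file_handler)
register_handler("pkcs11", pkcs11_handler)


def locate(name: str) -> KeyRef:
    """Dispatch on the URL scheme. Only names carrying a registered scheme
    leave the file path; everything else behaves exactly as before."""
    scheme, rest = split_scheme(name)
    if scheme is None:
        return file_handler(name)
    return HANDLERS[scheme](rest)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real configuration.
    for sample in ("/etc/ssl/private/server.key",
                   "pkcs11:token=HSM%201;object=server-key;type=private",
                   "C:\\certs\\server.key",
                   "file:pkcs11:token=X"):
        print(sample, "->", locate(sample))
```

Two caveats a practitioner would want: first, once a `pkcs11:` handler is registered, a plain file that happens to be named `pkcs11:something` becomes unreachable unless it is spelled `file:pkcs11:something`, which is the one incompatibility this scheme introduces. Second, an unregistered but URL-looking name such as `ldap://host/cn=server` still falls through to the file handler, so it fails later at open() rather than in the dispatcher; if a loud failure is preferred, refuse names containing `://` whose scheme is not registered.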
