I assume you use the trustway PKCS#11 engine patch. The public key file is only needed for extracting the public key modulus, which is then used to identify (via C_FindObjects) the corresponding private key on the token. The following private key operation (C_Sign, C_Decrypt, C_Unwrap) is executed on behalf of the PKCS#11-Token, hence the private key is never exposed.
AFAIK, the trustway patch works only with a Bell-HSM or at least with a token that does not need a login prior to using any private objects, like the CEAY-Token of GPKCS11 does by default.
Regards
Martin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
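An added sketch of the lookup the message above describes, not code from the post or from the patch it discusses: the modulus is read from a DER-encoded RSA public key and used as a search template for the private key object. The token is an in-memory model (no PKCS#11 library is called), the handles and the toy key are constructed, and the function names are hypothetical; it also models the PKCS#11 rule that objects marked private are hidden from a session that has not logged in.

```python
# Attribute and class values as defined in the PKCS#11 standard header.
CKA_CLASS, CKA_PRIVATE, CKA_MODULUS = 0x000, 0x002, 0x120
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = 0x2, 0x3

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus(der):
    """Modulus of a PKCS#1 RSAPublicKey, in the byte form used for CKA_MODULUS."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n, _ = _tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # DER prepends 0x00 when the top bit is set; PKCS#11 big integers are
    # unsigned, so the sign byte must go or the template will not match.
    return n.lstrip(b"\x00")

def find_objects(token, template, logged_in=False):
    """Model of C_FindObjects: handles whose attributes match every template
    entry. Objects with CKA_PRIVATE set are invisible without a login."""
    return [h for h, attrs in token.items()
            if (logged_in or not attrs.get(CKA_PRIVATE, False))
            and all(attrs.get(k) == v for k, v in template.items())]

def private_key_handles(token, pubkey_der, logged_in=False):
    # Only a handle comes back; the key material stays inside the token.
    template = {CKA_CLASS: CKO_PRIVATE_KEY, CKA_MODULUS: rsa_modulus(pubkey_der)}
    return find_objects(token, template, logged_in)

# Constructed sample data: toy 64-bit "modulus", e = 65537, made-up handles.
PUB_DER = bytes.fromhex("3010020900c1a2b3c4d5e6f7090203010001")
MOD = bytes.fromhex("c1a2b3c4d5e6f709")

def _token(private):
    return {10: {CKA_CLASS: CKO_PUBLIC_KEY, CKA_MODULUS: MOD},
            11: {CKA_CLASS: CKO_PRIVATE_KEY, CKA_PRIVATE: private, CKA_MODULUS: MOD},
            12: {CKA_CLASS: CKO_PRIVATE_KEY, CKA_PRIVATE: private, CKA_MODULUS: b"\x7f" * 8}}

TOKEN_OPEN = _token(private=False)   # private key visible without login
TOKEN_LOGIN = _token(private=True)   # private key hidden until login
```

On `TOKEN_LOGIN` the search returns nothing until `logged_in=True` is passed, so an engine that never logs in finds no key to operate on.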
