Hi all,

I am currently building a CA using the OpenSSL crypto library. Private keys will be stored inside an HSM. Therefore I'm considering the EVP interface, as it allows using an engine towards an HSM.

Examples of operations involving private keys that need to be supported are:

1. Signing a given message
2. Signing an X.509 certificate
3. Signing a PKCS #10 certificate request
4. Signing an OCSP response message

Example (1) is easy to support using the EVP_Sign functions. However, the three other examples are more complicated. For example 1, the x509_sign() function does not work with private keys inside an HSM, and the EVP interface does not have functions for signing an X.509 certificate.

What would be the best way to implement examples 1-3 using OpenSSL? One way would be to alter the functions in the crypto library. I could, for instance, alter x509_sign() so that it talks to the HSM. But would that be the most appropriate?

Thanks in advance.

--
Frederik Mennes
Security Architect
VASCO Data Security
Koningin Astridlaan 164
B-1780 Wemmel, Belgium
I am currently building a CA using the OpenSSL crypto library. Private keys will be stored inside an HSM. Therefore I'm considering the EVP interface as it allows using an engine towards an HSM. Examples of operations involving private keys that need to be supported are: 1. Signing a given message 2. Signing an X.509 certificate 3. Signing a PKCS #10 certificate request 4. Signing an OCSP response message Example (1) is easy to support using the EVP_Sign functions. However the three other examples are more complicated. For example 1, the x509_sign() function does not work with private keys inside an HSM, and the EVP interface does not have functions for signing an X.509 certificate. What would be the best way to implement examples 1-3 using OpenSSL? One way would be to alter the functions in the crypto library. I could, for instance, alter x509_sign() so that it talks to the HSM. But would that be the most appropriate? Thanks in advance. -- Frederik Mennes Security Architect VASCO Data Security Koningin Astridlaan 164 B-1780 Wemmel, Belgium