Re: pkcs#11 engine for openssl

2003-07-29 Thread Afchine Madjlessi
Hi Gilad,
You must copy the public key file generated by openssl (cakey.pem)
in usr/local/appache/ssl.crt/server.key.
The pkcs#11 engine load_private_key function reads the public key file
to find the private key in the hardware.
cheers
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay R&D
http://www.trustway.bull.com

 Hi Afchine,
 After a long vacation I am back in business.
 I have tried applying your mod_ssl patch on the pkcs#11 engine to try and
 work the apache with ssl using my Smart Card.

 I tried before that a simple mod_ssl installation (software keys only) and
 every thing seems to be working fine.

 Unfortunately I was not able to run mod_ssl with the pkcs#11 patch.
 It may be due to some differences on how your hardware behaves compared with
 a regular Smart Card.
 Can you pinpoint me to the source of the problem using the debug log I got
 from apache mod_ssl engine ?

 Thanks.

 P.S.
 FYI I am working also on engine support to secxml library and I will test it
 with the pkcs#11 engine.

 Gilad





 Create RSA private and public on my PKCS#11 SmartCard
 ---
 openssl req -engine pkcs11 -keyform e -new -x509 -keyout cakey.pem -out cacrt.pem -days 365

 cp cacrt.pem /usr/local/appache/ssl.crt/server.crt  => copy the certificate
 created to the apache directory

 I can verify the creation of the RSA keys was successful and they are
 present on the Smart Card

 When trying to run /usr/local/apache/bin/apachctl startssl I get
 pache:mod_ssl:Error: Private key not found.
 **Stopped
 ../bin/apachectl startssl: httpd could not be started

 mod_ssl ssl_engine_log:
 ---

 [29/Jul/2003 16:01:56 14867] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.7b
 [29/Jul/2003 16:01:56 14867] [info]  Init: 1st startup round (still not detached)
 [29/Jul/2003 16:01:56 14867] [info]  Init: Initializing OpenSSL library
 [29/Jul/2003 16:01:56 14867] [info]  Init: Loading certificate & private key of SSL-aware server earth.arx.com:443
 [29/Jul/2003 16:01:56 14867] [error] Init: Private key not found (OpenSSL library error follows)
 [29/Jul/2003 16:01:56 14867] [error] OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: PUBLIC KEY: [Hint: Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?]
 [29/Jul/2003 16:01:56 14867] [error] OpenSSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key: :
 [29/Jul/2003 16:09:18 14885] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.7b
 [29/Jul/2003 16:09:18 14885] [info]  Init: 1st startup round (still not detached)
 [29/Jul/2003 16:09:18 14885] [info]  Init: Initializing OpenSSL library
 [29/Jul/2003 16:09:18 14885] [info]  Init: Loading certificate & private key of SSL-aware server earth.arx.com:443
 [29/Jul/2003 16:09:18 14885] [error] Init: Private key not found (OpenSSL library error follows)
 [29/Jul/2003 16:09:18 14885] [error] OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: PUBLIC KEY: [Hint: Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?]
 [29/Jul/2003 16:09:18 14885] [error] OpenSSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key: :

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: HOWTO for pkcs11 patch?

2003-06-26 Thread Afchine Madjlessi
Hi,
I have written this patch to be used with a hardware Crypto PKCS#11 accelerator
which can store keys. It is used in my company in TrustWay SSL accelerator and
TrustWay Apache-SSL accelerator with the Bull PCI CC2000 HSM.
Our HSM doesn't require C_Login. I believe that call to C_Login is mandatory
on a smartcard.
In this case you must add it in the code. Gilad Finkelstein is working on it and
I think that he will submit some changes for smartcard use.
About the handling of keys:
I have added a new entry (RSA_generate_key) in the RSA_METHOD to enable key generation
in openssl. In the standard method (0.9.6-engine and 0.9.7) we are able to load keys
(load_public_key and load_private_key) but it is supposed that the key is generated
and stored outside openssl.
In the Bull TrustWay patch rsa_generate_key calls PKCS#11 C_GenerateKeyPair
to generate a key pair in the HSM. While the private key stays stored in the HSM, the
public key is stored in a pem file on the disk. In standard mode you have the private
key in this file. The modulus and exponent of the public key stored in the pem file
permit to find the private key.
I attach the shell script used to generate CA and server certificates and also the patch
to apply to mod_ssl if you want to use apache-mod_ssl with openssl-pkcs#11 libcrypto.
Regards
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay R&D
http://www.trustway.bull.com



- Original Message -
From: Reinhard Moosauer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 8:48 AM
Subject: HOWTO for pkcs11 patch?


 Hello List,

 trustway's pkcs11-patch came with basically no info about its usage.
 Especially the handling of stored keys on the smartcard is obscure.
 (openssl normally can only deal with files)

 req -newkey .. seems to work, but the key is not written to the card

 Please, please can anybody give some examples?

 TIA

 kind regards,

 Reinhard




Attachment: CA-pkcs11.sh
Attachment: tw-mod_ssl-2.8.14-1.3.27.patch


Re: pkcs#11 engine for openssl

2003-06-20 Thread Afchine Madjlessi
Hi Gilad,
You have to make some little changes in mod_ssl (like defining SSL_EXPERIMENTAL_ENGINE,
generating temp keys, how to init & terminate the engine).
Attached you can find my patch to mod_ssl.
Once you have initialized the engine in your application, your RSA_method
calls are redirected to the engine instead of the software crypto.
In the case of the actual pkcs#11 engine, RSA, random & load_key are called
through the engine, but EVP calls (cipher & digest), and DH & DSA aren't yet
implemented.
I am working to complete that and also to map the new store_key (0.9.8) to
my RSA generate added in the RSA_method.
So we can have a more generic and complete pkcs#11 engine when I'll have finished
this work!
Regards,
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay R&D
http://www.trustway.bull.com




- Original Message -
From: Gilad Finkelstein [EMAIL PROTECTED]
To: 'Afchine Madjlessi' [EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 7:33 PM
Subject: RE: pkcs#11 engine for openssl


 HI Afchine,
 I probably do not understand fully the concept of the engine module in
 openssl, maybe you can help.

 My understanding is that you must call certain ENGINE_ API so that from that
 point on every regular call to libeay32 function that involves crypto and is
 supported by the engine will be directed to the engine.
 The SSLeay32 lib does not know about engines at all (and for that matter any
 other library that is based on libeay32 or ssleay32).

 I read you tested the patch with mod_ssl which is based on openssl.
 My hope is you did not have to change any code in the mod_ssl to make it
 work with pkcs#11 engine, in that case how did you manage to tell mod_ssl
 -> ssleay32 -> libeay32 to use pkcs#11 engine ?
 Is there some parameter you can use via mod_ssl or ssleay32 that sets
 specific engine usage on ?

 If you did change the mod_ssl can you please tell me what functions you need
 to use to invoke the Engine and where.

 My idea (if that is not supported already) is to allow automatic
 initialization of the libeay32 library with a specific engine when a
 certain environment variable is on (USE_OPENSSL_ENGINES) with the value of
 the engine id name.
 This way all relying libraries will be able to use the engine transparently
 without the need of calling the Initialization logic of a certain engine.
 What do you think ?

 Gilad


 -Original Message-
 From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 11:18 AM
 To: Gilad Finkelstein
 Cc: [EMAIL PROTECTED]; René Martin
 Subject: Re: pkcs#11 engine for openssl

 Hi Gilad,
 Thanks for your advice.
 I don't use C_Login, because the session is always public, and if it's called,
 the C_Login always returns CKR_OK (case of crypto hardware).
 In case of smartcards, you're right, it is mandatory to add a C_Login to take into
 account the user session.
 So, I agree with you to add the C_Login to the open session function.
 I think that each evolution and ability added to the pkcs#11 engine,
 like creating certificate on the hardware, is welcome.

 Regards
 Afchine
 __
 [EMAIL PROTECTED]
 Bull TrustWay R&D
 http://www.trustway.bull.com

 - Original Message -
 From: Gilad Finkelstein [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 11:20 AM
 Subject: FW: pkcs#11 engine for openssl newbie question

  Hi,
  My apologies for the first item (pack requirements)
  I have checked the code and found your remark on setting the CK_Win32 to
  enable pack of 1 on windows platforms.

  I had to add a C_Login in your open session function to enable access to the
  private keys for sign and generate operations. (And I think you would agree
  this should be the generic case of pkcs#11 implementation)

  I would also like to add the ability to create the certificate on the
  hardware token and not as a file.

  Thanks for your help

  Gilad

  -Original Message-
  From: Gilad Finkelstein
  Sent: Sunday, June 15, 2003 11:48 AM
  To: 'Afchine Madjlessi'
  Subject: RE: pkcs#11 engine for openssl newbie question

  Hi,
  I have progressed a lot and can inform you of the following information I
  found.
  1. Your code assumes pkcs11 function structure list pack of 4, my
  cryptoLibrary uses pack 1 (and so is RSA one). I think it would be safer to
  use pack 1 when compiling on win32 platform (using the #pragma pack)
  2. I do not understand how your code successfully generates a key pair
  without C_Login first.
  It seems not to use the pkcs#11 standard of C_Login whenever a private key
  operation is required.
  I added in my code a pkcs#11_login for cases like this and now I am able to
  generate keys on my hardware.

  If I find more things I will let you know.
  Gilad

  -Original Message-
  From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 4:18 PM
  To: Gilad Finkelstein
  Subject: Re: pkcs
Re: pkcs#11 engine for openssl

2003-06-16 Thread Afchine Madjlessi
Hi Gilad,
Thanks for your advice.
I don't use C_Login, because the session is always public, and if it's called,
the C_Login always returns CKR_OK (case of crypto hardware).
In case of smartcards, you're right, it is mandatory to add a C_Login to take into
account the user session.
So, I agree with you to add the C_Login to the open session function.
I think that each evolution and ability added to the pkcs#11 engine,
like creating certificate on the hardware, is welcome.

Regards
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay R&D
http://www.trustway.bull.com

- Original Message -
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 11:20 AM
Subject: FW: pkcs#11 engine for openssl newbie question


 Hi,
 My apologies for the first item (pack requirements)
 I have checked the code and found your remark on setting the CK_Win32 to
 enable pack of 1 on windows platforms.

 I had to add a C_Login in your open session function to enable access to the
 private keys for sign and generate operations. (And I think you would agree
 this should be the generic case of pkcs#11 implementation)

 I would also like to add the ability to create the certificate on the
 hardware token and not as a file.

 Thanks for your help

 Gilad

 -Original Message-
 From: Gilad Finkelstein
 Sent: Sunday, June 15, 2003 11:48 AM
 To: 'Afchine Madjlessi'
 Subject: RE: pkcs#11 engine for openssl newbie question

 Hi,
 I have progressed a lot and can inform you of the following information I
 found.
 1. Your code assumes pkcs11 function structure list pack of 4, my
 cryptoLibrary uses pack 1 (and so is RSA one). I think it would be safer to
 use pack 1 when compiling on win32 platform (using the #pragma pack)
 2. I do not understand how your code successfully generates a key pair
 without C_Login first.
 It seems not to use the pkcs#11 standard of C_Login whenever a private key
 operation is required.
 I added in my code a pkcs#11_login for cases like this and now I am able to
 generate keys on my hardware.

 If I find more things I will let you know.
 Gilad

 -Original Message-
 From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 4:18 PM
 To: Gilad Finkelstein
 Subject: Re: pkcs#11 engine for openssl newbie question

 By default the pkcs#11 engine looks for the bull hardware crypto.
 For your purpose you have to undef BULL_CC2000 in hw_pkcs11.c
 (in the crypto/engine directory) and recompile.
 Then your pkcs#11 api library must be called libpkcs11.so on linux or
 pkcs11.dll on win32.
 Good luck
 Afchine

 - Original Message -
 From: Gilad Finkelstein [EMAIL PROTECTED]
 To: 'Afchine Madjlessi' [EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 4:57 PM
 Subject: RE: pkcs#11 engine for openssl newbie question

  Thanks for your reply,
  I tried the script and got signal 11 on every attempt.
  Is the engine looking for a certain pkcs#11 library name (e.g pkcs11.so ||
  pkcs11.dll ) ?
  I use cygwin on windows2000 with a .dll for pkcs#11 interface to my
  smart card.

  Gilad

  -Original Message-
  From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 3:37 PM
  To: Gilad Finkelstein
  Cc: [EMAIL PROTECTED]
  Subject: Re: pkcs#11 engine for openssl newbie question

  Hi,
  I used the attached shell script to generate a key pair on my crypto hardware, a CSR,
  and make a self-signed certificate.
  Regards
  Afchine Madjlessi

  - Original Message -
  From: Gilad Finkelstein [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 4:21 PM
  Subject: pkcs#11 engine for openssl newbie question

   HI,
   I address you as a last resort since I can not find any answers in openssl
   groups/web on how to use engines in general and pkcs#11 interface in
   particular.
   Can you please direct me to a decent place where I can see how to use your
   generic pkcs#11 openssl engine.
   Can a simple test be run via openssl util ? how ?  any other test that for
   example generates RSA key on my smart card ?
   I was able to compile openssl 0.97 with your patch but I am not sure what
   should I do next (I compiled both on Linux and on Windows using cygwin)
   If I am able to use openssl over my hardware PKCS#11 token I intend to write
   a FAQ on how to achieve that (if that was not written already somewhere )

   Thanks
   Gilad Finkelstein

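Two of the failure modes discussed in the posts above come together in one lookup: the engine's load_private_key reads a PUBLIC KEY PEM (the 29 July log shows what happens when the file handed to it as SSLCertificateKeyFile is something else), takes the modulus from it, and asks the token for the private object with that modulus, which a smartcard will not hand over before C_Login. The following Python model walks through both cases. It is an added example, not code from the TrustWay patch or from OpenSSL: the DER/PEM handling is written here for the example, the Token class is a constructed stand-in for a PKCS#11 library, the CKA_CLASS/CKA_MODULUS template is the generic PKCS#11 way of doing the modulus lookup Afchine describes, and the modulus and exponent are made-up values rather than a real key.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# Minimal DER helpers written for this example: just enough for an RSA SubjectPublicKeyInfo.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return _der_tlv(0x02, body)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def make_public_key_pem(n, e):
    """Encode RSA (n, e) as the 'PUBLIC KEY' PEM that the engine leaves on disk."""
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _der_tlv(0x30, RSA_OID + b"\x05\x00")
    spki = _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def parse_public_key_pem(pem):
    """Return (n, e); refuse anything but a PUBLIC KEY block, as PEM_read_bio does."""
    m = re.search(r"-----BEGIN (.+?)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no start line")
    if m.group(1) != "PUBLIC KEY":
        raise ValueError(f"Expecting: PUBLIC KEY, got: {m.group(1)}")
    der = base64.b64decode("".join(m.group(2).split()))
    _, spki, _ = _read_tlv(der, 0)            # SubjectPublicKeyInfo
    _, alg_id, pos = _read_tlv(spki, 0)       # AlgorithmIdentifier
    if not alg_id.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _read_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

CKO_PRIVATE_KEY, CKR_OK = 3, 0

class Token:
    """Constructed stand-in for a PKCS#11 token; with login_required=True private
    objects stay invisible until C_Login, as on the smartcard in the thread."""
    def __init__(self, objects, login_required=True):
        self.objects, self.login_required, self.logged_in = objects, login_required, False

    def C_Login(self, pin):
        self.logged_in = True  # PIN verification is the card's job; omitted here
        return CKR_OK

    def C_FindObjects(self, template):
        if self.login_required and not self.logged_in:
            return []  # public session: no private objects are returned
        return [h for h, a in self.objects.items() if all(a.get(k) == v for k, v in template.items())]

def load_private_key(token, key_file_text, pin=None):
    """Model of the engine's load_private_key: read the public key file mod_ssl passes
    as SSLCertificateKeyFile, then look the private object up by CKA_MODULUS."""
    n, _e = parse_public_key_pem(key_file_text)
    if pin is not None:
        token.C_Login(pin)
    template = {"CKA_CLASS": CKO_PRIVATE_KEY,
                "CKA_MODULUS": n.to_bytes((n.bit_length() + 7) // 8, "big")}
    handles = token.C_FindObjects(template)
    if not handles:
        raise LookupError("Private key not found")
    return handles[0]

def demo():
    """Three startups against a constructed token; n and e are made-up values, not a real key."""
    n, e = 0xD5B1A73F9E21C4A7, 65537
    token = Token({7: {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_MODULUS": n.to_bytes(8, "big")}})
    good_file = make_public_key_pem(n, e)
    wrong_file = "-----BEGIN RSA PRIVATE KEY-----\nAA==\n-----END RSA PRIVATE KEY-----\n"
    results = {}
    try:
        load_private_key(token, wrong_file, pin="1234")  # a private-key PEM copied by mistake
    except ValueError as exc:
        results["wrong_file"] = str(exc)
    try:
        load_private_key(token, good_file)               # smartcard, but no C_Login
    except LookupError as exc:
        results["no_login"] = str(exc)
    results["with_login"] = load_private_key(token, good_file, pin="1234")
    return results
```

The first two attempts in demo() reproduce the two errors from the thread (the "Expecting: PUBLIC KEY" message from a wrong file, and "Private key not found" when the card has not been logged into); the third succeeds and returns the object handle, which is all the engine ever holds for the private key. The private key material itself never leaves the token in any of the three paths.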


Re: pkcs#11 engine for openssl newbie question

2003-06-11 Thread Afchine Madjlessi
Hi,
I used the attached shell script to generate a key pair on my crypto hardware, a CSR,
and make a self-signed certificate.
Regards
Afchine Madjlessi

- Original Message -
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 4:21 PM
Subject: pkcs#11 engine for openssl newbie question


 HI,
 I address you as a last resort since I can not find any answers in openssl
 groups/web on how to use engines in general and pkcs#11 interface in
 particular.
 Can you please direct me to a decent place where I can see how to use your
 generic pkcs#11 openssl engine.
 Can a simple test be run via openssl util ? how ?  any other test that for
 example generates RSA key on my smart card ?
 I was able to compile openssl 0.97 with your patch but I am not sure what
 should I do next (I compiled both on Linux and on Windows using cygwin)
 If I am able to use openssl over my hardware PKCS#11 token I intend to write
 a FAQ on how to achieve that (if that was not written already somewhere )

 Thanks
 Gilad Finkelstein



Attachment: CA-pkcs11.sh


Re: [openssl.org #432] pkcs#11 engine for openssl 0.9.7 0.9.6

2003-01-20 Thread afchine madjlessi
Hello Richard,


 Richard Levitte via RT wrote:

 It's unfortunate that cryptoki.h is GPLd, or I would put it in our
 contribution area.

 GPL is not compatible with the OpenSSL license.  Is it possible to get a
 different cryptoki.h?

I got the original cryptoki.h which is not GPLd from RSA and is a sample for
Windows environment. I have added necessary changes for Unix-like platforms.

 Also, is conf.h really necessary?

You're absolutely right, conf.h is not necessary. I take it off.

 I'm willing to do the transformation needed for this bundle to work
 properly within OpenSSL.

So, you can find attached to this mail updates taking into account your
advice.

Cheers,
Afchine Madjlessi

__
[EMAIL PROTECTED]
Bull TrustWay R&D, France
http://www.servers.bull.com/trustway




Attachment: trustway-pkcs11-openssl-engine-0.9.6h.patch.gz
Attachment: trustway-pkcs11-openssl-0.9.7.patch.gz


[PATCH] pkcs#11 engine for openssl 0.9.7 0.9.6h

2003-01-14 Thread afchine madjlessi
Hello Richard,


 Richard Levitte via RT wrote:

 It's unfortunate that cryptoki.h is GPLd, or I would put it in our
 contribution area.

 GPL is not compatible with the OpenSSL license.  Is it possible to get a
 different cryptoki.h?

I got the original cryptoki.h which is not GPLd from RSA and is a sample for
Windows environment. I have added necessary changes for Unix-like platforms.

 Also, is conf.h really necessary?

You're absolutely right, conf.h is not necessary. I take it off.

 I'm willing to do the transformation needed for this bundle to work
 properly within OpenSSL.

So, you can find attached to this mail updates taking into account your
advice.

Cheers,
Afchine Madjlessi

__
[EMAIL PROTECTED]
Bull TrustWay R&D, France
http://www.servers.bull.com/trustway




Attachment: trustway-pkcs11-openssl-0.9.7.patch.gz
Attachment: trustway-pkcs11-openssl-engine-0.9.6h.patch.gz


[PATCH] pkcs#11 engine patch for openssl-0.9.7

2003-01-06 Thread afchine madjlessi
This patch implements a generic pkcs#11 engine in openssl-0.9.7.

Applying this patch to openssl-0.9.7 allows applications to use
the security functions provided by a cryptographic card supporting
the PKCS#11 interface.

This release permits use of the key storage in secure memory and
acceleration of RSA and random functions by the crypto hardware.
(TODO: acceleration of DSA, DH & EVP functions by the hardware)

The present architecture of openssl does not allow creating
the RSA keys using an engine. The hypothesis adopted is that the
RSA keys are introduced in the cryptographic card independently
of openssl.
By applying the attached patch, this operation can be realized
using the PKCS#11 standard function: C_GenerateKeyPair.
To be able to use the OpenSSL commands allowing to generate and
handle the RSA keys, the PKCS#11 engine introduces an additional
function: rsa_generate_key.

The PKCS#11 openssl engine identifier is: pkcs11.

This patch has been tested in linux & windows environment using the
Bull Trustway cryptographic hardware. I have used openssl,
apache-mod-ssl & openca applications to test and validate this patch.

[EMAIL PROTECTED]
Bull TrustWay R&D
France


Attachment: trustway-pkcs11-openssl-0.9.7.patch.gz


Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread afchine madjlessi
I have tested the PKCS#11 engine on Linux (linux-elf).
It will be very nice to submit your changes and corrections for other
environments to RT/openssl or if you prefer send them directly to me to
update the pkcs#11 engine patch.

Thanks,
Afchine
- Original Message -
From:  via RT [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, December 16, 2002 9:47 AM
Subject: [openssl.org #11] Fw: trustway pkcs11 engine for openssl



 It's so nice that someone provided pkcs11 engine patch.
 Thanks a lot, Afchine Madjlessi...

 However I have one problem while compiling openssl 0.9.7 beta5 with this
 patch on Windows 2000. I just followed the instructions described
 in intall.w32 from openssl 0.9.7 beta5:

 1. perl Configure VC-WIN32 => OK

 2. ms\do_ms => WARNING

 D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 16 libeay 1>ms\libeay16.def
 Warning: ENGINE_load_pkcs11 does not have a number assigned

 D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 32 libeay 1>ms\libeay32.def
 Warning: ENGINE_load_pkcs11 does not have a number assigned

 3. nmake -f ms\ntdll.mak => ERROR

 NMAKE : fatal error U1073: don't know how to make '.\crypto\engine\hw_pkcs11.c'
 Stop.

 Then I move all the source codes from \crypto\engine\pkcs11 to
 \crypto\engine\, and execute nmake -f ms\ntdll.mak again. But it still
 didn't work.

 cl /Fotmp32dll\hw_pkcs11.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\engine\hw_pkcs11.c
 hw_pkcs11.c
 .\crypto\engine\hw_pkcs11.c(13) : fatal error C1083: Cannot open include file: 'unistd.h': No such file or directory
 NMAKE : fatal error U1077: 'cl' : return code '0x2'
 Stop.

 Could anyone fix this problem? Thanks very much...

 [guest - Fri Dec 13 15:23:00 2002]:

  Here you have the patch for pkcs11 engine for openssl 0.9.7 beta5
  This engine has been tested with apache 1.3.27 mod_ssl 2.8.12 and the
  CC2000 Bull TrustWay hardware. If needed, I can provide also the patch
  to use with mod_ssl and some tools to create and sign certificate
  requests.
  In this new release of the pkcs#11 engine, I have added just the
  rsa_generate_key in the RSA_METHOD. This call permits to generate and
  put the private key in the crypto hardware. load_private_key and
  load_public_key engine calls are also added to this engine.
  All the PKCS#11 function calls are done through C_GetFunctionList. So
  the engine could be used with different pkcs#11 and token libraries.
  There is also a possibility to use a remote crypto box.

  Afchine Madjlessi
  __
  [EMAIL PROTECTED]
  Bull TrustWay R&D
  http://www.servers.bull.com/trustway









Re: OpenSSL PKCS#11 ENGINE

2002-10-14 Thread afchine madjlessi

Hi Fred,

  Frederic DONNAT [EMAIL PROTECTED] wrote:
  Hi,
  First of all, thanks for your answer.;)
  A few question about your PKCS#11 ENGINE.
  When you say that the stored private key can be load:
 - do you mean that one can get it from the store?
 - or do you mean that one can use it through ENGINE method without having real
 access to the private key?

Our PKCS#11 engine uses the right way and secure way (that means the second one),
using the PKCS#11 api through the ENGINE method to access keys.

 I think the right way of using PKCS#11 is the second one (even if PKCS#11
 allows to store, generate, ... private key and get their attributes ...)

So, you're right, that's the good way!

 So, is your ENGINE able to insert a private key into the store and redirect
 all computation using this private key directly on the store providing full security for
 this private key? (without loading it from the store and retransmitting it to the store
 in the correct function, in a few words as PKCS#11 standard specify it!)

That's the case of our PKCS#11 engine.
Our engine allows openssl applications and apache-mod_ssl servers, for instance, to use through a
PKCS#11 interface the security functions provided by a cryptographic card.
RSA keys are inserted using the PKCS#11 C_GenerateKeyPair standard function.
To be able to use the openssl commands allowing to generate and handle RSA
keys, the PKCS#11 engine introduces 4 additional entries in the RSA method:
rsa_generate_key, i2d_RSAPrivateKey, d2i_RSAPrivateKey & d2i_RSAPublicKey.
Other RSA methods (rsa_pub_enc, rsa_pub_dec, rsa_priv_enc, rsa_pub_enc,
rsa_sign, rsa, rsa_verify) are available.
Temporary RSA keys are also created through the application (mod_ssl, for instance) by
calling the PKCS#11 engine.

 Is your ENGINE able to redirect this computation on a smartcard using a PKCS#11
 interface for example?
 Regards
 Fred

This PKCS#11 engine is tested on the Bull Trustway CC2000 PKCS#11 crypto card,
taking advantage of key storage in secure memory and acceleration of RSA and random
functions on multiple OS (Linux, W2K, NT). It also provides the ability to use remote calls
through RPC to use a Crypto Box with a PKCS#11 trustway crypto card inside.

Cheers
Afchine

[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway







OpenSSL PKCS#11 ENGINE

2002-10-11 Thread afchine madjlessi

Hi,
Our PKCS#11 generic engine delivered to openssl already provides RSA_generate_key and
is able to store the private key in the hardware crypto. It also provides i2d & d2i RSA
functions to load the stored private keys from the crypto card.
These methods are added in RSA_method. This patch is non-intrusive for other engines
and non-engine calls.
You can find the patch at RT/openssl.org Ticket #11. The last patch is available for
openssl-engine.0.9.6g.

Best regards
Afchine
__
[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway




- Original Message - 
From: Frederic DONNAT [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 11, 2002 3:02 PM
Subject: RE: OpenSSL ENGINE, OpenCA & MUSCLE


Hi Richard,


I have a question about the PKCS#11 ENGINE, etc ...

As far as I can see some method like RSA_generate_key() are not available in
RSA_Method structure, but RSA key generation can be provided by hardware even if key
is not stored on it (for example).

On the other hand, according to PKCS#11 standard if you generate a key pair using a
PKCS#11 module you should keep the private one secret (no reading or export available
from PKCS#11 module).

So I think that some method like RSA_generate_key() should be accessible from
RSA_Method.

Is there an update planned for this?

Regards

Fred






Re: PKCS#11 engines revisited

2002-09-09 Thread afchine madjlessi

I've made some improvements in the Bull trustway pkcs#11 engine to be more generic.
In this release, PKCS#11 functions are called through the function list rather than
specific calls directly to PKCS#11 functions. So it is possible to point it to any
PKCS#11 shared library renamed libpkcs11.so on Linux.
A new flag, RSA_FLAG_GEN_KEY, is added to RSA_method to allow the use of the
additional entries (rsa_generate_key, i2d/d2i_RSAPrivate/PublicKey) for crypto cards
which can generate and store keys.
The PKCS#11 engine is added in crypto/engine/pkcs11. In the crypto code, rsagen &
d2i/i2dRSAPublic/PrivateKey functions can be redirected to the PKCS11 engine when
RSA_FLAG_GEN_KEY is defined by the engine.
This PKCS#11 engine identifier is pkcs11 rather than trustway as in the last release.
I've tested this engine with apache-mod_ssl & cc2000 Bull crypto card on Linux. It
has been tested also on Win32.
Cheers,
Afchine Madjlessi
__
[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway
 





Re: Update: Bull TrustWay PKCS#11 engine

2002-07-11 Thread afchine madjlessi

Steven A. Bade wrote:
 The 64$ question from my mind is are you working on a 0.9.7 engine for
 PKCS#11... That's the one of particular interest to me in the long run.

of course.

afchine
__
[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway







Update: Bull TrustWay PKCS#11 engine

2002-07-02 Thread afchine madjlessi

You can find here the latest updates for the Trustway PKCS#11 engine.

ChangeLog:
- patch update for openssl-engine-0.9.6d
- patch update for mod_ssl-2.2.10-1.3.26

Work on a generic, non-intrusive version of the pkcs11 engine implementation for
openssl is in progress.
I will submit it as soon as possible.

Cheers,
Afchine
__
[EMAIL PROTECTED]
Bull Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway




mod_ssl-2.8.10-1.3.26-tw.patch
Description: Binary data

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-06-10 Thread afchine madjlessi

> Richard Levitte via RT [EMAIL PROTECTED] wrote:
>> 2. Those extra functions in the RSA method, are they really needed?
>> I understand that they provide a lot of automagic things, but then
>> it should be added in the ENGINE framework as something that would
>> be potentially available for any hardware (that supports that extra
>> functionality).  Also, when it comes to loading keys, the current
>> modus operandi is to explicitly use the ENGINE key loading
>> functions rather than having some implicit functionality going on.
>> The reason is that we'd prefer not to surprise the users too much.
>
> Afchine Madjlessi [EMAIL PROTECTED] wrote:
> The Bull Trustway CC2000 isn't only a cryptographic accelerator card,
> it is a high-level security hardware providing key generation and storage
> in secure memory. That's why we can't use ENGINE key loading functions.
> Yes, those extra functions are really needed when using this kind of
> hardware.

You can find below a sample to generate and store key pair when using
openssl-engine over trustway PKCS#11 card.
#
# create certificate request, sign it - server certificate
# (an RSA key pair is generated)
#

# 1. making a CA certificate
# CA-trustway.sh -newca
#
openssl req -engine trustway -config ../openssl.cnf \
    -new -x509 -keyout ./demoCA/private/cakey.pem \
    -out ./demoCA/cacert.pem -days 365

#
# 2. create a certificate request
# CA-trustway.sh -newreq
#
openssl req -engine trustway -config ../openssl.cnf -new \
    -keyout newkey.pem -out newreq.pem -nodes -days 365

#
# 3. sign the certificate request
# CA-trustway.sh -signreq
#
openssl ca -engine trustway -config ../openssl.cnf \
    -policy policy_anything -out newcert.pem -infiles newreq.pem


afchine
__
[EMAIL PROTECTED]
Bull Technologies - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway










Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-31 Thread afchine madjlessi


Steven Bade [EMAIL PROTECTED] wrote:

> We generate all keys within our tokens. Some tokens such as the
> 4758 keep all the token objects within the secure boundary, and rely on
> the proper PKCS#11 attributes to control selection; keys generated stay
> within the FIPS4 boundary.  Others which are accelerators still use the
> PKCS#11 key generation calls (or object creation functions, which could
> be done with the 4758 as well, but then these objects really can't be
> marked as NEVER_EXTRACTABLE because their origin is not really known or
> can be trusted).
>
> I don't remember exactly what the Trustway patch added, but it would be
> nice to allow for engine specific key generation to be used through the
> normal key generation paths, as well as allow for normal calls to be
> used to instantiate the CERT within the PKCS#11 token.

The trustway patch added is for openssl-engine, so when you're using openssl
with the -engine trustway argument, key generation is done through our PKCS#11
engine; otherwise the normal key generation path is always available and
can be used without problem.
__
[EMAIL PROTECTED]
Bull Technologies - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway






Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-31 Thread afchine madjlessi



Zoran,
could you please send me the source code of the Eracom
PKCS11 engine for openssl?
regards
__
[EMAIL PROTECTED]
Bull Technologies - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway


- Original Message -
From: Zoran Radenkovic

With the Eracom PKCS11 engine we tried to work within the boundaries defined
by the engine API, with minimal impact on the openssl core code base. As well,
we wanted to have "key handling" transparent to applications built on openssl
(no need to change source and rebuild the application).

The problem of key generation is not as simple as generating a key in an HSM.
What if you already have a key approved by a CA and want to put it in the HSM?
What if you have the key on multiple smart cards in a multi-custodian
key-management environment …, or you want to generate a key but want to have
key component back-ups on smart cards, protected by different PINs. This is
the reason (for the time being – while openssl comes up with its own model)
we decoupled "HSM key" generation from "openssl key" generation. Our user has
a key generation utility which covers all aspects mentioned above, and openssl
utilities are used "to tell" that the corresponding keys are stored on the HSM.

Cheers, Zoran


Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread afchine madjlessi

Richard Levitte via RT [EMAIL PROTECTED] writes:

> I've just started looking at this, and I've got a couple of
> questions:
>
> 1. could this engine be considered a general PKCS#11 engine, or are
> there specific ties to Trustway.  I'd prefer to see a general
> PKCS#11 engine.

This engine is a general PKCS#11 engine. I tested it first with the
PKCS#11 library developed by Lutz Behnke (libgpkcs11.so) and
its software token (libceay_tok.so). It is possible to make a general
PKCS#11 engine and just put specific ties, if any, for multiple kinds of hardware.
In the Trustway case, the only specific tie is the name of the PKCS#11 library
to load and some controls added when loading it.
Our code depends on gpkcs11 include files (cryptoki.h, pkcs11.h, ...);
it is possible to add them to our patch.

> 2. Those extra functions in the RSA method, are they really needed?
> I understand that they provide a lot of automagic things, but then
> it should be added in the ENGINE framework as something that would
> be potentially available for any hardware (that supports that extra
> functionality).  Also, when it comes to loading keys, the current
> modus operandi is to explicitly use the ENGINE key loading
> functions rather than having some implicit functionality going on.
> The reason is that we'd prefer not to surprise the users too much.

The Bull Trustway CC2000 isn't only a cryptographic accelerator card,
it is a high-level security hardware providing key generation and storage
in secure memory. That's why we can't use ENGINE key loading functions.
Yes, those extra functions are really needed when using this kind of
hardware.

afchine







Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread afchine madjlessi

Steven Bade [EMAIL PROTECTED] writes:

> I'm not sure about the second question, but we found that the eracom
> engine submission was much more generic.   When one of my co-workers
> tried to get our PKCS#11 libraries (openCryptoki) used by the Trustway
> module there were many issues, as well as specific calls directly to
> PKCS#11 functions rather than through the function list.   If I remember
> correctly the Eracom submission from last year was much more generic and
> we had to do nothing except point it to our shared library...  No
> requirements for GPKCS11 headers, no direct function calls...

I think that in the case of the Eracom card, keys are generated externally.
The Trustway card generates and stores keys; that's the reason for the changes
in the RSA methods.
If needed, I can add the include files in the patch, so it doesn't require
getting the gpkcs11 headers.

afchine




Update: Bull TrustWay PKCS#11 engine

2002-05-17 Thread afchine madjlessi

You can find here the latest updates for the Trustway PKCS#11 engine.

ChangeLog:
- added PKCS#11 free session callback function
- added generate RSA temp keys callback function
- logging of PKCS#11 error codes

These patches apply to openssl-engine-0.9.6c and mod_ssl-2.2.8-1.3.24.

Afchine
__
[EMAIL PROTECTED]
Bull Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway






mod_ssl-2.8.8-1.3.24-tw.patch
Description: Binary data


openssl-engine-0.9.6c-tw.patch
Description: Binary data


pkcs11 engine for openssl

2002-04-23 Thread afchine madjlessi



Based on openssl-engine-0.9.6c, we have developed a new engine which
allows openssl applications and Apache-mod_ssl servers to use, through a
PKCS#11 interface, the security functions provided by the Bull trustway cc2000
cryptographic card, taking advantage of key storage in secure memory and
acceleration of RSA and random functions.

RSA keys are introduced using the PKCS#11 C_GenerateKeyPair standard function.
To be able to use the openssl commands allowing to generate and handle RSA
keys, the trustway engine introduces 4 additional entries in the RSA method:
- rsa_generate_key
- i2d_RSAPrivateKey
- d2i_RSAPrivateKey
- d2i_RSAPublicKey
Other RSA methods (rsa_pub_enc, rsa_pub_dec, rsa_priv_enc, rsa_pub_enc, rsa_sign, rsa,
rsa_verify) are available.

The Trustway (PKCS#11) engine identifier is "trustway".

The server certificate must be created using the trustway engine, in order
to generate the corresponding RSA key pair directly in the crypto card. These
keys are CKA_TOKEN (permanent). A modified version of openssl CA.sh,
"CA-trustway.sh", does that.

Temporary RSA keys are created through the application (i.e. mod_ssl) by
calling the trustway engine. Obviously, these keys are CKA_SESSION (temporary).
As they are session objects, they are destroyed when the PKCS#11 session is
closed when the process terminates.

The functions which initialize and terminate the engine library take charge
of loading and unloading the PKCS#11 shared library. Ours is based on
"gpkcs11". The PKCS#11 C_Initialize function is called just once. For a given
process, each RSA cryptographic operation carried out by the engine uses the
same PKCS#11 session.

Two patch files, openssl-engine-0.9.6c-tw.patch and mod_ssl-2.8.8-1.3.24-tw.patch,
are provided to be applied to openssl-engine and mod_ssl. The new engine code
is in the file "hw_trustway.c". Some installation and configuration procedures
are also provided in our release.

This development is tested on a Linux machine with a cc2000 crypto accelerator
which increases raw server throughput to 400 requests per second.

Afchine
__
[EMAIL PROTECTED]
Bull Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway


mod_ssl-2.8.8-1.3.24-tw.patch
Description: Binary data


openssl-engine-0.9.6c-tw.patch
Description: Binary data
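The announcement above distinguishes the permanent server key pair (CKA_TOKEN objects created through C_GenerateKeyPair) from the temporary RSA keys that live only as session objects. The point a reviewer of such an engine wants to check is the attribute template handed to C_GenerateKeyPair, because "stored in secure memory" only holds if the private half is marked CKA_SENSITIVE and non-CKA_EXTRACTABLE; otherwise any caller with the session can read or wrap it back out. The following is an added example, not code from the Trustway engine or from hw_trustway.c: it builds both template variants and runs a policy check over the private-key template before it would be passed to the token. The handful of PKCS#11 v2.x type and constant definitions are reproduced from the standard header (a real engine includes the vendor's pkcs11.h); the key_template helper, its functions and the 2048-bit sample are this example's own.

```c
/* Added example: C_GenerateKeyPair attribute templates for a permanent
 * (CKA_TOKEN) server key pair versus a temporary session key pair, plus a
 * policy check that the private key can never be read back out of the token.
 * Only the PKCS#11 v2.x definitions used here are reproduced; a real engine
 * includes the vendor's pkcs11.h instead of these lines. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_KEY_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_CLASS           0x000UL
#define CKA_TOKEN           0x001UL
#define CKA_PRIVATE         0x002UL
#define CKA_KEY_TYPE        0x100UL
#define CKA_SENSITIVE       0x103UL
#define CKA_ENCRYPT         0x104UL
#define CKA_DECRYPT         0x105UL
#define CKA_SIGN            0x108UL
#define CKA_VERIFY          0x10AUL
#define CKA_MODULUS_BITS    0x121UL
#define CKA_PUBLIC_EXPONENT 0x122UL
#define CKA_EXTRACTABLE     0x162UL
#define CKO_PUBLIC_KEY      2UL
#define CKO_PRIVATE_KEY     3UL
#define CKK_RSA             0UL

#define MAX_ATTRS 10

/* key_template (this example's helper, not a PKCS#11 type) owns the value
 * storage that the CK_ATTRIBUTE entries point into. Do not copy it by value:
 * the pValue pointers would keep pointing at the original. */
typedef struct {
    CK_ATTRIBUTE    attrs[MAX_ATTRS];
    CK_ULONG        count;
    CK_OBJECT_CLASS cls;
    CK_KEY_TYPE     ktype;
    CK_ULONG        modulus_bits;
    CK_BBOOL        flags[MAX_ATTRS];   /* one slot per boolean attribute */
    unsigned char   exponent[3];        /* 65537, big-endian */
} key_template;

static void add_attr(key_template *t, CK_ATTRIBUTE_TYPE type, void *val, CK_ULONG len)
{
    if (t->count >= MAX_ATTRS) return;
    t->attrs[t->count].type = type;
    t->attrs[t->count].pValue = val;
    t->attrs[t->count].ulValueLen = len;
    t->count++;
}

static void add_bool(key_template *t, CK_ATTRIBUTE_TYPE type, CK_BBOOL v)
{
    if (t->count >= MAX_ATTRS) return;
    t->flags[t->count] = v;
    add_attr(t, type, &t->flags[t->count], sizeof(CK_BBOOL));
}

/* permanent != 0: CKA_TOKEN key pair (server certificate key, survives the
 * session); permanent == 0: session objects (temporary RSA key, destroyed when
 * the session is closed). Both templates are ready for
 * C_GenerateKeyPair(hSession, &mech, pub->attrs, pub->count,
 *                   priv->attrs, priv->count, &hPub, &hPriv)
 * with mech.mechanism == CKM_RSA_PKCS_KEY_PAIR_GEN. */
void build_rsa_templates(int permanent, CK_ULONG bits, key_template *pub, key_template *priv)
{
    static const unsigned char e65537[3] = { 0x01, 0x00, 0x01 };
    CK_BBOOL on_token = permanent ? CK_TRUE : CK_FALSE;

    memset(pub, 0, sizeof *pub);
    pub->cls = CKO_PUBLIC_KEY; pub->ktype = CKK_RSA; pub->modulus_bits = bits;
    memcpy(pub->exponent, e65537, sizeof e65537);
    add_attr(pub, CKA_CLASS, &pub->cls, sizeof pub->cls);
    add_attr(pub, CKA_KEY_TYPE, &pub->ktype, sizeof pub->ktype);
    add_bool(pub, CKA_TOKEN, on_token);
    add_bool(pub, CKA_VERIFY, CK_TRUE);
    add_bool(pub, CKA_ENCRYPT, CK_TRUE);
    add_attr(pub, CKA_MODULUS_BITS, &pub->modulus_bits, sizeof pub->modulus_bits);
    add_attr(pub, CKA_PUBLIC_EXPONENT, pub->exponent, sizeof pub->exponent);

    memset(priv, 0, sizeof *priv);
    priv->cls = CKO_PRIVATE_KEY; priv->ktype = CKK_RSA;
    add_attr(priv, CKA_CLASS, &priv->cls, sizeof priv->cls);
    add_attr(priv, CKA_KEY_TYPE, &priv->ktype, sizeof priv->ktype);
    add_bool(priv, CKA_TOKEN, on_token);
    add_bool(priv, CKA_PRIVATE, CK_TRUE);      /* usable only after C_Login */
    add_bool(priv, CKA_SENSITIVE, CK_TRUE);    /* value never returned by C_GetAttributeValue */
    add_bool(priv, CKA_EXTRACTABLE, CK_FALSE); /* cannot be wrapped out with C_WrapKey either */
    add_bool(priv, CKA_SIGN, CK_TRUE);
    add_bool(priv, CKA_DECRYPT, CK_TRUE);
}

/* Returns 1 and stores the value when the template carries the boolean attribute. */
int template_get_bool(const key_template *t, CK_ATTRIBUTE_TYPE type, CK_BBOOL *out)
{
    for (CK_ULONG i = 0; i < t->count; i++)
        if (t->attrs[i].type == type && t->attrs[i].ulValueLen == sizeof(CK_BBOOL)) {
            *out = *(const CK_BBOOL *)t->attrs[i].pValue;
            return 1;
        }
    return 0;
}

/* Overwrites one boolean attribute in place; returns 0 if it is absent. */
int template_set_bool(key_template *t, CK_ATTRIBUTE_TYPE type, CK_BBOOL v)
{
    for (CK_ULONG i = 0; i < t->count; i++)
        if (t->attrs[i].type == type && t->attrs[i].ulValueLen == sizeof(CK_BBOOL)) {
            *(CK_BBOOL *)t->attrs[i].pValue = v;
            return 1;
        }
    return 0;
}

/* Policy gate to run before C_GenerateKeyPair: the private key must be
 * login-protected, sensitive and non-extractable, or "key storage in secure
 * memory" is not actually enforced by the token. */
int private_template_is_safe(const key_template *t)
{
    CK_BBOOL sensitive = CK_FALSE, extractable = CK_TRUE, priv = CK_FALSE;
    if (!template_get_bool(t, CKA_SENSITIVE, &sensitive) || sensitive != CK_TRUE) return 0;
    if (!template_get_bool(t, CKA_EXTRACTABLE, &extractable) || extractable != CK_FALSE) return 0;
    if (!template_get_bool(t, CKA_PRIVATE, &priv) || priv != CK_TRUE) return 0;
    return 1;
}

int main(void)
{
    key_template pub, priv;               /* sample: a 2048-bit permanent server key (constructed) */
    build_rsa_templates(1, 2048, &pub, &priv);
    printf("permanent private-key template passes policy: %d\n", private_template_is_safe(&priv));
    template_set_bool(&priv, CKA_EXTRACTABLE, CK_TRUE);   /* weaken it deliberately */
    printf("after allowing extraction: %d\n", private_template_is_safe(&priv));
    return 0;
}
```

The session variant (permanent == 0) keeps the same CKA_SENSITIVE/CKA_EXTRACTABLE settings; only CKA_TOKEN changes, which is exactly the difference the announcement draws between the certificate key and the temporary RSA keys.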


GenerateKey in engine RSA method

2002-01-11 Thread afchine madjlessi

Hello everybody,
We are implementing a new engine (based on openssl 0.9.6c) to use the RSA
PKCS11 interface of our crypto hardware (Bull Trustway CC2000).
We would like to access our C_GenerateKeyPair PKCS11 function through the
openssl RSA_generate_key.
So we are adding a new entry gen_key in the RSA method to call our trustway
engine to do that.
That way the genrsa command will call the hardware to generate the RSA
public/private key pair.
Is this the right way? If yes, do you plan to add this functionality in the
0.9.7 release?
Thanks and Regards
afchine

Bull Trustway R & D
[EMAIL PROTECTED]



