Hi,

I have written this patch to be used with a hardware crypto PKCS#11 accelerator which can store keys. It is used in my company in the TrustWay SSL accelerator and the TrustWay Apache-SSL accelerator with the Bull PCI CC2000 HSM.

Our HSM doesn't require C_Login. I believe that a call to C_Login is mandatory on a smartcard. In this case you must add it in the code. Gilad Finkelstein is working on it and I think that he will submit some changes for smartcard use.

About the handling of keys: I have added a new entry (RSA_generate_key) in the RSA_METHOD to enable key generation in OpenSSL. In the standard method (0.9.6-engine and 0.9.7) we are able to load keys (load_public_key and load_private_key), but it is assumed that the key is generated and stored outside OpenSSL. In the Bull TrustWay patch, rsa_generate_key calls PKCS#11 C_GenerateKeyPair to generate a key pair in the HSM. While the private key stays stored in the HSM, the public key is stored in a PEM file on the disk. In standard mode you have the private key in this file. The modulus and exponent of the public key stored in the PEM file make it possible to find the private key.

I attach the shell script used to generate CA and server certificates, and also the patch to apply to mod_ssl if you want to use apache-mod_ssl with the openssl-pkcs#11 libcrypto.

Regards
Afchine
______________________________________
[EMAIL PROTECTED]
Bull TrustWay R&D
http://www.trustway.bull.com
----- Original Message -----
From: "Reinhard Moosauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 26, 2003 8:48 AM
Subject: HOWTO for pkcs11 patch?

> Hello List,
>
> trustway's pkcs11-patch came with basically no info about its usage.
> Especially the handling of stored keys on the smartcard is obscure.
> (openssl normally can only deal with files)
>
> req -newkey .. seems to work, but the key is not written to the card
>
> Please, please can anybody give some examples?
>
> TIA
>
> kind regards,
>
> Reinhard
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
CA-pkcs11.sh
Description: Binary data
tw-mod_ssl-2.8.14-1.3.27.patch
Description: Binary data
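Added illustration of the key-handling split Afchine describes (not the TrustWay patch's code, not OpenSSL's, and not the attached CA-pkcs11.sh): the generate-key hook calls C_GenerateKeyPair with templates that keep the private half on the token as sensitive and non-extractable, hands back only the public half as a PKCS#1 "RSA PUBLIC KEY" PEM for the disk, and the "private key file" is later resolved to a token handle by matching the PEM's modulus with C_FindObjects. The attribute constants, object classes, mechanism and call names are the real PKCS#11 v2 ones; StandInToken, its demo-grade key generation and the engine_* function names are assumptions made so the example runs offline without an HSM.

```python
# Added illustration, not the TrustWay patch's or OpenSSL's code. StandInToken stands in
# for a PKCS#11 token (an assumption, so this runs offline); the CKA_*/CKO_*/CKM_*
# values and the C_* names are the real PKCS#11 v2 ones.
import base64, math, random

CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_KEY_TYPE, CKA_SENSITIVE, CKA_ENCRYPT, CKA_DECRYPT = 0x100, 0x103, 0x104, 0x105
CKA_SIGN, CKA_VERIFY, CKA_MODULUS, CKA_MODULUS_BITS = 0x108, 0x10A, 0x120, 0x121
CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, CKA_EXTRACTABLE = 0x122, 0x123, 0x162
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKK_RSA, CKM_RSA_PKCS_KEY_PAIR_GEN = 2, 3, 0, 0

def keygen_templates(bits, label):
    # Both halves persist (CKA_TOKEN); the private half is sensitive and non-extractable.
    public = {CKA_CLASS: CKO_PUBLIC_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_TOKEN: True,
              CKA_LABEL: label, CKA_MODULUS_BITS: bits, CKA_ENCRYPT: True,
              CKA_VERIFY: True, CKA_PUBLIC_EXPONENT: b"\x01\x00\x01"}
    private = {CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_TOKEN: True,
               CKA_PRIVATE: True, CKA_LABEL: label, CKA_SENSITIVE: True,
               CKA_EXTRACTABLE: False, CKA_DECRYPT: True, CKA_SIGN: True}
    return public, private

def _rsa_keypair(bits, e, rng):  # demo-grade keygen for the stand-in: Fermat-tested primes
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7)):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits - bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, pow(e, -1, phi)  # (n, d) with n exactly `bits` long

def _der(tag, body):  # DER TLV with short or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_read(buf, pos):  # -> (tag, contents, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def public_key_pem(n, e):  # PKCS#1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    def der_int(i):
        b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
        return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)
    b64 = base64.b64encode(_der(0x30, der_int(n) + der_int(e))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PUBLIC KEY-----", *lines, "-----END RSA PUBLIC KEY-----", ""])

def parse_public_key_pem(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, seq, _ = _der_read(der, 0)
    tag_n, n, pos = _der_read(seq, 0)
    tag_e, e, _ = _der_read(seq, pos)
    if (tag, tag_n, tag_e) != (0x30, 0x02, 0x02):
        raise ValueError("not a PKCS#1 RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

class StandInToken:  # a real HSM keeps d in hardware; this one just never hands it out
    def __init__(self):
        self._objects, self._rng = {}, random.SystemRandom()

    def C_GenerateKeyPair(self, mechanism, pub_template, priv_template):
        assert mechanism == CKM_RSA_PKCS_KEY_PAIR_GEN
        bits, e_bytes = pub_template[CKA_MODULUS_BITS], pub_template[CKA_PUBLIC_EXPONENT]
        n, d = _rsa_keypair(bits, int.from_bytes(e_bytes, "big"), self._rng)
        n_bytes, d_bytes = (x.to_bytes((bits + 7) // 8, "big") for x in (n, d))
        pub_h = len(self._objects) + 1
        self._objects[pub_h] = {**pub_template, CKA_MODULUS: n_bytes}
        self._objects[pub_h + 1] = {**priv_template, CKA_MODULUS: n_bytes,
                                    CKA_PUBLIC_EXPONENT: e_bytes, CKA_PRIVATE_EXPONENT: d_bytes}
        return pub_h, pub_h + 1

    def C_FindObjects(self, template):
        return [h for h, o in self._objects.items() if all(o.get(k) == v for k, v in template.items())]

    def C_GetAttributeValue(self, handle, attr):  # (return code, value), as the C API does
        if self._objects[handle].get(CKA_SENSITIVE) and attr == CKA_PRIVATE_EXPONENT:
            return "CKR_ATTRIBUTE_SENSITIVE", None
        return "CKR_OK", self._objects[handle][attr]

def engine_generate_key(token, bits, label):
    # The generate-key hook: pair made on the token, only the public half comes back as PEM.
    pub_h, _ = token.C_GenerateKeyPair(CKM_RSA_PKCS_KEY_PAIR_GEN, *keygen_templates(bits, label))
    n, e = (int.from_bytes(token.C_GetAttributeValue(pub_h, a)[1], "big")
            for a in (CKA_MODULUS, CKA_PUBLIC_EXPONENT))
    return public_key_pem(n, e)

def engine_find_private_key(token, pem):
    # "Loading the private key" from the PEM: its modulus selects the token handle.
    n, _ = parse_public_key_pem(pem)
    (handle,) = token.C_FindObjects({CKA_CLASS: CKO_PRIVATE_KEY,
                                     CKA_MODULUS: n.to_bytes((n.bit_length() + 7) // 8, "big")})
    return handle  # the unpacking fails unless exactly one object matches
```

Two things carry over to a real token: the private template is what makes the key unreadable afterwards (a token honours CKA_SENSITIVE/CKA_EXTRACTABLE=FALSE by answering CKR_ATTRIBUTE_SENSITIVE, as the stand-in does), and because the private object is created with CKA_PRIVATE=TRUE, a smartcard will demand C_Login on the session before C_GenerateKeyPair and before C_FindObjects can see it, which is the C_Login point raised in the mail.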