> On Fri, 28 Sep 2007, Mark Andrews wrote:
> 
> >     Before reinventing the wheel, by adding support to do this,
> >     I'd like to find out if anyone has code to do so.
> 
>       Mark, I have working code for this; I can update the patch (btw. 
> the last version is from 09/26). We expect that it's not a final version; 
> working with private/public RSA keys works now. I'm now using very simple 
> "pkcs11:LABEL" of filename overloading but it will be changed to a more 
> generic approach discussed in pkcs#11 mailing list.

        Yes, thanks I would like to see that.
 
> >     I'm looking for RSA support initially.
> 
>       that's the one that's relatively easy since that's part of the engine 
> API. Symmetric keys and DSA might be possible, if at all, at the cost of nasty 
> hacks.
> 
> >     From what I can see you would use RSA_set_ex_data()/
> >     RSA_get_ex_data() to store the handle on the RSA key
> >     and set RSA_FLAG_EXT_PKEY to indicate that there is a
> >     private key rather than the presence of RSA->d.
> 
>       you use the object handle anyway, you just fill the RSA structure 
> from what you get from the keystore.

        How do you cope with keys for which you can't retrieve the
        private exponent from the HSM?

        I'm trying to add hardware acceleration to our DNSSEC (RFC
        403[345]) implementation and need to support such keys.
        This is for both validation and signing/re-signing authoritative
        records (the latter needs to support keys that are stored
        in the HSM).  We are using a SCA 6000 card at the moment.

        What you have now works well enough for validation.

        Mark

>       Jan.
> 
> -- 
> Jan Pechanec
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
