On Tue, 2 Oct 2007, Mark Andrews wrote:

>> Mark, I have working code for this, I can update the patch (btw.
>> the last version is from 09/26). We expect that it's not a final version;
>> working with private/public RSA keys works now. I'm now using very simple
>> "pkcs11:LABEL" filename overloading but it will be changed to a more
>> generic approach discussed on the pkcs#11 mailing list.
>
> Yes, thanks, I would like to see that.

OK, I'll do it and send a heads-up here.

>>> From what I can see you would use RSA_set_ex_data()/
>>> RSA_get_ex_data() to store the handle on the RSA key
>>> and set RSA_FLAG_EXT_PKEY to indicate that there is a
>>> private key rather than the presence of RSA->d.
>>
>> you use the object handle anyway, you just fill the RSA structure
>> from what you get from the keystore.
>
> How do you cope with keys for which you can't retrieve the
> private exponent from the HSM?

The idea is that the private key never leaves the card. I find the key by its label, get its attributes and fill the RSA structure according to them. I don't ask for the private exponent at all.

> I'm trying to add hardware acceleration to our DNSSEC (RFC
> 403[345]) implementation and need to support such keys.
> This is for both validation and signing/re-signing authoritative
> records (the latter needs to support keys that are stored
> in the HSM). We are using a SCA 6000 card at the moment.

I think you should be fine with the patch. I hope it will be there till tomorrow.

Jan.

--
Jan Pechanec