On 2010/03/03 17:24, Vladimir Kotal wrote:
> On 03/ 3/10 03:24 AM, Nikolay Elenkov wrote:
>
> <snip>
>
>> I fail to see how key-by-ref addresses this. Key-by-ref just specifies the
>> string you pass to OpenSSL and how to derive the actual slot/label from it.
>> Once the key is loaded it's just a handle and calling C_DestroyObject on it
>> will destroy the key.
>
> Simply by not calling C_Destroy() on persistent objects. See the sources
> of pk11_destroy_object() and how pk11_load_privkey() works with the flag
> in PK11_SESSION structure.
>
I finally see now. I had something similar in mind, and it is already
implemented :). The thing is the BIND version has none of this code
(persistent flag checking). It also doesn't support key-by-ref. If I could
find what is the original Solaris patch it is based on, things would be much
easier. There is an OLD-PKCS11-NOTES file in the BIND distribution, which
says this:

> The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
> released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
> and some improvements, including user friendly PIN management. You may also
> use the original engine code.

In that case it's rather old/forked...

>
> Could you post the reference to the source of this engine? Is it the
> one in the contrib/pkcs11-keygen/openssl-0.9.8g-patch file from sources
> of bind-9.6.2 ? If yes, then it's probably important to realize that the
> previous claims about threading support are only relevant to the latest
> engine version in OpenSolaris/Solaris. The ISC version has the dreaded
> cache poisoning design problem/bug and will corrupt data in thread
> environment.

I am using 9.7.0, so the source is in
bind-9.7.0/bin/pkcs11/openssl-0.9.8l-patch. How do I check if it has the
cache poisoning bug? Multiple threads is a requirement in order to get decent
throughput from the HSM, so if it is not usable, this would be a showstopper.