On Wed, 3 Mar 2010, Nikolay Elenkov wrote:

>>> I fail to see how key-by-ref addresses this. Key-by-ref just specifies the
>>> string you pass to OpenSSL and how to derive the actual slot/label from it.
>>> Once the key is loaded it's just a handle and calling C_DestroyObject on it
>>> will destroy the key.
>>
>> Simply by not calling C_Destroy() on persistent objects. See the sources
>> of pk11_destroy_object() and how pk11_load_privkey() works with the flag
>> in the PK11_SESSION structure.
>>
>
> I finally see now. I had something similar in mind, and it is already implemented
> :). The thing is the BIND version has none of this code (persistent flag
> checking). It also doesn't support key-by-ref. If I could find what the
> original Solaris patch it is based on is, things would be much easier. There is an
> OLD-PKCS11-NOTES file in the BIND distribution, which says this:
>
>> The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
>> released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by
>> reference and some improvements, including user friendly PIN management.
>> You may also use the original engine code.
>
> In that case it's rather old/forked...
I "released" all engine patches through my blog, so if you needed the engine code for 0.9.8i, please check my blog, it's there.

J.

--
Jan Pechanec
http://blogs.sun.com/janp