On 2010/03/03 19:21, Jan Pechanec wrote:
> On Wed, 3 Mar 2010, Nikolay Elenkov wrote:
>
>> I finally see now. I had something similar in mind, and is already
>> implemented :). The thing is the BIND version has none of this code
>> (persistent flag checking). It also doesn't support key-by-ref. If I could
>> find what is the original Solaris patch it is based on, things would be
>> much easier. There is an OLD-PKCS11-NOTES file in the BIND distribution,
>> which says this:
>>
>>> The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
>>> released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by
>>> reference and some improvements, including user friendly PIN management.
>>> You may also use the original engine code.
>>
>> In that case it's rather old/forked...
>
> I "released" all engine patches through my blog so if you needed
> the engine code for 0.9.8i, please check my blog, it's there.
>

Thanks, will do. Just for completeness, here's the answer I got on bind-users:

>> What version of the original OpenSolaris patch is the openssl-0.9.8l-patch
>> in the 9.7.0 tarball based on?
> 2009-03-11.
>
> More specifically, pkcs11_engine-0.9.8j.patch.2009-03-11, applied to 0.9.8k
> as explained in http://blogs.sun.com/janp/entry/pkcs_11_engine_patch_for1.
>
>> What has been changed/added?
> Principally:
>
> 1) ability to access key by reference
> 2) (relatively) user-friendly PIN management
> 3) ported to WIN32
> 4) separate "crypto-accelerator" and "sign-only" engines (see the 9.7.0
>    Administrator's Reference Manual, section 4.11, for details)