On 03/ 1/10 08:15 AM, Nikolay Elenkov wrote:
> Hi,

Hi Nikolay,

> I've been looking at the PKCS#11 engine and evaluating if we can use it with a
> specific HSM. It (mostly) works, but I've some questions about the code. I hope
> this is the right place to ask. I am using openssl-0.9.8l. Here goes.

Sort of, crypto-discuss might be a better place to ask this sort of question.

Are you using the patch or the libraries supplied with OpenSolaris?

Could you be more specific about the HSM?

> Q1: Does the engine support being used from multiple threads? I've been looking

Yes.

> at the C_Initialize calls, and all of them pass NULL_PTR as a parameter. That,
> according to the PKCS#11 spec, means:
>
> "The application ... will not be accessing the library concurrently from
> multiple threads, and so the library need not worry about performing any
> type of locking for the sake of thread-safety."
>
> So I guess we are not supposed to call it from multiple threads, is this
> correct? If we wanted to add multithread support, will supplying the right

No. OpenSSL PKCS#11 engine works with threads just fine.

> parameters to C_Initialize be enough? It does seem to work, but is any
> additional locking required? As far as I can see, there is some locking for the
> engine's internal structures, so it should be OK, but still a confirmation would
> be great.

PKCS#11 engine does not supply its own primitives, that's all.

> Q2: Why does the engine call C_Destroy object on finalization? If I am reading

To prevent memory leaks.

> the code right, it tries to destroy public/private key objects, which is not
> generally a good idea. Those are usually token objects, probably generated from
> another application, so they should be left as is, I think. Am I missing
> something or is there a reason for this? I've traced this call sequence which
> (occasionally?) results in private keys being deleted from our HSM. If I comment
> out the destroy_rsa_key_objects call, keys are not deleted.
>
> pk_11_finish->pk11_free_all_sessions->destroy_rsa_key_objects->
> pk11_destroy_rsa_object_pub|priv

You might want to use the PKCS#11 URI and key-by-reference handling for 
accessing tokens. See http://arc.opensolaris.org/caselog/PSARC/2009/555/ 
for details.

> Q3: Is there a way to completely disable the automatic slot selection? (without

Currently no.

> re-writing the code, of course).  The 'SLOT' command seems like the way to go,

Which command are you referring to?

> but it doesn't quite work. It sets the SLOTID global to the integer specified,
> but that is only used for OP_CIPHER/DIGEST, and I want to use it for all
> operations (OP_RSA/OP_RAND). Another thing is that the SLOTID is not necessarily
> an integer, it might be a handle (it is with the HSM we are testing).

AFAIK CK_SLOT_ID is always an integer type.


v.
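
Added example, not part of the thread and not the engine's own code: one way to guard the cleanup path discussed under Q2 so that only session objects (CKA_TOKEN == CK_FALSE) are ever passed to C_DestroyObject. The typedefs stand in for pkcs11.h so the file compiles alone; p11_calls, destroy_if_session_object and the fake token are hypothetical names and constructed test data.

```c
/* Added example. The typedefs below are stand-ins so this compiles without
 * pkcs11.h; with a real module, include the vendor's pkcs11.h instead. */
typedef unsigned long CK_ULONG, CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK 0UL
#define CKR_OBJECT_HANDLE_INVALID 0x82UL
#define CKA_TOKEN 0x1UL
#define CK_TRUE 1
#define CK_FALSE 0

/* Hypothetical subset of CK_FUNCTION_LIST: only the two calls used here. */
typedef struct {
    CK_RV (*C_GetAttributeValue)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
                                 CK_ATTRIBUTE *, CK_ULONG);
    CK_RV (*C_DestroyObject)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
} p11_calls;

/* Destroy an object only if it is a session object (CKA_TOKEN == CK_FALSE).
 * Returns 1 if destroyed, 0 if left alone. An unreadable attribute or a
 * failed call also leaves the object alone. */
int destroy_if_session_object(const p11_calls *p, CK_SESSION_HANDLE s,
                              CK_OBJECT_HANDLE h)
{
    CK_BBOOL on_token = CK_TRUE;          /* fail safe: assume persistent */
    CK_ATTRIBUTE attr = { CKA_TOKEN, &on_token, sizeof on_token };

    if (p->C_GetAttributeValue(s, h, &attr, 1) != CKR_OK) return 0;
    if (on_token != CK_FALSE) return 0;   /* token key: never delete on cleanup */
    return p->C_DestroyObject(s, h) == CKR_OK;
}

/* Constructed fake token: handle 0 is a session key, handle 1 a token key.
 * fake_get answers every query as if it asked for CKA_TOKEN. */
static struct { CK_BBOOL on_token; int alive; } fake_obj[2] = { {0, 1}, {1, 1} };

static CK_RV fake_get(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h,
                      CK_ATTRIBUTE *a, CK_ULONG n)
{
    (void)s; (void)n;
    if (h > 1 || !fake_obj[h].alive) return CKR_OBJECT_HANDLE_INVALID;
    *(CK_BBOOL *)a->pValue = fake_obj[h].on_token;
    return CKR_OK;
}
static CK_RV fake_destroy(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h)
{
    (void)s;
    if (h > 1 || !fake_obj[h].alive) return CKR_OBJECT_HANDLE_INVALID;
    fake_obj[h].alive = 0;
    return CKR_OK;
}
const p11_calls FAKE_P11 = { fake_get, fake_destroy };
int fake_alive(CK_OBJECT_HANDLE h) { return fake_obj[h].alive; }
```

Against a real module, the two function pointers would be filled from the CK_FUNCTION_LIST returned by C_GetFunctionList.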
