What I want to do is store my SSL server keys on a smart card so that if someone roots the box they can't have them - the worst they could do is continue to use them for nefarious ends, but they'd have to use them in place.
I want to do this on FreeBSD. To that end, I think I have most of the pieces necessary - I have a JCOP 41 72K card, a reader, and have loaded the muscle applet onto the card. One thing that concerns me is this:

    OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
    > -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
    > -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine
         [ available ]
    OpenSSL> rsa -engine pkcs11 -inform engine -in id_45 -text
    engine "pkcs11" set.
    PKCS#11 token PIN:
    Modulus (1024 bit):
        (blah blah blah)
    Exponent: 65537 (0x10001)
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    (blah blah blah)
    -----END RSA PRIVATE KEY-----

WTF? I thought the whole point was that you weren't supposed to be able to get your mitts on the private key! Being able to get the key out makes the whole exercise moot - it's no better than unix filesystem permissions.

I did:

    pkcs15-init -EC --no-so-pin
    pkcs15-init --store-pin --auth-id 01 --label "user"
    pkcs15-init --generate-key rsa/1024 --auth-id 01

and then ran the openssl commands above. What am I doing wrong?

_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
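As an added example (not part of the original post, and not OpenSC or OpenSSL code), here is a stdlib-only Python script for the check a practitioner wants before concluding that a "RSA PRIVATE KEY" PEM written by a tool really contains the private half of the key: it parses the PKCS#1 RSAPrivateKey structure (RFC 8017, A.1.2), checks that d, p and q are non-zero, that p*q equals n, that e*d is 1 mod lcm(p-1, q-1), and that a sign-with-d / verify-with-e round trip using pow() works. Everything in it is constructed inline so it runs offline: the demo primes (M61 and M89, far too small for real use), a complete key built from them, and a second PEM with the same outer structure but every private field zeroed. The function and variable names are the example's own; feed `check_private_material()` the PEM text a tool actually wrote to see which of the two cases you have.

```python
"""Stdlib-only check: does an 'RSA PRIVATE KEY' PEM carry the private half?

Parses the PKCS#1 RSAPrivateKey structure (RFC 8017, A.1.2) and checks the
private fields for consistency.  The demo keys below are constructed inline.
"""
import base64
import math
import re

PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)
FIELDS = ["version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv"]


def _der_length(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*elements):
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(pem):
    """Return the nine RSAPrivateKey INTEGER fields as a dict."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no RSA PRIVATE KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    out, pos = {}, 0
    for name in FIELDS:
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("field %s is not an INTEGER" % name)
        out[name] = int.from_bytes(val, "big", signed=True)
    return out


def check_private_material(pem, probe=0x1234567):
    """Consistency checks on the private fields; 'usable' is the verdict."""
    k = parse_rsa_private_key(pem)
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    present = d > 1 and p > 1 and q > 1
    r = {"private_fields_present": present,
         "n_equals_pq": present and p * q == n,
         "ed_is_inverse": False, "roundtrip_ok": False}
    if present:
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
        r["ed_is_inverse"] = (e * d) % lam == 1
        # sign with d, verify with e: only succeeds if d is the real private exponent
        r["roundtrip_ok"] = pow(pow(probe % n, d, n), e, n) == probe % n
    r["usable"] = all(r.values())
    return r


def _modinv(a, m):
    """Modular inverse of a mod m by extended Euclid."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        qt = r0 // r1
        r0, r1, s0, s1 = r1, r0 - qt * r1, s1, s0 - qt * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def _pem_wrap(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % "\n".join(lines)


def build_rsa_private_key_pem(p, q, e=65537):
    """Constructed, complete PKCS#1 key from two primes (demo sizes only)."""
    n, d = p * q, _modinv(e, (p - 1) * (q - 1))
    return _pem_wrap(der_sequence(
        der_integer(0), der_integer(n), der_integer(e), der_integer(d),
        der_integer(p), der_integer(q), der_integer(d % (p - 1)),
        der_integer(d % (q - 1)), der_integer(_modinv(q, p))))


def build_public_only_pem(n, e):
    """Same structure with every private field zeroed: a PEM that looks like a
    private key but carries nothing beyond the public parameters."""
    return _pem_wrap(der_sequence(
        der_integer(0), der_integer(n), der_integer(e), *[der_integer(0)] * 6))


# Constructed demo primes (Mersenne primes M61 and M89; far too small for real use)
DEMO_P = 2 ** 61 - 1
DEMO_Q = 2 ** 89 - 1

if __name__ == "__main__":
    print("complete key:   ", check_private_material(build_rsa_private_key_pem(DEMO_P, DEMO_Q)))
    print("public-only PEM:", check_private_material(build_public_only_pem(DEMO_P * DEMO_Q, 65537)))
```

The parser deliberately accepts only definite-length DER, which is what OpenSSL emits; the round-trip test is the decisive one, since a PEM whose d, p and q are zero or garbage will fail it even though it parses cleanly and begins with the same header.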