Hello,

Our OCSP Responder is based on Apache's mod_ssl and uses the openssl libraries to perform crypto operations (i.e. signing the Responses). These days I've been trying to implement HSM support with the PKCS11 DLL provided by the crypto device manufacturer (Spain's RealSec). When searching for PKCS11 engine implementations for openssl I found the OpenSC project and their engine_pkcs11 libraries, so I began testing with OpenSSL's command line like this:

* Engine preparation (from the openssl environment):

engine -t dynamic -pre SO_PATH:D:\openssl-0.9.8c\out32dll\engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:D:\openssl-0.9.8c\out32dll\rsecpk11.dll

* OCSP client with signed Request (the same mechanism is used by the OCSP Server when sending a signed Response):

ocsp -host ocsp.camerfirma.com:80 -path http://ocsp.camerfirma.com/ocsp -issuer Camerfirma-RootSinPoderes.pem -serial 0x00C20FA62E42F03643257115AED64383 -nonce -CAfile VA-root.pem -VAfile CACamerfirma-ocspSign.pem -signkey jluna.cve -signer jluna.cer -reqout hsm_ocsp_req.txt -respout hsm_ocsp.txt -req_text -engine pkcs11

* Error message:

Error signing OCSP request
1640:error:80009404:Vendor defined:PKCS11_rsa_encrypt:Not supported:p11_ops.c:107:
1640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:.\crypto\asn1\a_sign.c:276:
error in ocsp

I've also tried with a SmartCard and the opensc-pkcs11.dll module, but the error is still the same. When taking a look at the code and the open tickets at OpenSC I found that this is in fact an open issue, just as stated in my previous email.

Thanks in advance for your help,

____________________
Jesus Luna Garcia
CertiVeR Developer
Barcelona, Spain
[EMAIL PROTECTED]

> -----Original message-----
> From: Nils Larsch [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 10 November 2006 21:59
> To: Jesus Luna
> CC: opensc-devel@lists.opensc-project.org; 'Oscar Manso'
> Subject: Re: [opensc-devel] Using engine_pkcs11 with openssl for OCSP
>
> Jesus Luna wrote:
> > Dear all,
> > I'm trying to add HSM support to our OCSP Responder by integrating
> > engine_pkcs11 with openssl to it, however in our tests we have found
> > that RSA Signature operations are not implemented
>
> Do you mean: signing ocsp responses with openssl (the command line tool ?) doesn't work with our pkcs11 engine ?
>
> Cheers,
> Nils
>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
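As an added example, not part of the thread and not OpenSC or OpenSSL code, the following script parses the error-queue lines that the openssl command-line tool printed in the message above and unpacks each 32-bit error code into its library, function and reason numbers. It assumes the ERR_PACK layout used by OpenSSL 0.9.8 through 1.1 (library in the top 8 bits, function in the next 12, reason in the low 12) and that library numbers from 128 (ERR_LIB_USER) upwards are handed out dynamically to engines by ERR_get_next_error_library; the two sample lines embedded in the block are copied from the message, and the short name tables are the author's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Error-queue line as printed by the 0.9.8-era openssl command-line tools:
#   <pid>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)

# ERR_LIB_USER (128) is where dynamically registered libraries (engines) start;
# engine_pkcs11's strings are registered under such a number at load time.
ERR_LIB_USER = 128

# Small, hand-written lookup tables for numbers that appear in the sample queue.
KNOWN_LIBS = {13: "ERR_LIB_ASN1", 128: "ERR_LIB_USER (first dynamically assigned id)"}
KNOWN_REASONS = {6: "ERR_R_EVP_LIB (wrapped error from the EVP layer)"}


@dataclass
class OpenSSLError:
    pid: int
    code: int
    lib_num: int
    func_num: int
    reason_num: int
    lib: str
    func: str
    reason: str
    file: str
    line: int

    @property
    def from_engine(self) -> bool:
        # Library ids >= ERR_LIB_USER are not built into libcrypto; they belong
        # to an engine or other dynamically registered component.
        return self.lib_num >= ERR_LIB_USER


def unpack_code(code: int):
    """Split ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_error_line(text: str) -> Optional[OpenSSLError]:
    """Return a parsed record, or None for lines that are not error-queue entries."""
    m = ERR_LINE.match(text.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    lib_num, func_num, reason_num = unpack_code(code)
    return OpenSSLError(
        pid=int(m.group("pid")), code=code,
        lib_num=lib_num, func_num=func_num, reason_num=reason_num,
        lib=m.group("lib"), func=m.group("func"), reason=m.group("reason"),
        file=m.group("file"), line=int(m.group("line")),
    )


def parse_error_queue(text: str) -> List[OpenSSLError]:
    """Parse every error-queue line in a block of tool output, skipping the rest."""
    parsed = (parse_error_line(line) for line in text.splitlines())
    return [e for e in parsed if e is not None]


def root_cause(errors: List[OpenSSLError]) -> Optional[OpenSSLError]:
    """ERR_print_errors prints oldest first, so the first entry is the innermost failure."""
    return errors[0] if errors else None


def describe(e: OpenSSLError) -> str:
    lib_name = KNOWN_LIBS.get(e.lib_num, "lib %d" % e.lib_num)
    reason_name = KNOWN_REASONS.get(e.reason_num, "reason %d" % e.reason_num)
    origin = "engine/dynamic" if e.from_engine else "libcrypto"
    return "%s [%s, func %d, %s] %s: %s (%s:%d)" % (
        e.lib, lib_name, e.func_num, reason_name, e.func, e.reason, e.file, e.line)


# Sample output copied from the message above (constructed test input for this script).
SAMPLE_OUTPUT = """Error signing OCSP request
1640:error:80009404:Vendor defined:PKCS11_rsa_encrypt:Not supported:p11_ops.c:107:
1640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:.\\crypto\\asn1\\a_sign.c:276:
error in ocsp
"""

if __name__ == "__main__":
    queue = parse_error_queue(SAMPLE_OUTPUT)
    for entry in queue:
        print(describe(entry))
    first = root_cause(queue)
    if first is not None:
        print("root cause raised in", first.func, "by an engine" if first.from_engine else "by libcrypto")
```

Reading the queue this way makes the layering visible: the innermost entry comes from a dynamically registered library (the engine's own "Vendor defined" strings) and names the unimplemented operation, while the ASN1 entry with reason ERR_R_EVP_LIB is only libcrypto wrapping that failure on its way back up from ASN1_item_sign.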