On Thu, Nov 16, 2006 at 01:32:43PM +0100, Jesus Luna wrote:

> This HSM in particular (RealSec's CryptoSec at
> http://www.realsec.com/esp/servicios/cifrado.html) does not store
> private keys, it's only a crypto-accelerator.

I don't speak Spanish but from the datasheet it looks to me like a tamper-resistant generic computing platform. ARM7TDMI with RSA and DES co-processors and 128Kb memory that is erased on intrusion. A PKCS#11 token contains the key, as previously stated. This product could certainly be a very powerful PKCS#11 token but it depends on what software the ARM7 is running. I assume whoever buys the Cryptosec can decide for themselves what it should run and possibly also develop their own code for it.

> I've begun analyzing the pkcs11_engine's code and so far I see that
> in file p11_ops.c (from underlying libp11 project) does not
> implement the PKCS11_private_encrypt function. Even though it
> implements a PKCS11_sign function, my belief is that OpenSSL's RSA
> signature callout directly invokes the hash/encrypt methods, so the
> error code when executing the signed OCSP Request. Note that the
> same may be happening when executing OpenSSL's 'rsautl' which is
> the ticket still open at OpenSC project.

You are probably right. Although it seems that PKCS#11 is a poor fit for your application we would of course gladly accept a patch fixing the problem in libp11. :)

Perhaps the best solution is to write an OpenSSL engine that uses the Cryptosec for RSA? In that case engine_pkcs11 could be useful for reference.

//Peter

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
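The thread above hinges on a gap between two interfaces: OpenSSL's RSA signing path hands a DigestInfo blob to the engine's private-encrypt callout with PKCS#1 padding requested, while a PKCS#11 token exposes C_Sign, where the CKM_RSA_PKCS mechanism applies that same PKCS#1 v1.5 block-type-1 padding itself. The following is an added illustration, not code from libp11, engine_pkcs11 or OpenSSL: it models a token that only offers C_Sign, models OpenSSL's RSA_sign as "DigestInfo, then private-encrypt with PKCS#1 padding", and shows the small adapter that bridges the two by mapping RSA_PKCS1_PADDING to CKM_RSA_PKCS and RSA_NO_PADDING to CKM_RSA_X_509. The mechanism and padding constants are the values from the PKCS#11 specification and OpenSSL's rsa.h; the RSA key is a toy key generated in pure Python (512 bits, constructed for the example only), and the class and function names are mine, not the library's.

```python
"""Toy model of the OpenSSL RSA_sign -> rsa_priv_enc -> PKCS#11 C_Sign chain (added example)."""
import hashlib
import random

# PKCS#11 mechanism values (from the PKCS#11 spec).
CKM_RSA_PKCS = 0x0001    # token applies PKCS#1 v1.5 block type 1 padding
CKM_RSA_X_509 = 0x0003   # raw RSA, caller supplies a full-size block
# OpenSSL padding values (from <openssl/rsa.h>).
RSA_PKCS1_PADDING = 1
RSA_NO_PADDING = 3

# DER DigestInfo prefix for SHA-256, as RSA_sign(NID_sha256, ...) prepends it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test; good enough for a constructed toy key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_toy_key(bits=512, seed=1):
    """Deterministic toy RSA key (n, e, d). Constructed for illustration only."""
    rng = random.Random(seed)

    def prime(nbits):
        while True:
            cand = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand

    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


class TokenOnlySign:
    """Hypothetical PKCS#11 token exposing C_Sign but no raw private-encrypt call."""

    def __init__(self, n, d):
        self._n, self._d = n, d
        self.k = (n.bit_length() + 7) // 8   # modulus length in bytes

    def c_sign(self, mechanism, data):
        if mechanism == CKM_RSA_PKCS:
            if len(data) > self.k - 11:
                raise ValueError("CKR_DATA_LEN_RANGE")
            # EMSA-PKCS1-v1_5 block type 1: 00 01 FF..FF 00 || data
            block = b"\x00\x01" + b"\xff" * (self.k - len(data) - 3) + b"\x00" + data
        elif mechanism == CKM_RSA_X_509:
            if len(data) != self.k:
                raise ValueError("CKR_DATA_LEN_RANGE")
            block = data
        else:
            raise ValueError("CKR_MECHANISM_INVALID")
        m = int.from_bytes(block, "big")
        return pow(m, self._d, self._n).to_bytes(self.k, "big")


def pkcs11_private_encrypt(token, padding, data):
    """The private-encrypt callout the thread says is missing, built on C_Sign.

    OpenSSL asks the engine for padding; the token mechanism that performs
    exactly that padding is selected so the two interfaces line up.
    """
    if padding == RSA_PKCS1_PADDING:
        return token.c_sign(CKM_RSA_PKCS, data)
    if padding == RSA_NO_PADDING:
        return token.c_sign(CKM_RSA_X_509, data)
    raise ValueError("padding mode not supported by this engine")


def rsa_sign_sha256(priv_enc, message):
    """Models OpenSSL RSA_sign: hash, wrap in DigestInfo, call rsa_priv_enc."""
    digest_info = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return priv_enc(RSA_PKCS1_PADDING, digest_info)


def rsa_verify_sha256(n, e, message, sig):
    """Software verification with the public key, checking the padding strictly."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    block = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return block == b"\x00\x01" + b"\xff" * (k - len(expected) - 3) + b"\x00" + expected


def demo(message=b"constructed OCSP request bytes"):
    """Sign through the adapter and verify with the public key; returns True on success."""
    n, e, d = generate_toy_key()
    token = TokenOnlySign(n, d)
    sig = rsa_sign_sha256(lambda pad, data: pkcs11_private_encrypt(token, pad, data), message)
    return rsa_verify_sha256(n, e, message, sig)


if __name__ == "__main__":
    print("signature verifies:", demo())
```

The point the toy makes: nothing in the signing path needs the private key to leave the token, because CKM_RSA_PKCS pads the DigestInfo exactly as OpenSSL's RSA_PKCS1_PADDING expects, so a private-encrypt callout that simply forwards to C_Sign with the matching mechanism is sufficient; a padding mode the token has no mechanism for must be refused rather than emulated.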