On 04/21/2010 02:25 PM, Jan Just Keijser wrote:
> Hi Andreas,
>
>   
>> or send patches for libp11/engine_pkcs11 to handle gost.
>> (no idea how much work that would be - I'm quite clueless
>> over there. also gost engine might be much better than the
>> simple and hacky engine_pkcs11).
>>
>> but maybe I missed something in the discussion or got some
>> parts wrong? please don't let me stay stupid :-)
>>     
> the problem is quite subtle:
> - some applications load engine_pkcs11 and/or opensc-pkcs11 but they 
> themselves do not use openssl
> - to use the gost algorithms inside of engine_pkcs11 the openssl gost 
> engine (an external .so file) needs to be loaded.
>   
So is gost calling the openssl engine or high-level code to do its
operations? If so that seems like a layer violation, since the PKCS #11
interface could be called from the openssl_engine.

We have the same situation in NSS. PKCS #11 modules written with ckbi
that need to do crypto (and do not supply their own implementation) can
not call the NSS PK11_XXXX interface that applications are expected to
use. Instead the PKCS #11 modules need to call the freebl layer used by
the NSS softoken.

I believe openssl has the equivalent (though I don't know if that layer
is in its own shared library, or is exported by openssl).

bob

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
