Hello,

On Sep 15, 2010, at 11:08 AM, Viktor TARASOV wrote:
> Andreas Jellinghaus wrote:
>> I got very bad results with OpenSSL 1.0.0 (and 1.0.0a) on Windows in Server 
>> Environment: stability issues that couldn't be tracked down. The same code
>> works well with 0.9.8o.
>> 
>> So maybe you too want to go back to the last 0.9.8* release, until OpenSSL
>> releases a stable 1.0.* version?
>> 
>> (I saw the changes for the build project using openssl 1.0.0a now...)
>> 
> Not quite related to the topic.
> 
> Afaiu, in OpenSSL 1.0.0 it's possible to generate the RSA key with an 
> engine using the command line tools,
> there is no such possibility in the 0.9.x versions.
OpenSSL 1.0.0 had some ASM optimization problems [1] (which, of course, is 
enabled by all distro packages). For seldom-happening single operations 
(verification, decryption, digest calculation) I think the instability problem 
is not that apparent. Also, the heavyweight operation is always happening on a 
quite slow smart card, so we don't need to enable any ASM optimizations (need to 
check how OpenSSL is built with mingw).


> From your point of view, is it worth implementing the 'key_gen' 
> facility in OpenSC engine_pkcs11 & libp11 ?
Why not.

At the same time I don't think OpenSSL is used that much for generic key 
management (Yet Another OpenSSL CA script-fu does not count) and enrollment, or 
if it is the best tool for this.
Key generation, even if generated for short periods and re-generated often, is 
a quite special use case. Key generation, CSR generation and certificate 
generation in a single application in one go is IMHO not a good idea nor an 
often used feature.


> The same about implementing the engine's 'store_meth'.
> Afaiu, in this case OpenSSL can be used to list/store/delete 
> certificates, data, ... on the card, and probably more.
> (For a moment I do not see how to access the engine's 'store' with the 
> OpenSSL tools.)
Last time I checked (about a year ago?) the store interface was not complete. 
But it would be a nice thing to have and change the current engine control to 
the generic store interface.


> I have in mind the unique family of tools to perform all card enrollment 
> operations.
> (Actually, when doing decentralized enrollment:
> key is generated with OpenSC, P10 is signed with OpenSSL, certificate is 
> imported with OpenSC.)


I think OpenSSL support is important to the level that OpenSSL based 
applications can access keys (and certificates) on the card (or in any other 
PKCS#11 hardware) and most importantly, can use the keys for SSL/TLS, which 
should be the main purpose of OpenSSL.

It would not hurt to have engine_pkcs11 as full-featured as possible, but I 
would not promote OpenSSL [2] as "the API" for smart card personalization or 
hardware key generation.

[1] http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/sc.c#L696
[2] http://www.peereboom.us/assl/assl/html/openssl.html
-- 
Martin Paljak
@martinpaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
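The decentralized enrollment flow Viktor describes above (key generated with OpenSC, PKCS#10 request signed with OpenSSL through engine_pkcs11, certificate imported with OpenSC), written out as an added shell example that is not part of this thread or of the OpenSC project. The object id `45`, auth id `01`, subject, file names and the `id_<hex>` key reference syntax for engine_pkcs11 are assumptions about the tools as they were at the time (newer engine_pkcs11 releases accept a `pkcs11:` URI instead); the script prints the commands by default and only talks to a card when run with `DRY_RUN=0`.

```shell
#!/bin/sh
# Decentralized card enrollment in three steps:
#   1. key pair generated on the card (OpenSC pkcs15-init), private key never exported
#   2. PKCS#10 request signed with that key through engine_pkcs11 (OpenSSL)
#   3. certificate issued by the CA stored back on the card next to the key (OpenSC)
# Added example, not OpenSC code; ids, labels and file names below are constructed.
set -eu

KEY_ID="${KEY_ID:-45}"                      # PKCS#15 object id shared by key and cert (assumed)
AUTH_ID="${AUTH_ID:-01}"                    # PIN object that protects the private key (assumed)
SUBJECT="${SUBJECT:-/CN=example user}"      # request subject (constructed)
CSR_FILE="${CSR_FILE:-request.pem}"         # PKCS#10 written by openssl req
CERT_FILE="${CERT_FILE:-issued.pem}"        # certificate returned by the CA
DRY_RUN="${DRY_RUN:-1}"                     # 1: print the commands, 0: execute them

# run_cmd prints the command line (unquoted, one per line) in dry-run mode,
# otherwise executes it; exit status propagates because of set -e.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: RSA 2048 key pair generated on the card, protected by the PIN AUTH_ID.
generate_key_on_card() {
    run_cmd pkcs15-init --generate-key rsa/2048 --auth-id "$AUTH_ID" \
        --id "$KEY_ID" --label "enrollment key"
}

# Step 2: build the request and sign it with the on-card key via engine_pkcs11.
# "id_<hex>" is the key reference format assumed for the 2010-era engine.
sign_csr_with_card_key() {
    run_cmd openssl req -new -engine pkcs11 -keyform engine \
        -key "id_$KEY_ID" -subj "$SUBJECT" -out "$CSR_FILE"
}

# Step 3: once the CA has issued the certificate for the request, store it
# under the same id so PKCS#11 clients find the key/certificate pair.
import_certificate() {
    run_cmd pkcs15-init --store-certificate "$CERT_FILE" --id "$KEY_ID"
}

# enroll runs the three steps in order; in dry-run mode its output is the
# exact sequence of commands that would be executed against the card.
enroll() {
    generate_key_on_card
    sign_csr_with_card_key
    import_certificate
}

enroll
```

Run as `DRY_RUN=0 ./enroll.sh` with a card and reader present and pkcs15-init will prompt for the PIN; between step 2 and step 3 the CSR has to be sent to the CA and the returned certificate saved as `issued.pem`, which is the part that lives outside both OpenSC and OpenSSL.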