Martin Paljak wrote:
> Hello,
>
> On Sep 15, 2010, at 11:08 AM, Viktor TARASOV wrote:
>
>> Andreas Jellinghaus wrote:
>>
>>> I got very bad results with OpenSSL 1.0.0 (and 1.0.0a) on Windows in a server
>>> environment: stability issues that couldn't be tracked down. The same code
>>> works well with 0.9.8o.
>>>
>>> So maybe you too want to go back to the last 0.9.8* release, until OpenSSL
>>> releases a stable 1.0.* version?
>>>
>>> (I saw the changes for the build project using openssl 1.0.0a now...)
>>>
>> Not quite related to the topic.
>>
>> Afaiu, in OpenSSL 1.0.0 it's possible to generate the RSA key with an
>> engine using the command line tools; there is no such possibility in the
>> 0.9.x versions.
>>
> OpenSSL 1.0.0 had some ASM optimization problems [1] (which, of course, are
> enabled by all distro packages). For seldom-happening single operations
> (verification, decryption, digest calculation) I think the instability
> problem is not that apparent. Also, as the heavyweight operation is always
> happening on a quite slow smart card, we don't need to enable any ASM
> optimizations (need to check how OpenSSL is built with mingw).
>
>> From your point of view, is it worth implementing the 'key_gen'
>> facility in OpenSC engine_pkcs11 & libp11?
>>
> Why not.
>
> At the same time I don't think OpenSSL is used that much for generic key
> management (Yet Another OpenSSL CA script-fu does not count) and enrollment,
> or that it is the best tool for this.
> Key generation, even if generated for short periods and re-generated often,
> is a quite special use case. Key generation, CSR generation and certificate
> generation in a single application in one go is IMHO not a good idea nor an
> often used feature.
>
>> The same about implementing the engine's 'store_meth'.
>> Afaiu, in this case OpenSSL can be used to list/store/delete
>> certificates, data, ... on the card, and probably more.
>> (For the moment I do not see how to access the engine's 'store' with the
>> OpenSSL tools.)
>>
> Last time I checked (about a year ago?) the store interface was not complete.
> But it would be a nice thing to have, and to change the current engine control
> to the generic store interface.
>
>> I have in mind a unified family of tools to perform all card enrollment
>> operations.
>> (Actually, when doing decentralized enrollment:
>> the key is generated with OpenSC, the P10 is signed with OpenSSL, the
>> certificate is imported with OpenSC.)
>>
> I think OpenSSL support is important to the level that OpenSSL based
> applications can access keys (and certificates) on the card (or in any other
> PKCS#11 hardware) and, most importantly, can use the keys for SSL/TLS, which
> should be the main purpose of OpenSSL.
>
> It would not hurt to have engine_pkcs11 as full-featured as possible, but I
> would not promote OpenSSL [2] as "the API" for smart card personalization or
> hardware key generation.
>
> [1] http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/sc.c#L696
> [2] http://www.peereboom.us/assl/assl/html/openssl.html

Thanks, I see.

This question came from suddenly discovered evidence: without the intermediary of NSS, tools from different families are needed to perform card enrollment.

--
Viktor Tarasov <viktor.tara...@opentrust.com>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel