There has been a effort to be able to build OpenSC without the use of OpenSSL. Yet there is newer code that keeps creeping in to the trunk that requires OpenSSL.
The OpenSSL dependent code can be divided into 3 areas: (1) Code that tries to get some information from a certificate, such as the public key, or the basic constraints. For example sc_pkcs15_pubkey_from_cert in pkcs15-pubkey.c Much of this code appears to have been added because parse_x509_cert in pkcs15-cert.c does not do a good enough job in supporting more then RSA, and does not parse options like basic constraint that one card driver needs. (2) Code that deals with symmetric keys for example in, pkcs15-wrap.c It is not clear if the project wants to add native crypto to OpenSC code or continue to use OpenSSL, or some other package. (The gost code appears to introduce a dependency on the gost external engine, to do its crypto.) Any Secure Messaging or some card initialization that needs to authenticate to the card, needs this. (3) Old code that is not being used. p15card-helper.c for example in not used at all. It was introduced by a third party for use with the PIV card, but is no longer used, and in my option could be removed. I bring this up as I am interested in adding ECC support (with named curves only) to OpenSC for the PIV card. No ECC crypto needs to be done, but support for getting the EC pubkey from a cert and saving a pubkey generated by the card is needed. (As an attempt to not require OpenSSL, last week I committed changes that allowed the PIV driver to be built without OpenSSL. OpenSSL is still needed for card administration, as a 3DES Decrypt is still needed. But the administration code and piv-tool are not used by the ordinary users. This type of code falls into (2)) So what is the direction? (A) Continue to use OpenSSL but only in the most limited cases? (B) Try and stamp it out, but this would then require adding some crypto for symmetric keys and maybe other hash functions? (C) Embrace it, and use its crypto, key and cert structures and simplify OpenSC code? (D) Use some other crypto package? -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel