[opensc-devel] OpenSC with or without OpenSSL - What is the direction?

Mon, 27 Sep 2010 13:58:58 -0700 

There has been a effort to be able to build OpenSC without the use
of OpenSSL. Yet there is newer code that keeps creeping in to the
trunk that requires OpenSSL.

The OpenSSL dependent code can be divided into 3 areas:

(1) Code that tries to get some information from a certificate, such
   as the public key, or the basic constraints. For example
   sc_pkcs15_pubkey_from_cert in pkcs15-pubkey.c

   Much of this code appears to have been added because parse_x509_cert
   in pkcs15-cert.c does not do a good enough job in supporting more
   then RSA, and does not parse options like basic constraint that one
   card driver needs.

(2) Code that deals with symmetric keys for example in, pkcs15-wrap.c
   It is not clear if the project wants to add native crypto to OpenSC
   code or continue to use OpenSSL, or some other package. (The gost
   code appears to introduce a dependency on the gost external engine,
   to do its crypto.) Any Secure Messaging or some card initialization
   that needs to authenticate to the card, needs this.

(3) Old code that is not being used. p15card-helper.c for example
   in not used at all. It was introduced by a third party for use
   with the PIV card, but is no longer used, and in my option could
   be removed.

I bring this up as I am interested in adding ECC support (with named
curves only) to OpenSC for the PIV card. No ECC crypto needs to be
done, but support for getting the EC pubkey from a cert and saving
a pubkey generated by the card is needed.

(As an attempt to not require OpenSSL, last week I committed changes
that allowed the PIV driver to be built without OpenSSL. OpenSSL
is still needed for card administration, as a 3DES Decrypt is still
needed. But the administration code and piv-tool are not
used by the ordinary users. This type of code falls into (2))

So what is the direction?

  (A) Continue to use OpenSSL but only in the most limited cases?

  (B) Try and stamp it out, but this would then require adding some
      crypto for symmetric keys and maybe other hash functions?

  (C) Embrace it, and use its crypto, key and cert structures
      and simplify OpenSC code?

  (D) Use some other crypto package?

-- 

  Douglas E. Engert  <[email protected]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to