Hi Alon,
Sorry that I confused you.

On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:

> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang <weizhongqi...@gmail.com> 
> wrote:
>>> OpenSSL is fully compatible with this approach, having an RSA object that
>>> can be used for crypto operations without actually having the private
>>> key. This is done via the concept of an "engine", which delegates the
>>> crypto calls to the hardware device.
>> 
>> Should I install "engine_pkcs11" to get the NSS softoken to work?
>> 
> 
> Hmmm..... What EXACTLY are you trying to do?

I need to use the credential in a smart card to generate a proxy credential 
(which will not be inside the softoken) for the Grid computing use case 
(see RFC 3820 for the definition of a proxy certificate).
The current solution in the Grid use case is that the EEC credential is stored as 
two files (e.g., usercert.pem, userkey.pem). We need to replace it because 
smart card storage provides more security.

Now we choose the NSS softoken rather than a hardware smart card, for two 
reasons:
1. In the development stage, we would choose the NSS softoken because it provides 
the same interface as a hardware device.
2. In applications other than Grid, such as web applications, the NSS softoken 
is more generally used. So we would like users to switch from existing web 
applications to Grid without needing to manage the two files usercert.pem 
and userkey.pem.


> Why do you use the NSS soft token and access it via OpenSSL?

Our current code (such as the proxy credential generation, TLS communication, 
etc.) is based on OpenSSL. So to minimize the development effort, we still 
need to use OpenSSL.
The reason I asked how to retrieve the private key is that with the 
X509 certificate and private key extracted, I can reuse the current code to 
generate the proxy certificate.

> Either stick with NSS or use OpenSSL.
> Where is the hardware device?

There is no hardware currently. But I thought that if my code can communicate 
with the NSS softoken, it can also communicate with a hardware device, because 
of the PKCS#11 standard.


> Which component's PKCS#11 are you trying to access?

Currently only the NSS softoken.

Thanks 
Weizhong Qiang

> 
>>> Try to perform private key operation using the RSA object and see that it 
>>> works.
>> 
>> Do you mean that I should use RSA_sign instead of X509_sign?
>> 
> 
> Again,
> I am totally confused by the partial information you present.
> So I cannot know what is best for you, and even why you are using
> pkcs11-helper, as if I understand correctly you do not have a hardware
> device at all.
> 
> Alon.
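As an added illustration (not code from this thread or from OpenSC), the Grid flow discussed above done with the openssl CLI: a constructed demo CA issues an EEC (usercert.pem/userkey.pem), the EEC key signs an RFC 3820 proxy certificate, and the chain is verified both without and with -allow_proxy_certs. It assumes the openssl binary is on PATH; the engine_pkcs11 signing command in the comments is a sketch with the key id as a placeholder, and all names and subjects are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build CA -> EEC -> RFC 3820 proxy with the
# openssl CLI and check that verification only succeeds when proxies are allowed.
# All names, subjects and file names here are constructed for the demo.
set -eu

make_proxy_chain() (
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    # Minimal config: a [req] section so 'openssl req' needs no system openssl.cnf,
    # plus one extension section per certificate type.
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[eec]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[proxy]
proxyCertInfo = critical, language:id-ppl-inheritAll, pathlen:1
EOF
    eec_dn="/C=XX/O=Example Grid/CN=Weizhong Qiang"
    # 1. Demo CA standing in for the Grid CA.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 2 \
        -subj "/C=XX/O=Example Grid/CN=Demo CA" -config ext.cnf -extensions v3_ca 2>/dev/null
    # 2. EEC, i.e. usercert.pem/userkey.pem; in the thread this key sits in the token.
    openssl req -new -newkey rsa:2048 -nodes -keyout userkey.pem -out eec.csr \
        -subj "$eec_dn" -config ext.cnf 2>/dev/null
    openssl x509 -req -in eec.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 \
        -extfile ext.cnf -extensions eec -out usercert.pem 2>/dev/null
    # 3. Proxy: new key, subject = EEC subject + one CN (RFC 3820 3.4), signed by the
    #    EEC key. Signing only needs an EVP_PKEY, so with engine_pkcs11 the same step
    #    can take the key from the token instead of userkey.pem, roughly (placeholder id):
    #    openssl x509 -req ... -engine pkcs11 -CAkeyform engine -CAkey '<token key id>'
    openssl req -new -newkey rsa:2048 -nodes -keyout proxykey.pem -out proxy.csr \
        -subj "$eec_dn/CN=12345678" -config ext.cnf 2>/dev/null
    openssl x509 -req -in proxy.csr -CA usercert.pem -CAkey userkey.pem -CAcreateserial \
        -days 1 -extfile ext.cnf -extensions proxy -out proxy.pem 2>/dev/null
    # 4. A relying party must opt in with -allow_proxy_certs; by default the chain fails.
    if openssl verify -CAfile ca.pem -untrusted usercert.pem proxy.pem >/dev/null 2>&1; then
        echo "proxy accepted without -allow_proxy_certs" >&2; exit 1
    fi
    openssl verify -allow_proxy_certs -CAfile ca.pem -untrusted usercert.pem proxy.pem >/dev/null
    openssl x509 -in proxy.pem -noout -subject   # prints the delegated identity
)
```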

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel