On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang <weizhongqi...@gmail.com> wrote:
> hi Alon,
> Sorry that I confused you.
>
> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:
>
>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang <weizhongqi...@gmail.com> 
>> wrote:
>>>> OpenSSL is fully compatible with this approach, having RSA object that
>>>> can be used for crypto operation without actually having the private
>>>> key. This is done via the concept of "engine" which delegate the
>>>> crypto calls to the hardware device.
>>>
>>> Should I install "engine_pkcs11" to get the nss softoken to work?
>>>
>>
>> Hmmm..... What EXACTLY are you trying to do?
>
> I need to use the credential in the smart card to generate a proxy credential 
> (which will not be inside the softoken) for the Grid computing use case.  
> (see RFC 3820 for the definition of proxy certificate)
> The current solution in the Grid use case is that the EEC credential is stored 
> as two files (e.g., usercert.pem, userkey.pem). We need to replace it because 
> the smart card storage provides more security.
>
> Now we choose the nss softoken rather than a hardware smart card, for two 
> reasons:
> 1, in the development stage, we would choose the nss softoken, because it 
> provides the same interface as a hardware device.
> 2, in applications other than Grid, such as web applications, the nss 
> softoken is more generally usable. So we would like users to switch from 
> existing web applications to Grid, without the need to manage the two files: 
> usercert.pem and userkey.pem
>
>
>> Why do you use the NSS soft token and access it via OpenSSL?
>
> Our current code (such as the proxy credential generation, TLS communication, 
> etc.) is based on OpenSSL. So for the purpose of minimizing the development 
> effort, we still need to use OpenSSL.
> The reason why I asked how to retrieve the private key is that with the 
> X509 and private key out, I can reuse the current code for generating the proxy 
> certificate.
>
>> Either stick with NSS or use OpenSSL.
>> Where is the hardware device?
>
> There is no hardware currently. But I thought that if my code can talk to the 
> nss softoken, it can also talk to a hardware device, because of the pkcs11 
> standard.
>
>
>> Which component's PKCS#11 are you trying to access?
>
> Currently only nss softoken.
>
> Thanks
> Weizhong Qiang
>
>>
>>>> Try to perform a private key operation using the RSA object and see that it 
>>>> works.
>>>
>>> Do you mean that I should use RSA_sign instead of X509_sign?
>>>
>>
>> Again,
>> I am totally confused from the partial information you present.
>> So I cannot know what is best for you, and even why you are using
>> pkcs11-helper, as if I understand correctly you do not have hardware
>> device at all.
>>
>> Alon.
>
>

OK, so now I understand.
So you have a standard OpenSSL application that uses X509 and RSA for TLS.
And you get these from pkcs11-helper, so what exactly is your problem?
It should work.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
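The point Alon makes in the thread above (an engine-backed key object signs on the application's behalf, so the application never holds, and never needs to retrieve, the private key; the existing X509_sign call keeps working) as an added Python illustration. This is not code from the thread, from OpenSSL or from pkcs11-helper. In real OpenSSL code the handle is the EVP_PKEY returned by ENGINE_load_private_key() (or the RSA object pkcs11-helper hands back for a token key), and the proxy certificate is signed with X509_sign(proxy, pkey, EVP_sha256()). Here SoftToken, TokenKeyHandle, issue_proxy and check_proxy are hypothetical stand-ins, the JSON "certificate" body replaces the RFC 3820 X.509 structure, and the textbook RSA with PKCS#1 v1.5 padding is a toy written for the example, not for production use.

```python
import hashlib
import json
import math
import secrets

# Added illustration of the "engine" pattern: the application gets a handle
# that can sign while the private exponent stays inside the token.
# Toy RSA / PKCS#1 v1.5; not OpenSSL, not pkcs11-helper, not for production.


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) into k bytes (RFC 8017, 9.2)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


class SoftToken:
    """Stand-in for the NSS softoken or a smart card: the key pair is made
    inside and only sign() and the public key are reachable from outside."""

    def __init__(self, bits=1024):
        e = 65537
        while True:
            p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(e, phi) == 1:
                break
        self._n, self._e = p * q, e
        self._d = pow(e, -1, phi)  # private exponent: never leaves the token
        self._k = (self._n.bit_length() + 7) // 8

    def public_key(self):
        return (self._n, self._e)

    def sign(self, data):
        m = int.from_bytes(_emsa_pkcs1_v15(data, self._k), "big")
        return pow(m, self._d, self._n).to_bytes(self._k, "big")


class TokenKeyHandle:
    """What an engine-backed RSA/EVP_PKEY is to the application: it signs and
    exposes the public half; there is no call that exports the private key."""

    def __init__(self, token):
        self._token = token

    def public_key(self):
        return self._token.public_key()

    def sign(self, data):
        return self._token.sign(data)


def verify(pub, data, sig):
    """RSASSA-PKCS1-v1_5 verification using only the public key."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(data, k)


def issue_proxy(eec_key, eec_subject, proxy_pub, lifetime_s=3600):
    """Toy proxy credential (stand-in for an RFC 3820 proxy certificate): the
    EEC key signs a body carrying the fresh proxy public key. eec_key is a
    TokenKeyHandle, passed exactly as an engine-backed EVP_PKEY is passed to
    X509_sign(); nothing on this path reads the private key."""
    tbs = {"issuer": eec_subject, "subject": eec_subject + "/CN=proxy",
           "proxy_pub": list(proxy_pub), "lifetime_s": lifetime_s}
    tbs_bytes = json.dumps(tbs, sort_keys=True).encode()
    return {"tbs": tbs, "sig": eec_key.sign(tbs_bytes)}


def check_proxy(eec_pub, proxy):
    """Verify the proxy body against the EEC public key."""
    tbs_bytes = json.dumps(proxy["tbs"], sort_keys=True).encode()
    return verify(eec_pub, tbs_bytes, proxy["sig"])


if __name__ == "__main__":
    eec = TokenKeyHandle(SoftToken(bits=1024))        # long-lived key in the token
    proxy_pub = SoftToken(bits=1024).public_key()     # proxy key pair, kept outside the token
    proxy = issue_proxy(eec, "/O=Grid/CN=Alice", proxy_pub)
    print("proxy verifies:", check_proxy(eec.public_key(), proxy))
```

The thing to notice is the type that reaches issue_proxy: a handle whose only operations are sign() and public_key(). That is what an engine-backed EVP_PKEY gives an OpenSSL application, which is why the question in the thread, how to get the private key out, has no answer and does not need one: the code that builds and signs the proxy certificate works unchanged, and the same handle works whether the PKCS#11 module behind it is the NSS softoken or a real card.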