Alon Bar-Lev wrote: > On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang <weizhongqi...@gmail.com> > wrote: > >> hi Alon, >> Sorry that I make you be confused. >> >> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote: >> >> >>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang <weizhongqi...@gmail.com> >>> wrote: >>> >>>>> OpenSSL is fully compatible with this approach, having RSA object that >>>>> can be used for crypto operation without actually having the private >>>>> key. This is done via the concept of "engine" which delegate the >>>>> crypto calls to the hardware device. >>>>> >>>> Should I installed the "engine_pkcs11" to get the nss softoken work? >>>> >>>> >>> Hmmm..... What EXACTLY are you trying to do? >>> >> I need to use the credential in smart card to generate a proxy credential >> (which will not be inside the softoken) for the use case of Grid computing. >> (see RFC 3820 for the definition of proxy certificate) >> The current solution in Grid use case is that: the EEC credential is located >> as two files (e.g., usercert.pem, userkey.pem). We need to replace it >> because the smart card storage provide more security. >> >> Now we choose nss softoken rather than hardware smart card, because of two >> reasons: >> 1, in the development stage, we would choose nss softoken, because it >> provide the same interface as hardware device. >> 2, in the applications other than Grid, such as web applications, nss >> softoken is more general to be used. So we would like users switch from >> existing web applications to Grid, without the need to manage the two files: >> usercert.pem and userkey.pem >> >> >> >>> Why do you use the NSS soft token and access it via OpenSSL? >>> >> Our current code (such as the proxy credential generation, TLS >> communication, etc.) is based on OpenSSL. So for the purpose of minimizing >> the development effort, we still need to use OpenSSL. >> The reason why I asked how to retrieve private key out, is because with the >> X509 and private key out, I can reuse the current code to generating proxy >> certificate. >> >> >>> Either stick with NSS or use OpenSSL. >>> Where is the hardware device? >>> >> There is no hardware currently. But I thought if my code can contact with >> nss softoken, it can also contact with hardware device, because of the >> pkcs11 standard. >> >> >> >>> Which component's PKCS#11 are you trying to access? >>> >> Currently only nss softoken. >> >> Thanks >> Weizhong Qiang >> >> >>>>> Try to perform private key operation using the RSA object and see that it >>>>> works. >>>>> >>>> Do you mean that I should use RSA_sign instead of X509_sign? >>>> >>>> >>> Again, >>> I am totally confused from the partial information you present. >>> So I cannot know what is best for you, and even why you are using >>> pkcs11-helper, as if I understand correctly you do not have hardware >>> device at all. >>> >>> Alon. >>> >> > > OK, so now I understand. > So you have standard OpenSSL application that uses X509, RSA for TLS. > And you get these from pkcs11-helper, so what exactly is your problem? > it should work. > _______________________________________________ > >
actually, the problem is that an nss softtoken is not a fully 100% compliant PKCS11 device - see https://lists.strongswan.org/pipermail/users/2007-July/001900.html for details. I've been looking into the same issue a few years back but never decided to modify the pkcs11-helper code to support the nss softtokens. cheers, JJK _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
