hi Alon,

On Nov 10, 2011, at 2:15 PM, Alon Bar-Lev wrote:

> On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang <weizhongqi...@gmail.com> wrote:
>> hi Alon,
>> Sorry that I made you confused.
>>
>> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:
>>
>>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang <weizhongqi...@gmail.com> wrote:
>>>>> OpenSSL is fully compatible with this approach, having an RSA object that
>>>>> can be used for crypto operations without actually having the private
>>>>> key. This is done via the concept of "engine", which delegates the
>>>>> crypto calls to the hardware device.
>>>>
>>>> Should I install the "engine_pkcs11" to get the nss softoken to work?
>>>>
>>>
>>> Hmmm..... What EXACTLY are you trying to do?
>>
>> I need to use the credential in the smart card to generate a proxy credential
>> (which will not be inside the softoken) for the use case of Grid computing.
>> (see RFC 3820 for the definition of proxy certificate)
>> The current solution in the Grid use case is that the EEC credential is stored
>> as two files (e.g., usercert.pem, userkey.pem). We need to replace it
>> because the smart card storage provides more security.
>>
>> Now we choose nss softoken rather than a hardware smart card, for two
>> reasons:
>> 1. In the development stage, we would choose nss softoken, because it
>> provides the same interface as a hardware device.
>> 2. In applications other than Grid, such as web applications, nss
>> softoken is more generally used. So we would like users to switch from
>> existing web applications to Grid, without the need to manage the two files
>> usercert.pem and userkey.pem.
>>
>>
>>> Why do you use the NSS soft token and access it via OpenSSL?
>>
>> Our current code (such as the proxy credential generation, TLS
>> communication, etc.) is based on OpenSSL. So for the purpose of minimizing
>> the development effort, we still need to use OpenSSL.
>> The reason why I asked how to retrieve the private key is that with the
>> X509 and private key out, I can reuse the current code for generating the proxy
>> certificate.
>>
>>> Either stick with NSS or use OpenSSL.
>>> Where is the hardware device?
>>
>> There is no hardware currently. But I thought if my code can talk to the
>> nss softoken, it can also talk to a hardware device, because of the
>> pkcs11 standard.
>>
>>
>>> Which component's PKCS#11 are you trying to access?
>>
>> Currently only nss softoken.
>>
>> Thanks
>> Weizhong Qiang
>>
>>>
>>>>> Try to perform a private key operation using the RSA object and see that it
>>>>> works.
>>>>
>>>> Do you mean that I should use RSA_sign instead of X509_sign?
>>>>
>>>
>>> Again,
>>> I am totally confused by the partial information you present.
>>> So I cannot know what is best for you, and even why you are using
>>> pkcs11-helper, as if I understand correctly you do not have a hardware
>>> device at all.
>>>
>>> Alon.
>>
>>
>
> OK, so now I understand.
> So you have a standard OpenSSL application that uses X509, RSA for TLS.
> And you get these from pkcs11-helper, so what exactly is your problem?
> It should work.

As I mentioned, I need to use the EEC credential to generate a proxy credential
(the process is the same as when you use a CA credential to generate an EEC
credential). In the generation step, I need to use X509_sign
(int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)), which needs the
private key for signing an X509 certificate. That is the reason I need to take
the private key out.
Could you tell me how to use the pkcs11-helper lib to sign a certificate
without taking the private key out? To use pkcs11h_certificate_sign?

Thanks
Weizhong Qiang
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel