hi,

On Nov 10, 2011, at 2:18 PM, Jan Just Keijser wrote:

> Alon Bar-Lev wrote:
>> On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang <weizhongqi...@gmail.com> 
>> wrote:
>>> hi Alon,
>>> Sorry that I made you confused.
>>> 
>>> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:
>>> 
>>>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang <weizhongqi...@gmail.com> 
>>>> wrote:
>>>>>> OpenSSL is fully compatible with this approach, having RSA object that
>>>>>> can be used for crypto operation without actually having the private
>>>>>> key. This is done via the concept of "engine" which delegate the
>>>>>> crypto calls to the hardware device.
>>>>> Should I install the "engine_pkcs11" to get the nss softoken to work?
>>>>> 
>>>> Hmmm..... What EXACTLY are you trying to do?
>>> I need to use the credential in the smart card to generate a proxy credential 
>>> (which will not be inside the softoken) for the use case of Grid computing. 
>>> (see RFC 3820 for the definition of proxy certificate)
>>> The current solution in the Grid use case is that the EEC credential is 
>>> located as two files (e.g., usercert.pem, userkey.pem). We need to replace 
>>> it because the smart card storage provides more security.
>>> 
>>> Now we choose nss softoken rather than a hardware smart card, for two 
>>> reasons:
>>> 1, in the development stage, we would choose nss softoken, because it 
>>> provides the same interface as a hardware device.
>>> 2, in applications other than Grid, such as web applications, nss 
>>> softoken is more generally used. So we would like users to switch from 
>>> existing web applications to Grid, without the need to manage the two 
>>> files: usercert.pem and userkey.pem
>>> 
>>>> Why do you use the NSS soft token and access it via OpenSSL?
>>> Our current code (such as the proxy credential generation, TLS 
>>> communication, etc.) is based on OpenSSL. So for the purpose of minimizing 
>>> the development effort, we still need to use OpenSSL.
>>> The reason I asked how to retrieve the private key is that with the 
>>> X509 and private key out, I can reuse the current code to generate proxy 
>>> certificates.
>>> 
>>>> Either stick with NSS or use OpenSSL.
>>>> Where is the hardware device?
>>> There is no hardware currently. But I thought if my code can talk to the 
>>> nss softoken, it can also talk to a hardware device, because of the 
>>> pkcs11 standard.
>>> 
>>>> Which component's PKCS#11 are you trying to access?
>>> Currently only nss softoken.
>>> 
>>> Thanks
>>> Weizhong Qiang
>>> 
>>>>>> Try to perform private key operation using the RSA object and see that 
>>>>>> it works.
>>>>> Do you mean that I should use RSA_sign instead of X509_sign?
>>>>> 
>>>> Again,
>>>> I am totally confused by the partial information you present.
>>>> So I cannot know what is best for you, or even why you are using
>>>> pkcs11-helper, as if I understand correctly you do not have a hardware
>>>> device at all.
>>>> 
>>>> Alon.
>> 
>> OK, so now I understand.
>> So you have a standard OpenSSL application that uses X509, RSA for TLS.
>> And you get these from pkcs11-helper, so what exactly is your problem?
>> It should work.
> 
> actually, the problem is that an nss softtoken is not a fully 100% compliant 
> PKCS11 device - see
> https://lists.strongswan.org/pipermail/users/2007-July/001900.html
> for details. I've been looking into the same issue a few years back but never 
> decided to modify the pkcs11-helper code to support the nss softtokens.

I think the compliance issue has been solved in pkcs11-helper version 1.08 and
above.
The issue has been discussed in this thread:
http://www.opensc-project.org/pipermail/opensc-user/2009-March/002949.html

Weizhong Qiang

> 
> cheers,
> 
> JJK
> 

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
