This has been a very busy thread over night. As co-author of http://www.ietf.org/rfc/rfc3820.txt and having worked on the Globus GSI code from 1996-2004 I would like to make some comments. At the 1998 Supercomputing conference in Orlando, I was issuing Globus smartcards which could be used with grid-proxy-init using PKCS#11 and Litronic smart cards. So signing a proxy can be done using a smart card without the key leaving the card.
The key to be used in the proxy certificate still needs to be generated and stored somewhere. It needs to be stored unencrypted, as it is used automatically (no user input of a PIN or passphrase) so access to the key is the main security concern. (If the key was encrypted, the encryption key or passphrase would need to be stored and protected, which is another approach.) You appear to want to use the NSS softtoken code, but this code still needs to store the proxy key unencrypted somewhere. The original GSI stored this in a file. As best I can tell you want to store this in some other format and maybe in memory? NSS and OpenSSL are both top level APIs for crypto. NSS can call PKCS#11 easily. OpenSSL can call PKCS#11 via the engine_pkcs11. So either could be used if the original EEC and its key are on a smartcard and used to sign a proxy certificate. i.e. you never get the key off the card. The proxy certificate and key can be created by either, but both will store the proxy key in different formats. NSS wants to store in a database. The question is how to export/import the proxy certificate between applications that that use the other: NSS vs OpenSSL. As Alan pointed out pk12 may be the way to transfer the proxy cert and key between the two. But the security concerns still comes down to protecting the proxy key without requiring user intervention when using the proxy. I am not sure if NSS gives you any more security. On 11/10/2011 8:40 AM, Alon Bar-Lev wrote: > On Thu, Nov 10, 2011 at 4:06 PM, weizhong qiang<weizhongqi...@gmail.com> > wrote: >> As I mentioned that I need to use EEC credential to generate a proxy >> credential (process is the same as you use CA credential to generate a EEC >> credential). >> The the generation step, I need to use X509_sign (int X509_sign(X509 *x, >> EVP_PKEY *pkey, const EVP_MD *md)) which needs private key for signing a >> X509 certificate. >> That is the reason I need to take private key out. And no you don't need the key out, you need to be able to have the hash signed. You can use the engine code in the OpenSSL to sign. (The engine code was not available in 1998, and so a lot of PKCS#11 code was added to grid-proxy-init.) >> Could you tell me how to use pkcs11-helper lib to sign a certificate without >> taking the private key out? to use pkcs11h_certificate_sign? >> Thanks >> Weizhong Qiang >> >> >> > > No, you should use X509_sign(). > Why not use EVP_PKEY_assign_RSA(pk,rsa) and use pk? > Not sure but maybe X509_set_pubkey(x509,pk) will be needed. > _______________________________________________ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
