On Mon, Apr 23, 2001 at 11:40:14AM -0700, Geoff Thorpe wrote:
>
> Um, could you be more specific, because in various ways and forms this already
> *does* exist and is being used by a number of people. In fact, this doesn't even
> have much to do with the ENGINE API (although the engine code provides some
> extra specifics) ... the RSA, DSA, and DH code all directly support the ability
> to provide alternative "methods" with external implementations of these
> algorithms - and they do so in such a way that allows the keys to be opaque. That
> is, if the "method" can work with private keys inside HSMs rather than in
> memory, then OpenSSL doesn't mind.

Aha.. That's something I have not been able to figure out a clean way... Can
you give me a pointer in the right general direction? I realize that it does
not have much to do with the engine code specifically, but it is a logical area
where the hooks might be added to generalize it.

I've been asked several times to figure out how to hook a PKCS#11 token
(regardless of one's personal feelings about PKCS#11) into OpenSSL. Hooking
the "mechanisms" into the very nice engine architecture is pretty
straightforward. The problem comes in when having to represent the keys as PKCS#11
objects. But it sounds like this may be possible as well...

>
> ENGINE just provides a way to group these alternative implementations into
> logical units (eg. representing a hardware device that performs one or more of
> those algorithms) and provide some reliable form of reference management (eg.
> knowing if the ENGINE can safely unload handles, drivers, etc - something not
> possible just with RSA_METHODs and friends).
>
> Regards,
> Geoff
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
Steven A. Bade
AIX E-Commerce/Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799
--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"
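
Added example, not from either poster and not OpenSSL code: a self-contained C model of the arrangement described in the quoted reply, where a per-key method table lets the private operation run inside a token while the caller's key object carries only a handle. All `model_*` and `token_*` names are hypothetical, the token is simulated in-process, and the RSA numbers are constructed textbook-sized values.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply modular exponentiation (toy sizes only). */
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t n) {
    uint64_t r = 1;
    for (b %= n; e; e >>= 1, b = b * b % n)
        if (e & 1) r = r * b % n;
    return r;
}

/* Simulated token: the only place the private exponent exists. */
static const uint64_t token_priv[] = { 2753 };  /* constructed: d for n=3233, e=17 */
static const uint64_t token_mod[]  = { 3233 };
static uint64_t token_sign(unsigned handle, uint64_t m) {
    return modpow(m, token_priv[handle], token_mod[handle]);
}

/* Library side: a key object plus a pluggable method table (hypothetical model). */
struct model_key;
struct model_method {
    const char *name;
    uint64_t (*priv_op)(const struct model_key *k, uint64_t m);
};
struct model_key {
    uint64_t n, e;      /* public half, held in memory */
    uint64_t d;         /* private exponent; 0 when the key is opaque */
    unsigned handle;    /* token object handle, meaningful to the method only */
    const struct model_method *meth;
};

static uint64_t sw_priv(const struct model_key *k, uint64_t m)  { return modpow(m, k->d, k->n); }
static uint64_t hsm_priv(const struct model_key *k, uint64_t m) { return token_sign(k->handle, m); }
static const struct model_method sw_method  = { "software", sw_priv };
static const struct model_method hsm_method = { "token", hsm_priv };

/* Callers use these entry points and never inspect how the key is stored. */
uint64_t model_sign(const struct model_key *k, uint64_t m) { return k->meth->priv_op(k, m); }
int model_verify(const struct model_key *k, uint64_t m, uint64_t s) { return modpow(s, k->e, k->n) == m; }

struct model_key make_opaque_key(void) { struct model_key k = {3233, 17, 0, 0, &hsm_method}; return k; }
struct model_key make_memory_key(void) { struct model_key k = {3233, 17, 2753, 0, &sw_method}; return k; }

int main(void) {
    struct model_key a = make_opaque_key(), b = make_memory_key();
    uint64_t sa = model_sign(&a, 65), sb = model_sign(&b, 65);  /* 65: constructed message */
    printf("%s=%llu %s=%llu verify=%d\n", a.meth->name, (unsigned long long)sa,
           b.meth->name, (unsigned long long)sb, model_verify(&a, 65, sa));
    return 0;
}
```
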