Hi Douglas,

Thanks for this - I will start looking through this shortly. Can I ask if you've
given thought to licensing issues - can this code be released in OpenSSL under
the OpenSSL licensing (with no additional restrictions)? If not, I suspect we'd
have to work out a way to late-bind everything so code covered by other licenses
can stay unbundled.

Regards,
Geoff

On Mon, 9 Jul 2001, Douglas E. Engert wrote:

> As part of the Globus project, we added support for PKCS#11 to OpenSSL. We have used
> the Windows DLLs provided with the IButton, GemPlus, and Schlumberger. We also
> tested the Lintronic SDK on Solaris. Should work with the IButton on unix as well.
> 
> The GSI implements a GSSAPI on top of SSL. Certificates and
> keys can be stored on the smartcard, and modified versions of
> RSA_eay_private_* can use the PKCS#11 C_Sign to have the smartcard do the
> RSA operations on the card. These are contained in the routine scutils.c.
> The PKCS#11 session and object handles are stored in the RSA ex_data fields,
> and the object methods point to these modified routines.
> So there are no real changes to OpenSSL.
> 
> The GSI can be obtained from ftp://ftp.globus.org/pub/gsi/gsi-041701.tar.gz
> More information can be obtained from http://www.globus.org/security
> 
> Drop me a note if this is helpful. 
> 
> 
> "Steven A. Bade" wrote:
> > 
> > I believe recently 2 individuals posted something about having
> > implemented PKCS#11 support for some level of tokens.  The one I can
> > remember was from Eracom....
> > On Thu, Jun 28, 2001 at 09:33:44AM -0700, Geoff Thorpe wrote:
> > > Hi there,
> > >
> > > On Thu, 28 Jun 2001, Rainer Kaufmann wrote:
> > >
> > > > I can't believe it... nobody did use (patch) OpenSSL with client certificates
> > > > on smart cards ?
> > >
> > > There has been more than one person I've communicated with who was in the midst
> > > of adding an ENGINE to support pkcs11 tokens. If you scan the archives (see
> > > www.openssl.org for a link) you may be able to track down the last couple of
> > > discussions on this subject to catch up on things. There is support for a
> > > variety of cryptographic hardware, including hardware that can support key
> > > management - however none of them use a pkcs11 interface. Apart from pkcs11
> > > being a PITA standard to operate with, it is also faster in the existing cases
> > > to go directly to the hardware's preferred API than to try and go via something
> > > like pkcs11.
> > >
> > > However, having openssl support arbitrary pkcs11 devices (well as arbitrary as
> > > any pkcs11 support can be given the plethora of broken or fudged
> > > implementations) would be a very handy addition. I'm happy to help where
> > > possible with this (ie. anything openssl-side), but have neither the physical
> > > hardware nor time to get involved in testing pkcs11 support.
> > >
> > > Regards,
> > > Geoff
> > >
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > Development Mailing List                       [EMAIL PROTECTED]
> > > Automated List Manager                           [EMAIL PROTECTED]
> > 
> > --
> > Steven A. Bade
> > AIX E-Commerce/Network Security Cryptographic Strategy and Development Architecture
> > [EMAIL PROTECTED]
> > T/L 678-4799
> > (512)-838-4799
> > 
> > --
> > To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
> > 
> > "Two-way communication is necessary to proactively facilitate acceptance
> > and involvement and to get insights about the journey it takes to get where
> > we want"
> > 
> 
> 

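The layout Douglas describes above (PKCS#11 session and object handles kept in the key's ex_data, the RSA private callback replaced by one that calls C_Sign, nothing else in the library touched) as an added example. This is not Globus GSI or OpenSSL code: the token, its handles, the demo key and the message are constructed here, and the "OpenSSL side" is a small Python model of RSA{n, e, method, ex_data} rather than the real structs. The RSA arithmetic and the PKCS#1 v1.5 / DigestInfo encoding are real, so the software public-key verification at the end checks that the token produced a genuine signature. The key is built from two Mersenne primes so the example runs offline; such a key is public knowledge and only suitable for a demo.

```python
"""Delegating an OpenSSL-style RSA private operation to a PKCS#11 token.
Added example: FakeToken, the handles, the demo key and the data are constructed."""
import hashlib

# ---- constructed "token": stands in for a PKCS#11 shared library ----------
CKR_OK, CKR_SESSION_HANDLE_INVALID, CKR_KEY_HANDLE_INVALID = 0x00, 0xB3, 0x60
CKM_RSA_PKCS = 0x01

# Demo key from two Mersenne primes: ~1128-bit modulus, but PUBLIC, never reuse.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
MOD_LEN = (_N.bit_length() + 7) // 8          # 141 bytes

def _pkcs1_type1_pad(data: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || data, as an integer."""
    if len(data) > k - 11:
        raise ValueError("data too long for modulus")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data, "big")

class FakeToken:
    """Holds the private exponent; the caller only ever sees handles."""
    def __init__(self):
        self._sessions = {}                  # session handle -> (mechanism, key handle)
        self._keys = {0x1001: (_N, _D)}      # object handle -> private key

    def C_OpenSession(self) -> int:
        h = 0x2000 + len(self._sessions)
        self._sessions[h] = None
        return h

    def C_SignInit(self, session: int, mechanism: int, key_handle: int) -> int:
        if session not in self._sessions:
            return CKR_SESSION_HANDLE_INVALID
        if key_handle not in self._keys or mechanism != CKM_RSA_PKCS:
            return CKR_KEY_HANDLE_INVALID
        self._sessions[session] = (mechanism, key_handle)
        return CKR_OK

    def C_Sign(self, session: int, data: bytes):
        """CKM_RSA_PKCS: pad the caller's DigestInfo, then RSA with d on the token."""
        state = self._sessions.get(session)
        if state is None:
            return CKR_SESSION_HANDLE_INVALID, b""
        n, d = self._keys[state[1]]
        return CKR_OK, pow(_pkcs1_type1_pad(data, MOD_LEN), d, n).to_bytes(MOD_LEN, "big")

# ---- "OpenSSL side": key with ex_data and a swappable private method ------
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

class RsaKey:
    """Models RSA{n, e, method, ex_data}; public half only, d stays on the token."""
    def __init__(self, n: int, e: int, method):
        self.n, self.e, self.method = n, e, method
        self.ex_data = {}                    # RSA_set_ex_data() equivalent

def pkcs11_priv_enc(data: bytes, key: RsaKey) -> bytes:
    """Replacement for RSA_eay_private_encrypt: C_Sign instead of pow(m, d, n)."""
    token, session, obj = key.ex_data["token"], key.ex_data["session"], key.ex_data["object"]
    rv = token.C_SignInit(session, CKM_RSA_PKCS, obj)
    if rv != CKR_OK:
        raise RuntimeError(f"C_SignInit failed: CKR 0x{rv:02X}")
    rv, sig = token.C_Sign(session, data)
    if rv != CKR_OK:
        raise RuntimeError(f"C_Sign failed: CKR 0x{rv:02X}")
    k = (key.n.bit_length() + 7) // 8       # do not trust a module's output length blindly
    if len(sig) != k:
        raise RuntimeError(f"token returned {len(sig)} bytes, expected {k}")
    return sig

def rsa_sign_sha256(msg: bytes, key: RsaKey) -> bytes:
    """Like RSA_sign(NID_sha256, ...): build DigestInfo, hand it to the key's method."""
    return key.method(SHA256_DIGESTINFO + hashlib.sha256(msg).digest(), key)

def rsa_verify_sha256(msg: bytes, sig: bytes, key: RsaKey) -> bool:
    """Pure-software public operation, so a good result proves the token's output."""
    k = (key.n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), key.e, key.n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def make_token_backed_key() -> RsaKey:
    """Wire a key object to the token through handles only (constructed handles)."""
    token = FakeToken()
    key = RsaKey(_N, _E, pkcs11_priv_enc)
    key.ex_data.update(token=token, session=token.C_OpenSession(), object=0x1001)
    return key

if __name__ == "__main__":
    key = make_token_backed_key()
    sig = rsa_sign_sha256(b"client hello transcript", key)
    print("signature valid:", rsa_verify_sha256(b"client hello transcript", sig, key))
```

The split is the point: `rsa_sign_sha256` and `RsaKey` never see `_D`; only the token does. Swapping `pkcs11_priv_enc` for a software method that computes `pow(m, d, n)` itself would change nothing else, which is what lets such a patch leave the rest of the library alone. The length check and the CKR return-code checks are the caveat Geoff raises about uneven PKCS#11 implementations: a module that returns a short or unpadded signature must fail loudly here rather than produce a handshake that fails later with no useful error.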