"Steven A. Bade" wrote:
> 
> I believe recently 2 individuals posted something about having
> implemented PKCS#11 support for some level of tokens. 

We have had PKCS#11 support with SSLeay and OpenSSL since 1998,
as part of the Globus Project(tm) http://www.globus.org

The RSA structure was extended using the ex_data to contain the
PKCS#11 handles for the session and private key. 
The RSA method is then replaced with a method with rsa_priv_enc 
and rsa_priv_dec pointing at modified versions which 
use PKCS#11 calls, so the key never comes off the card.  
There are other routines which load a cert from the card. 

See ftp://ftp.globus.org/pub/gsi/gsi-041701.tar.gz for a version
which works with OpenSSL-0.9.6. 

We have used I-Buttons, Schlumberger and GemPlus cards under Windows
and had a version working on Solaris at one time. 

Hope this helps.


> The one I can
> remember was from Eracom....
> On Thu, Jun 28, 2001 at 09:33:44AM -0700, Geoff Thorpe wrote:
> > Hi there,
> >
> > On Thu, 28 Jun 2001, Rainer Kaufmann wrote:
> >
> > > I can't believe it... nobody did use (patch) OpenSSL with client certificates
> > > on smart cards ?
> >
> > There has been more than one person I've communicated with who was in the midst
> > of adding an ENGINE to support pkcs11 tokens. If you scan the archives (see
> > www.openssl.org for a link) you may be able to track down the last couple of
> > discussions on this subject to catch up on things. There is support for a
> > variety of cryptographic hardware, including hardware that can support key
> > management - however none of them use a pkcs11 interface. Apart from pkcs11
> > being a PITA standard to operate with, it is also faster in the existing cases
> > to go directly to the hardware's preferred API than to try and go via something
> > like pkcs11.
> >
> > However, having openssl support arbitrary pkcs11 devices (well as arbitrary as
> > any pkcs11 support can be given the plethora of broken or fudged
> > implementations) would be a very handy addition. I'm happy to help where
> > possible with this (ie. anything openssl-side), but have neither the physical
> > hardware nor time to get involved in testing pkcs11 support.
> >
> > Regards,
> > Geoff
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > Development Mailing List                       [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> 
> --
> Steven A. Bade
> AIX E-Commerce/Network Security Cryptographic Strategy and Development Architecture
> [EMAIL PROTECTED]
> T/L 678-4799
> (512)-838-4799
> 
> --
> To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
> 
> "Two-way communication is necessary to proactively facilitate acceptance
> and involvement and to get insights about the journey it takes to get where
> we want"
> 

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444