Hi developers,

I reworked some of our (AdNovum's) previously posted OpenSSL PKCS#11 code.

Code robustness has been enhanced and the code is (so I hope) clearer, and better layered (into a core PKCS#11 part and a PKCS#11 token object finding (keys, certs) part).

The object finding logic has been enhanced to allow 'denormalized(?)' keys and certificates to be found and loaded (e.g. private keys missing modulus attribute, or certificates missing the (rsa) key type...).

The token object specification format has been widened. It is now more powerful and more intuitive, using name/value pairs, e.g.:

"pkcs11:library=cryptoki&tokenlabel=eric&objectlabel=two&dologin=true"

The object specification format is now open to allow the notation of such things as: 'should a sign/verify request be handled by the token or by openssl?' (non-extractable/sensitive keys vs. speed issues...). However, that has not been implemented yet; sensitive operations such as signatures are generally done by the token, verifies are done by OpenSSL (which is faster, in most cases).

Some open issues are:
- Thread safeness issues are not exhaustively done.
- There are still some (minor) TODOs scattered in the code.
- It needs, of course, more test cases, with more use patterns.

Best regards,
Eric

--
Eric Laroche <[EMAIL PROTECTED]>, AdNovum Informatik AG

pkcs11-adnovum-20011212.tar.gz
Description: GNU Zip compressed data
