Dr S N Henson wrote:
>
> Eric Laroche wrote:
>>
>> Yes, I am aware of the OpenSSL engine interface. Our code applies
>> quite similar mechanisms of feeding 'configuration' information (name/
>> value pairs) from application code. However, the engine command
>> definitions affect the whole engine setting, whereas our configuration
>> affects an abstraction called (key) 'object specification'. Each key
>> or certificate may have quite different settings concerning where to
>> accomplish encryption and which password callbacks to be applied, etc.
>>
>> The PKCS#11 object specification / configuration seems to me to be a
>> different concept compared to the engine configuration. However, the
>> PKCS#11 interface may be seen as a 'PKCS#11' engine.
>>
>
> How could crypto acceleration or querying capabilities be handled in
> this model?

Querying capabilities (PKCS#11 calls them 'mechanisms') is already
implemented in the code's lower level routines. However, since, at the
moment, only asymmetric cipher access is implemented, a protocol for
asking for all capabilities and setting methods accordingly wasn't yet so
much an issue. The information about the capabilities could be deployed
at method resolution time, where hooks into PKCS#11 acceleration callers
could be set up. There probably needs to be a notation/configuration for
which hardware crypto mechanisms to use and which not, since e.g.
symmetric en/decryption of small blocks tends to be faster on the CPU
than on crypto hardware, due to the I/O overhead.

> I was thinking that a possible way to handle this is to map a specific
> PKCS#11 library+token to an ENGINE. This would behave a bit like the
> dynamic ENGINE in that the PKCS#11 ENGINE would be called with a set of
> init commands which would then produce a second ENGINE which would refer
> to the actual PKCS#11 implementation.

This sounds like a reasonable approach to a part of the desired OpenSSL
PKCS#11-ENGINE integration. The dynamic engine method resolution may need
to be extended or complemented to allow method dispatching on a per-key
basis. This has, in our code, been done outside the actual engine code,
but the (dynamic) engine code might be a more suitable place for that.

Regards,
Eric

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]