Based on openssl-engine-0.9.6c, we have developed a new engine which allows
openssl applications and Apache mod_ssl servers to use, through a PKCS#11
interface, the security functions provided by the Bull Trustway cc2000 cryptographic
card, taking advantage of key storage in secure memory and of the acceleration of
RSA and random functions.
RSA keys are introduced using the standard PKCS#11 C_GenerateKeyPair function.
To be able to use the openssl commands that generate and handle RSA
keys, the trustway engine introduces 4 additional entries in the RSA method:
    -  rsa_generate_key
    -  i2d_RSAPrivateKey
    -  d2i_RSAPrivateKey
    -  d2i_RSAPublicKey
Other RSA methods (rsa_pub_enc, rsa_pub_dec, rsa_priv_enc, rsa_pub_enc,
rsa_sign, rsa, rsa_verify) are available.
The Trustway (PKCS#11) engine identifier is "trustway".
The server certificate must be created using the trustway engine, so that
the corresponding RSA key pair is generated directly in the crypto
card. These keys are CKA_TOKEN (permanent). A modified version of the
openssl CA.sh script, "CA-trustway.sh", does that.
Temporary RSA keys are created by the application (e.g. mod_ssl) by
calling the trustway engine. Obviously, these keys are CKA_SESSION
(temporary). As they are session objects, they are destroyed when the
PKCS#11 session is closed, when the process terminates.
The functions which initialize and terminate the engine library take charge
of loading and unloading the PKCS#11 shared library. Ours is based on
"gpkcs11".
The PKCS#11 C_Initialize function is called just once.
For a given process, each RSA cryptographic operation carried out by the
engine uses the same PKCS#11 session.
Two patch files, openssl-engine-0.9.6c-tw.patch and
mod_ssl-2.8.8-1.3.24-tw.patch, are provided to be applied to openssl-engine
and mod_ssl. The new engine code is in the file "hw_trustway.c". Some
installation and configuration procedures are also provided in our release.
This development has been tested on a Linux machine with a cc2000 crypto
accelerator, which increases raw server throughput to 400 requests per
second.

Afchine
______________________________________
[EMAIL PROTECTED]
Bull Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway
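
The key-handling discipline described in the announcement above (CKA_TOKEN key pairs for the server certificate, session key pairs for temporary RSA keys, a single C_Initialize and a single PKCS#11 session shared by every RSA operation in the process), as an added example that is not part of the original post and not the code of the Bull trustway engine or of hw_trustway.c. It assumes a Cryptoki module reachable through a small function table (pkcs11_fns, an assumed name; for a real module it would be filled from dlsym() or the module's C_GetFunctionList). The Cryptoki types and constants are reproduced inline from the PKCS#11 v2 specification so the file builds without pkcs11.h, and fake_module is a constructed in-memory stand-in that only records calls, so the example runs offline. The attribute choices (CKA_SENSITIVE and non-extractable private key, CKA_PRIVATE on token keys, exponent 65537) are the example's own, not the engine's.

```c
#include <stdio.h>
#include <string.h>
/* Minimal subset of PKCS#11 v2.x types and constants (values from the Cryptoki spec). */
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL; typedef CK_RV (*CK_NOTIFY)(CK_SESSION_HANDLE, CK_ULONG, void *);
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
enum { CK_FALSE = 0, CK_TRUE = 1, CKR_OK = 0, CKR_GENERAL_ERROR = 0x5, CKF_RW_SESSION = 0x2,
       CKF_SERIAL_SESSION = 0x4, CKM_RSA_PKCS_KEY_PAIR_GEN = 0, CKA_TOKEN = 0x1, CKA_PRIVATE = 0x2,
       CKA_SENSITIVE = 0x103, CKA_SIGN = 0x108, CKA_VERIFY = 0x10a, CKA_MODULUS_BITS = 0x121,
       CKA_PUBLIC_EXPONENT = 0x122, CKA_EXTRACTABLE = 0x162, PUB_ATTRS = 4, PRIV_ATTRS = 5 };

/* C_GenerateKeyPair templates plus the storage their pValue pointers reference. */
typedef struct { CK_BBOOL on_token, yes, no; CK_ULONG bits; unsigned char e65537[3];
                 CK_ATTRIBUTE pub[PUB_ATTRS], priv[PRIV_ATTRS]; } rsa_keygen_tmpl;

/* permanent != 0: CKA_TOKEN pair that outlives the session (the server certificate's key);
 * permanent == 0: session object, gone when the session closes (a temporary RSA key).
 * Either way the private key is sensitive and non-extractable: it never leaves the card. */
void rsa_keygen_tmpl_init(rsa_keygen_tmpl *t, int permanent, CK_ULONG bits)
{
    memset(t, 0, sizeof *t);
    t->on_token = permanent ? CK_TRUE : CK_FALSE; t->yes = CK_TRUE; t->bits = bits;
    t->e65537[0] = 1; t->e65537[2] = 1;                              /* 0x010001, big-endian */
    CK_ATTRIBUTE pub[PUB_ATTRS] = { { CKA_TOKEN, &t->on_token, 1 }, { CKA_VERIFY, &t->yes, 1 },
        { CKA_MODULUS_BITS, &t->bits, sizeof t->bits }, { CKA_PUBLIC_EXPONENT, t->e65537, 3 } };
    CK_ATTRIBUTE priv[PRIV_ATTRS] = { { CKA_TOKEN, &t->on_token, 1 },
        { CKA_PRIVATE, &t->on_token, 1 },           /* a token key needs a C_Login to be used */
        { CKA_SENSITIVE, &t->yes, 1 }, { CKA_EXTRACTABLE, &t->no, 1 }, { CKA_SIGN, &t->yes, 1 } };
    memcpy(t->pub, pub, sizeof pub); memcpy(t->priv, priv, sizeof priv);
}

/* Read a CK_BBOOL attribute from a template: CK_TRUE/CK_FALSE, or -1 if absent. */
int tmpl_bool(const CK_ATTRIBUTE *a, CK_ULONG n, CK_ULONG type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (a[i].type == type && a[i].ulValueLen == 1) return *(const CK_BBOOL *)a[i].pValue;
    return -1;
}

/* Entry points the engine needs; for a real module fill this via dlsym()/C_GetFunctionList. */
typedef struct {
    CK_RV (*C_Initialize)(void *);
    CK_RV (*C_Finalize)(void *);
    CK_RV (*C_OpenSession)(CK_SLOT_ID, CK_ULONG, void *, CK_NOTIFY, CK_SESSION_HANDLE *);
    CK_RV (*C_CloseSession)(CK_SESSION_HANDLE);
    CK_RV (*C_GenerateKeyPair)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_ATTRIBUTE *, CK_ULONG,
                               CK_ATTRIBUTE *, CK_ULONG, CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *);
} pkcs11_fns;

/* Process-wide state: C_Initialize runs once and every RSA operation reuses one session. */
typedef struct { const pkcs11_fns *f; int ready; CK_SESSION_HANDLE sess; } engine_ctx;

CK_RV engine_init(engine_ctx *e, const pkcs11_fns *f, CK_SLOT_ID slot)
{
    if (e->ready) return CKR_OK;                                        /* second call: no-op */
    CK_RV rv = f->C_Initialize(NULL);
    if (rv != CKR_OK) return rv;
    rv = f->C_OpenSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &e->sess);
    if (rv != CKR_OK) { f->C_Finalize(NULL); return rv; }
    e->f = f; e->ready = 1; return CKR_OK;
}

/* Closing the session is what destroys the session-object (temporary) key pairs. */
void engine_finish(engine_ctx *e)
{ if (e->ready) { e->f->C_CloseSession(e->sess); e->f->C_Finalize(NULL); e->ready = 0; } }

CK_RV engine_rsa_generate(engine_ctx *e, int permanent, CK_ULONG bits, CK_OBJECT_HANDLE *pk, CK_OBJECT_HANDLE *sk)
{
    if (!e->ready) return CKR_GENERAL_ERROR;
    rsa_keygen_tmpl t; rsa_keygen_tmpl_init(&t, permanent, bits);
    CK_MECHANISM m = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
    return e->f->C_GenerateKeyPair(e->sess, &m, t.pub, PUB_ATTRS, t.priv, PRIV_ATTRS, pk, sk);
}

/* Constructed in-memory stand-in for a Cryptoki module (no crypto): records calls and the
 * CKA_TOKEN flag of the last key pair requested, so the file runs without a card. */
static struct { int inits, finals, open, pairs, last_token; } fake;
static CK_RV f_init(void *a) { (void)a; fake.inits++; return CKR_OK; }
static CK_RV f_fin(void *a) { (void)a; fake.finals++; return CKR_OK; }
static CK_RV f_close(CK_SESSION_HANDLE h) { (void)h; fake.open--; return CKR_OK; }
static CK_RV f_open(CK_SLOT_ID s, CK_ULONG fl, void *ap, CK_NOTIFY n, CK_SESSION_HANDLE *h)
{ (void)s; (void)fl; (void)ap; (void)n; if (!fake.inits) return CKR_GENERAL_ERROR; fake.open++; *h = 7; return CKR_OK; }
static CK_RV f_gen(CK_SESSION_HANDLE h, CK_MECHANISM *m, CK_ATTRIBUTE *pub, CK_ULONG np,
                   CK_ATTRIBUTE *priv, CK_ULONG npr, CK_OBJECT_HANDLE *pk, CK_OBJECT_HANDLE *sk)
{
    fake.last_token = tmpl_bool(priv, npr, CKA_TOKEN);
    if (h != 7 || m->mechanism != CKM_RSA_PKCS_KEY_PAIR_GEN || fake.last_token < 0 ||
        tmpl_bool(pub, np, CKA_TOKEN) != fake.last_token) return CKR_GENERAL_ERROR;
    *pk = 100 + 2 * fake.pairs; *sk = *pk + 1; fake.pairs++; return CKR_OK;
}
static const pkcs11_fns fake_module = { f_init, f_fin, f_open, f_close, f_gen };

/* Scenario: init twice (the second must not re-initialize), one permanent pair for the server
 * certificate, two ephemeral pairs, shut down. Returns 0 on success or the failing step. */
int demo_run(void)
{
    engine_ctx e = { 0, 0, 0 }; CK_OBJECT_HANDLE p, q;
    memset(&fake, 0, sizeof fake);
    if (engine_init(&e, &fake_module, 0) != CKR_OK) return 1;
    if (engine_init(&e, &fake_module, 0) != CKR_OK || fake.inits != 1) return 2;
    if (engine_rsa_generate(&e, 1, 2048, &p, &q) != CKR_OK || fake.last_token != CK_TRUE) return 3;
    if (engine_rsa_generate(&e, 0, 512, &p, &q) != CKR_OK || fake.last_token != CK_FALSE) return 4;
    if (engine_rsa_generate(&e, 0, 512, &p, &q) != CKR_OK || fake.open != 1 || p != 104) return 5;
    engine_finish(&e);
    if (fake.open != 0 || fake.finals != 1 || fake.pairs != 3) return 6;
    return engine_rsa_generate(&e, 0, 512, &p, &q) == CKR_OK ? 7 : 0;    /* refused after finish */
}

int main(void) { int r = demo_run(); printf(r ? "FAILED at step %d\n" : "ok (%d)\n", r); return r; }
```

With a real module, the only change is the pkcs11_fns table: point it at the library's entry points, and generating a CKA_TOKEN pair with CKA_PRIVATE set will additionally require a C_Login with the user PIN before the call, which the fake above does not enforce.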

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Attachment: mod_ssl-2.8.8-1.3.24-tw.patch
Description: Binary data

Attachment: openssl-engine-0.9.6c-tw.patch
Description: Binary data
