"Richard Levitte via RT" <[EMAIL PROTECTED]> writes: > > I've just started looking at this, and I've got a couple of > questions: > > 1. could this engine be considered a general PKCS#11 engine, or are > there specific ties to Trustway. I'd prefer to see a general > PKCS#11 engine. >
This engine is a general PKCS#11 engine. I tested it first with the PKCS#11 library developped by Lutz Behnke (libgpkcs11.so) and its software token (libceay_tok.so). It is possible to make a general PKCS#11 engine and just put specific ties, if any, for multiple hardwares. In Trustway case, the only specific tie is the name of PKCS#11 library to load and some controls added when loading it. Our code depends on gpkcs11 include files (cryptoki.h, pkcs11.h, ...); it is possible to add them to our patch. > 2. Those extra functions in the RSA method, are they really needed? > I understand that they provide a lot of automagic things, but then > it should be added in the ENGINE framework as something that would > be potentially available for any hardware (that supports that extra > functionality). Also, when it comes to loading keys, the current > modus operandi is to explicitely use the ENGINE key loading > functions rather than having some implicit functionality going on. > The reason is that we'd prefer not to surprise the users too much. > The Bull Trustway CC2000 isn't only a cryptographic accelerator card, it is a high level security hardware providing key generation and storage in secure memory. That's why we can't use ENGINE key loading functions. Yes those extra functions are really needed when using this kind of hardware. afchine ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
