Hi Fred,

> "Frederic DONNAT" <[EMAIL PROTECTED]> wrote:
> Hi,
> First of all, thanks for your answer.    ;)
> A few questions about your PKCS#11 ENGINE.
> When you say that the stored private key can be loaded:
> - do you mean that one can get it from the store?
> - or do you mean that one can use it through the ENGINE method without having real
>   access to the private key?

Our PKCS#11 engine uses the right and secure way (that means the second one),
using the PKCS#11 API through the ENGINE method to access keys.

> I think the right way of using PKCS#11 is the second one (even if PKCS#11
> allows one to store, generate, ... private keys and get their attributes ...)

So, you're right, that's the good way!

> So, is your ENGINE able to insert a private key into the store and redirect
> all computation using this private key directly onto the store, providing full security for
> this private key? (without loading it from the store and retransmitting it to the store
> in the correct function, in a few words as the PKCS#11 standard specifies it!)

That's the case with our PKCS#11 engine.
Our engine allows OpenSSL applications and Apache mod_ssl servers, for example, to use,
through a PKCS#11 interface, the security functions provided by a cryptographic card.
RSA keys are inserted using the PKCS#11 C_GenerateKeyPair standard function.
To be able to use the OpenSSL commands that generate and handle RSA
keys, the PKCS#11 engine introduces 4 additional entries in the RSA method:
rsa_generate_key, i2d_RSAPrivateKey, d2i_RSAPrivateKey & d2i_RSAPublicKey.
Other RSA methods (rsa_pub_enc, rsa_pub_dec, rsa_priv_enc, rsa_pub_enc,
rsa_sign, rsa, rsa_verify) are available.
Temporary RSA keys are also created through the application (e.g. mod_ssl) by
calling the PKCS#11 engine.

> Is your ENGINE able to redirect this computation onto a smartcard using a PKCS#11
> interface, for example?
> Regards 
> Fred

This PKCS#11 engine is tested on the Bull Trustway CC2000 PKCS#11 crypto card,
taking advantage of key storage in secure memory and acceleration of RSA and random
functions on multiple OSes (Linux, W2K, NT). It also provides the ability to use remote calls
through RPC to use a Crypto Box with a PKCS#11 Trustway crypto card inside.

Cheers
Afchine

[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway
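The "second way" discussed above, as an added self-contained C model (not code from the Bull engine or from OpenSSL): the token generates the RSA key pair, hands the application only a handle, performs the private-key operation internally, and lets i2d-style serialisation emit a key reference rather than the exponent. The card_* function names and the toy RSA parameters are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a PKCS#11 token: the private exponent d lives only in
 * card_slot[] and is never returned to the caller. Toy RSA modulus (p=61, q=53). */
typedef struct { uint64_t n, e, d; } card_key_t;
static card_key_t card_slot[4];
static int card_used = 0;

static uint64_t modpow(uint64_t b, uint64_t ex, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; ex; ex >>= 1, b = b * b % m)
        if (ex & 1) r = r * b % m;
    return r;
}

/* Analogue of C_GenerateKeyPair: the pair is created on the card; only the
 * public part and an opaque handle come back. Returns -1 when no slot is free. */
int card_generate_keypair(uint64_t *pub_n, uint64_t *pub_e) {
    if (card_used >= 4) return -1;
    card_slot[card_used] = (card_key_t){ 3233, 17, 2753 };  /* constructed toy key */
    *pub_n = card_slot[card_used].n;
    *pub_e = card_slot[card_used].e;
    return card_used++;
}

/* Analogue of the engine's rsa_priv_enc / rsa_sign entry: the application
 * supplies the handle and the digest; the card computes m^d mod n itself. */
int card_private_op(int handle, uint64_t in, uint64_t *out) {
    if (handle < 0 || handle >= card_used || in >= card_slot[handle].n) return -1;
    *out = modpow(in, card_slot[handle].d, card_slot[handle].n);
    return 0;
}

/* Analogue of an i2d_RSAPrivateKey override: what the application can
 * "serialise" as its private key is a reference to the token object, not d. */
int engine_i2d_private_ref(int handle, char *buf, size_t len) {
    if (handle < 0 || handle >= card_used) return -1;
    return snprintf(buf, len, "pkcs11:handle=%d", handle);
}

/* Verification needs only the public key, so it can stay in software. */
int app_verify(uint64_t sig, uint64_t msg, uint64_t n, uint64_t e) {
    return modpow(sig, e, n) == msg;
}
```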




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
