Hi Gilad,
You have to make some little changes in mod_ssl (like defining SSL_EXPERIMENTAL_ENGINE, generating temp keys, how to init & terminate the engine). In the attached you can find my patch to mod_ssl.
Once you have initialized the engine in your application, your RSA_method calls are redirected to the engine instead of the software crypto.
In the case of the actual pkcs#11 engine, RSA, random & load_key are called through the engine, but EVP calls (cipher & digest), and DH & DSA aren't yet implemented.
I am working to complete that and also to map the new store_key (0.9.8) to my RSA generate added in the RSA_method.
So we can have a more generic and complete pkcs#11 engine when I have finished this work!
Regards,
Afchine
______________________________________
[EMAIL PROTECTED]
Bull TrustWay R&D
http://www.trustway.bull.com

----- Original Message -----
From: "Gilad Finkelstein" <[EMAIL PROTECTED]>
To: "'Afchine Madjlessi'" <[EMAIL PROTECTED]>
Sent: Wednesday, June 18, 2003 7:33 PM
Subject: RE: pkcs#11 engine for openssl

> Hi Afchine,
> I probably do not understand fully the concept of the engine module in openssl; maybe you can help.
>
> My understanding is that you must call certain ENGINE_ API so that from that point on every regular call to a libeay32 function that involves crypto and is supported by the engine will be directed to the engine.
> The SSLeay32 lib does not know about engines at all (and for that matter any other library that is based on libeay32 or ssleay32).
>
> I read you tested the patch with mod_ssl which is based on openssl.
> My hope is you did not have to change any code in the mod_ssl to make it work with the pkcs#11 engine; in that case how did you manage to "tell" mod_ssl -> ssleay32 -> libeay32 to use the pkcs#11 engine?
> Is there some parameter you can use via mod_ssl or ssleay32 that sets specific engine usage on?
>
> If you did change the mod_ssl can you please tell me what functions you need to use to invoke the Engine and where.
>
> My idea (if that is not supported already) is to allow automatic initialization of the libeay32 library with a specific engine when a certain environment variable is on (USE_OPENSSL_ENGINES) with the value of the engine id name.
> This way all relying libraries will be able to use the engine transparently without the need of calling the initialization logic of a certain engine.
> What do you think?
>
>
> Gilad
>
>
> -----Original Message-----
> From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 16, 2003 11:18 AM
> To: Gilad Finkelstein
> Cc: [EMAIL PROTECTED]; René Martin
> Subject: Re: pkcs#11 engine for openssl
>
>
> Hi Gilad,
> Thanks for your advice.
> I don't use C_Login in the, because the session is always public, and if it's called, the C_Login returns always CKR_OK (case of crypto hardware).
> In case of smartcards, you're right, it is mandatory to add a C_Login to take into the user session.
> So, I agree with you to add the C_Login to the open session function.
> I think that each evolution and ability added to the pkcs#11 engine, like creating certificate on the hardware, is welcome.
>
> Regards
> Afchine
> ______________________________________
> [EMAIL PROTECTED]
> Bull TrustWay R&D
> http://www.trustway.bull.com
>
> ----- Original Message -----
> From: "Gilad Finkelstein" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 16, 2003 11:20 AM
> Subject: FW: pkcs#11 engine for openssl newbie question
>
>
> > Hi,
> > My apologies for the first item (pack requirements).
> > I have checked the code and found your remark on setting the CK_Win32 to enable pack of 1 on windows platforms.
> >
> > I had to add a C_Login in your open session function to enable access to the private keys for sign and generate operations. (And I think you would agree this should be the generic case of pkcs#11 implementation)
> >
> > I would also like to add the ability to create the certificate on the hardware token and not as a file.
> >
> >
> > Thanks for your help
> >
> > Gilad
> >
> >
> > -----Original Message-----
> > From: Gilad Finkelstein
> > Sent: Sunday, June 15, 2003 11:48 AM
> > To: 'Afchine Madjlessi'
> > Subject: RE: pkcs#11 engine for openssl newbie question
> >
> >
> > Hi,
> > I have progressed a lot and can inform you of the following information I found.
> > 1. Your code assumes pkcs11 function structure list pack of 4, my cryptoLibrary uses pack 1 (and so is RSA one). I think it would be safer to use pack 1 when compiling on win32 platform (using the #pragma pack).
> > 2. I do not understand how your code successfully generates a key pair without C_Login first.
> > It seems not to use the pkcs#11 standard of C_Login whenever a private key operation is required.
> > I added in my code a pkcs#11_login for cases like this and now I am able to generate keys on my hardware.
> >
> > If I find more things I will let you know.
> > Gilad
> >
> >
> > -----Original Message-----
> > From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, June 11, 2003 4:18 PM
> > To: Gilad Finkelstein
> > Subject: Re: pkcs#11 engine for openssl newbie question
> >
> >
> > By default the pkcs#11 engine looks for the bull hardware crypto.
> > For your purpose you have to undef BULL_CC2000 in the hw_pkcs11.c (in crypto/engine directory) and recompile.
> > Then your pkcs#11 api library must be called libpkcs11.so on linux or pkcs11.dll on win32.
> > Good luck
> > Afchine
> >
> >
> > ----- Original Message -----
> > From: "Gilad Finkelstein" <[EMAIL PROTECTED]>
> > To: "'Afchine Madjlessi'" <[EMAIL PROTECTED]>
> > Sent: Wednesday, June 11, 2003 4:57 PM
> > Subject: RE: pkcs#11 engine for openssl newbie question
> >
> >
> > > Thanks for your reply,
> > > I tried the script and got signal 11 on every attempt.
> > > Is the engine looking for a certain pkcs#11 library name (e.g. pkcs11.so || pkcs11.dll)?
> > > I use cygwin on windows2000 with a xxxx.dll for pkcs#11 interface to my smart card.
> > >
> > > Gilad
> > >
> > > -----Original Message-----
> > > From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, June 11, 2003 3:37 PM
> > > To: Gilad Finkelstein
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: pkcs#11 engine for openssl newbie question
> > >
> > >
> > > Hi,
> > > I used the joined shell to generate key pair on my crypto hardware, a CSR, and make a self-signed certificate.
> > > Regards
> > > Afchine Madjlessi
> > >
> > > ----- Original Message -----
> > > From: "Gilad Finkelstein" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, June 11, 2003 4:21 PM
> > > Subject: pkcs#11 engine for openssl newbie question
> > >
> > >
> > > > Hi,
> > > > I address you as a last resort since I can not find any answers in openssl groups/web on how to use engines in general and pkcs#11 interface in particular.
> > > > Can you please direct me to a decent place where I can see how to use your generic pkcs#11 openssl engine.
> > > > Can a simple test be run via openssl util? How? Any other test that for example generates RSA key on my smart card?
> > > > I was able to compile openssl 0.97 with your patch but I am not sure what should I do next (I compiled both on Linux and on Windows using cygwin).
> > > > If I am able to use openssl over my hardware PKCS#11 token I intend to write a FAQ on how to achieve that (if that was not written already somewhere).
> > > >
> > > > Thanks
> > > > Gilad Finkelstein
> > > >
tw-mod_ssl-2.8.14-1.3.27.patch
Description: Binary data
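The CK_FUNCTION_LIST packing mismatch Gilad reports in the thread (engine assuming pack 4, PKCS#11 library built with pack 1, every attempt ending in signal 11) can be reproduced without any token or engine. This is an added example, not code from the thread or from the engine patch; the types are simplified stand-ins for the cryptoki headers, and the "natural" layout stands for the engine's default alignment (which is what pack 4 gives on 32-bit Win32).

```c
/* Added example (not from the thread or the engine source): why a
 * CK_FUNCTION_LIST packing mismatch between a PKCS#11 library and the
 * engine consuming it ends in a crash. Types are simplified stand-ins. */

#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char CK_BYTE;
typedef unsigned long CK_RV;
typedef CK_RV (*CK_C_Initialize)(void *pInitArgs);
typedef CK_RV (*CK_C_Finalize)(void *pReserved);
typedef struct { CK_BYTE major; CK_BYTE minor; } CK_VERSION;

#define FUNCTION_LIST_MEMBERS \
    CK_VERSION version; CK_C_Initialize C_Initialize; CK_C_Finalize C_Finalize;

#pragma pack(push, 1)   /* Win32 PKCS#11 convention: the library packs to 1 */
typedef struct { FUNCTION_LIST_MEMBERS } CK_FUNCTION_LIST_PACKED;
#pragma pack(pop)

typedef struct { FUNCTION_LIST_MEMBERS } CK_FUNCTION_LIST_NATURAL; /* engine's default alignment */

static CK_RV dummy_initialize(void *args) { (void)args; return 0; }
static CK_RV dummy_finalize(void *reserved) { (void)reserved; return 0; }

size_t packed_offset(void)  { return offsetof(CK_FUNCTION_LIST_PACKED, C_Initialize); }
size_t natural_offset(void) { return offsetof(CK_FUNCTION_LIST_NATURAL, C_Initialize); }

/* Simulate the mismatch: the library fills a packed list, the engine reads it
 * through the naturally aligned declaration. Returns 1 if the engine would see
 * the real C_Initialize pointer, 0 if it picks up garbage it would then call. */
int engine_sees_correct_pointer(void)
{
    CK_FUNCTION_LIST_PACKED from_library = { {2, 11}, dummy_initialize, dummy_finalize };
    CK_FUNCTION_LIST_NATURAL as_engine_reads;
    memset(&as_engine_reads, 0, sizeof as_engine_reads);
    memcpy(&as_engine_reads, &from_library, sizeof from_library);
    return as_engine_reads.C_Initialize == dummy_initialize;
}

int main(void)
{
    printf("C_Initialize offset: packed=%zu natural=%zu\n", packed_offset(), natural_offset());
    printf("engine reads the right pointer across the mismatch: %d\n", engine_sees_correct_pointer());
    return 0;
}
```

The fix the thread converges on is to compile the engine's copy of the PKCS#11 structures with the same packing the library uses (pack 1 on Win32), so both sides agree on where each function pointer sits.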