There are some things that are "quite hard" problems doing it the other way round. FIPS certification with the OpenSSL engine plugin active is probably the worst. With PKCS#11 on top of OpenSSL you have an "industry standard" API, which most hardware cards support. So you could swap a FIPS certified hardware card with a FIPS certified PKCS#11 on top of OpenSSL. Using OpenSSL with the engine code underneath doesn't make much sense in this context.
Note that IBM does have an open source PKCS#11 which sits on top of OpenSSL, search for opencryptoki. That doesn't solve the FIPS problem though due to some details of it's design. There are downsides in PKCS#11, various vendors have interpreted the standard in their own unique manner - so even though it's "standardized", you still need some implementation specific code to function across vendor implementations. It also has more (a lot more) setup overhead than OpenSSL and although the user API isn't bad to implement, the provider side is painful. I can guarantee it's feasible, but it is a lot of work. Peter From: "Victor B. Wagner" <[EMAIL PROTECTED]> To: openssl-dev@openssl.org Date: 19/11/2007 20:27 Subject: PKCS#11 wrapper around OpenSSL I was asked by one user if we are planning to provide PKCS#11 module, based on OpenSSL (it was in the context of adding GOST algorithms support to the Mozilla-based software). I doubt is this solution is technically feasable. As far as I know, most people do it other way around - write interfaces which allow to USE PKCS#11 modules from within OpenSSL. I've seen at least two engines which interface external PKCS#11 modules, and both are incomplete, so if there is a PKCS#11 module which implements new public key algorithm, they wouldn't allow to use it. But question is - is it a good idea to write PKCS#11 module which uses OpenSSL (with all its engine support) for cryptography and supports everything OpenSSL supports. I haven't studied PKCS#11 specification in great detail - it is very huge. From the first glance it looks like just a big enough coding effort - OpenSSL contains all neccessary cryptography routines and ASN.1 support to provide PKCS#11 interface. May be someone on this list hav dug a bit deeper in the PKCS#11 specification and can give more arguments pro or contra? ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]