On Mar 7, 2012, at 2:12 PM, Sunjeet Singh wrote:

> Thank you for your response. 
> 
>> I don't know if "outdated" is the word: perhaps there hasn't ever been much. 
> 
> Some old blogs are referencing helpful blogs/tutorials that are now expired. 
> Searching online didn't help either.
> 
>> The CHIL Engine *only* registers for RSA exponentiation, and cannot be used 
>> to generate keys.  You generate HSM protected keys of 'embed' application 
>> type using the Thales/nCipher 'generatekey' utility (invoke with --help to 
>> see what options are available), and use the embedsavefile as key for your 
>> openssl program with the CHIL engine registered.
> 
> Pardon me. Indeed, I have been using the 'embed' application type for 
> generating RSA keys using nCipher 'generatekey' utility. 
> 
> After grappling a little more with this, I have come down to three specific 
> questions-
> 
> 1. When you say 'embedsavefile' are you talking about the key blob that gets 
> saved in the Key Management folder of nCipher as-it-is, or do I need to apply 
> some padding/formatting to it first?

When you create an 'embed' type key (not 'hwcrhk', but 'embed'), the 
generatekey utility will save three files in addition to the key blob.  They 
are named after the information you passed when generatekey asked for the 
'embedsavefile': for instance if you passed 'fookey' as response, you will have 

fookey
fookey_certreq
fookey_selfcert

The first one looks a lot like a private key, but it is a dummy key.  This is 
the key file you pass to the OpenSSL library.  It looks so much like a private 
key, that the library will just use it.  However, when you use it with the CHIL 
engine registered, and the Hardware Crypto Hook library loaded, the Hardware 
Crypto Hook library will find embedded (hence 'embed') in the private exponent 
value for that dummy key a pointer to the real key, protected by the nCipher 
Security World and saved under the Key Management Data folder. 

If you care to run that fookey file through openssl: 

openssl rsa -in fookey -noout -text

you will see that it is bogus: several values are identical that would differ 
for a real key.  As bonus exercise, decode the private exponent as straight 
ASCII: you will see the pointer to the real key appear.  

This is for embed type keys: I have never had the opportunity to figure out how 
this would work for hwcrhk type keys.

WARNING: if you try to use that dummy private key without the CHIL engine 
registered, the OpenSSL library will happily use the bogus key value for 
private key operations.  You are almost guaranteed to get garbage results if 
this happens.  

> 2. My private key is ultimately protected by a smart-card pass-phrase. At 
> which step is the pass phrase supplied and how by an application that is 
> making use of the OpenSSL (CHIL) engine API?

OpenSSL, CHIL and the Hardware Crypto Hook library lack the capability to 
prompt for smart cards and passphrases.  You need to start your OpenSSL program 
out of the nCipher preload utility.  Run preload --help to find out which 
options are available.  

> 3. If I want to use CryptoAPI instead of CHIL, what changes? I gather that 
> one immediate change would be that the private key will have to be imported 
> onto the HSM (assuming that nCipher generatekey can not generate CryptoAPI 
> keys). Other than that, CAPI engine for OpenSSL will have to be used. Any 
> other major changes that come to mind? 


I am wholly unfamiliar with the MS-CAPI engine.  However, if you can use it and 
can set the CSP to "nCipher Enhanced Cryptographic Provider", you should be 
able to use hardware protected container keys.  The nCipher generatekey utility 
cannot generate or import MS-CAPI keys.  If the MS-CAPI Engine can generate 
keys, you might be able to use it through the nCipher CSP to generate hardware 
protected Signing and Exchange keypairs for your CAPI container.  Another 
option, if you already generated a Security World protected RSA keypair for 
another application type, is to use the nCipher cspimport utility to bring it 
into the MS-CAPI environment.  

Note that you can contact Thales technical support as part of your support 
contract.  They also sell Developer Support to help you with your code.

S.

-- 
san...@temme.net              http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
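
Added example (not part of the original message, and not Thales or OpenSSL code): a Python check that parses the output of `openssl rsa -in fookey -noout -text` and reports whether the private exponent decodes as ASCII text, which is how the message above says the dummy 'embed' key can be recognised. The function names, the 0.9 threshold and the sample dump, including the placeholder pointer string, are assumptions constructed for illustration; the real pointer format is not shown in the message.

```python
import re

def field_bytes(dump: str, field: str) -> bytes:
    """Raw bytes of a multi-line hex field in `openssl rsa -noout -text` output."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == field + ":":
            parts = []
            for cont in lines[i + 1:]:
                if not cont.startswith(" "):  # next field label starts at column 0
                    break
                parts.append(cont.strip())
            return bytes.fromhex("".join(parts).replace(":", ""))
    raise ValueError(f"field {field!r} not found")

def printable_run(data: bytes) -> str:
    """Longest run of printable ASCII in data."""
    runs = re.findall(rb"[\x20-\x7e]+", data)
    return max(runs, key=len).decode("ascii") if runs else ""

def looks_like_embed_stub(dump: str, min_ratio: float = 0.9) -> bool:
    """Heuristic (assumption): a private exponent that is almost all text is a stub."""
    d = field_bytes(dump, "privateExponent").lstrip(b"\x00")
    return bool(d) and len(printable_run(d)) / len(d) >= min_ratio

# --- constructed sample input; the real pointer format is not shown on the page ---
POINTER = b"CONSTRUCTED-POINTER-TO-REAL-KEY (placeholder, not the real format)"
RANDOM_D = bytes((i * 73 + 41) % 256 for i in range(64))  # stand-in for a real exponent

def _hex_lines(data: bytes, width: int = 15) -> str:
    rows = [data[i:i + width] for i in range(0, len(data), width)]
    return ":\n".join("    " + ":".join(f"{b:02x}" for b in row) for row in rows)

def sample_dump(d: bytes) -> str:
    return ("Private-Key: (512 bit)\nmodulus:\n" + _hex_lines(b"\x00" + RANDOM_D)
            + "\npublicExponent: 65537 (0x10001)\nprivateExponent:\n" + _hex_lines(d)
            + "\nprime1:\n" + _hex_lines(RANDOM_D[:32]) + "\n")

if __name__ == "__main__":
    for name, d in (("stub", POINTER), ("ordinary", RANDOM_D)):
        dump = sample_dump(d)
        print(name, looks_like_embed_stub(dump),
              repr(printable_run(field_bytes(dump, "privateExponent"))))
```

A check like this can run before a key file is loaded in a process that does not have the CHIL engine registered, so the dummy key is rejected instead of silently used for private key operations.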
