RE: ENGINE issues
IIRC the Luna CA3 is FIPS 140-2 Level 3, which means it won't allow you under any circumstances to extract the private key from the device (non-extractable, sensitive in PKCS#11 parlance). What this means is that you need to send the data to the device to be signed (don't know how to do this using openssl), rather than extracting the key and using openssl to do the crypto in software.

Dave

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: ENGINE issues
On Thu, 13 Jan 2005 12:27:57 - David C. Partridge [EMAIL PROTECTED] wrote:

> IIRC the Luna CA3 is FIPS 140-2 Level 3, which means it won't allow you under any circumstances to extract the private key from the device (non-extractable, sensitive in PKCS#11 parlance). What this means is that you need to send the data to the device to be signed (don't know how to do this using openssl), rather than extracting the key and using openssl to do the crypto in software.

My intention was not to extract the key but to tell OpenSSL to use a particular key, thus I need a way to generate a reference to the key. I just took as an example the code from openssl, but there is something I am doing wrong somewhere...

All I want to do is to enable ENGINE so all crypto operations are performed on the LunaSA (and probably I am missing something important here :-( ) and to use the key stored on the device, not a software one.

Does anybody have experiences (also with other hardware) that may be of some help???

Thank you,
byz.

---
Massimiliano Pala ([EMAIL PROTECTED])
Fwd: RE : ENGINE issues
--- the forwarded message follows ---

On Thu, 13 Jan 2005 16:26:33 +0100 Frédéric Donnat [EMAIL PROTECTED] wrote:

> Hi Massimo,

Hi,

> As far as I know, you must LOAD (pre command I think) the ENGINE to correctly set all ENGINE function pointers... And thus initialize openssl with your ENGINE. Did you do it?

Yes, init of the ENGINE works fine.

> You should be able to get a private key handle but not the private key parameters according to PKCS#11. I have done such a thing with a Bull PKCS 11 module and their PKCS#11 patch and it works fine. You could try to trace the Luna ENGINE in the ENGINE_load_private_key() function in order to find the faulty part of the code.

This is what I have done... and I found that they simply did not implement ENGINE_load_private_key()... I am trying to implement it... but it is quite hard to do it in less than one day. I hope they will respond to my requests, sending me the missing functions (also ENGINE_load_public_key() is missing, but this is not an issue... at the moment!).

It sounds really strange, anyway, that this function is missing... as this implies that no ENGINE support is there to use private keys directly on the LunaCA/SA!?!?

Anyway, if you have some code you can send me about your implementation, I would be glad to take a look at it in order to check my implementation.

Thx for your help.

--
Massimiliano Pala
Re: ENGINE issues
On Thu, Jan 13, 2005, Massimiliano Pala wrote:

> On Thu, 13 Jan 2005 12:27:57 - David C. Partridge [EMAIL PROTECTED] wrote:
>
> I just took as an example the code from openssl, but there is something I am doing wrong somewhere... All I want to do is to enable ENGINE so all crypto operations are performed on the LunaSA (and probably I am missing something important here :-( ) and to use the key stored on the device, not a software one. Does anybody have experiences (also with other hardware) that may be of some help???

The nCipher (nFast/Chil) ENGINE can use hardware keys. There's also a test operation in the openssl test engine which just loads from a PEM file.

I suggest you put debugging printfs in your code to check its load private key function is actually being called.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk