[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2014-09-10 Thread Rich Salz via RT 
This was obsoleted by ticket 913, which I closed as something too old that
we're not going to do. So closing this.

Having said that (twice, actually), a PKCS11 ENGINE would be a cool thing to
have.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #11] pkcs11 engine for openssl 0.9.7d

2004-07-08 Thread via RT 



update for openssl 0.9.7d

[EMAIL PROTECTED]
Bull TrustWay
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2003-10-28 Thread via RT 

update & bug corrections for the pkcs#11 engine (0.9.7c)
please take care to update the openssl contributions page by this new
patch.
regards

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2003-10-28 Thread via RT 

update & bug corrections for the pkcs#11 engine (0.9.6k)
please take care to update the openssl contributions page by this new 
patch.
regards
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2003-06-11 Thread Richard Levitte via RT 

And oh, it might be interesting to port this to use the new STORE type
in 0.9.8-dev, which supports key generation...

[levitte - Thu Jun 12 03:27:57 2003]:

> I've added the two latest contributions to
> http://www.openssl.org/contrib/.


-- 
Richard Levitte
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2003-06-11 Thread Richard Levitte via RT 

I've added the two latest contributions to
http://www.openssl.org/contrib/.

-- 
Richard Levitte
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2003-01-30 Thread via RT 

__
> [EMAIL PROTECTED]
> Bull TrustWay R&D, France
> http://www.servers.bull.com/trustway
> 


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2003-01-30 Thread via RT 

Hello Richard,


> Richard Levitte via RT wrote:
>
> It's unfortunate that cryptoki.h is GPLd, or I would put it in our
contribution area.
>
> GPL is not compatible with the OpenSSL license.  Is it possible to 
get a
different cryptoki.h?


I got the original cryptoki.h which is not GPLd from RSA and is a 
sample for
Windows environment. I have added necessary changes for Unix-like 
platforms.

> Also, is conf.h really necssary?

You're absolutely right, conf.h is not necessary. I take it off.

> I'm willing to do the transformation needed for this bundle to work
properly within OpenSSL.

So, you can find attached to this mail updates taking in account your
advice.

Cheers,
Afchine Madjlessi

__
[EMAIL PROTECTED]
Bull TrustWay R&D, France
http://www.servers.bull.com/trustway

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] pkcs11 engine for openssl (0.9.7-beta6)

2002-12-17 Thread via RT 

This is the last patch which implement a PKCS#11 engine in openssl 
0.9.7.
It has been tested with openssl commands, secure apache web server 
1.3.27 + mod_ssl 2.8.12 and openca 0.9.0 on Linux with a CC2000 Bull 
TrustWay cryptographic card offering PKCS#11 interface.
Openssl commands tests have been done also on Windows and AIX platforms.
I hope this contribution helps to incorporate a pkcs#11 engine in a 
next version of openssl.
Afchine Madjlessi

Bull TrustWay
[EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread via RT 

The new patch for pkcs#11 engine on openssl 0.9.7 delivered today to 
RT/openssl corrects compile problem in windows platform. 
Thanks to your advice!
Afchine Madjlessi
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread via RT 

The new patch for pkcs#11 engine on openssl 0.9.7 delivered today to 
RT/openssl corrects compile problem in windows platform. 
Thanks to your advice!
Afchine Madjlessi
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread afchine madjlessi via RT 

I have tested the PKCS#11 engine on Linux (linux-elf).
It will be very nice to submit your changes and correction for other
environments to RT/openssl or if you prefer send them diectly to me to
update the pkcs#11 engine patch.

Thanks,
Afchine
- Original Message -
From: " via RT" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, December 16, 2002 9:47 AM
Subject: [openssl.org #11] Fw: trustway pkcs11 engine for openssl


>
> It's so nice that someone provided pkcs11 enginge patch.
> Thanks a lot, Afchine Madjlessi...
>
> However I have one problem while compling openssl 0.9.7 beta5 with this
> patch on Windows 2000. I just followed the instructions described
> in "intall.w32" from openssl 0.9.7 beta5:
>
> 1. perl Configure VC-WIN32=> OK
>
> 2. ms\do_ms   => WARNING
>
> D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 16
> libeay  1>ms\l
> ibeay16.def
> Warning: ENGINE_load_pkcs11 does not have a number assigned
>
> D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 32
> libeay  1>ms\l
> ibeay32.def
> Warning: ENGINE_load_pkcs11 does not have a number assigned
>
> 3. nmake -f ms\ntdll.mak   => ERROR
>
> NMAKE : fatal error U1073: don't know how to
> make '.\crypto\engine\hw_pkcs11.c'
> Stop.
>
> Then I move all the source codes from \crypto\engine\pkcs11 to
> \crypto\engine\, and execute nmake -f ms\ntdll.mak again.But it still
> didn't work.
>
> cl /Fotmp32dll\hw_pkcs11.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2
>  /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -
> DWIN32_LEAN_AND_MEAN -DL_END
> IAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -
> DOPENSSL
> _NO_KRB5 -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -
> c .\crypto\engine\hw_pkcs11.c
> hw_pkcs11.c
> .\crypto\engine\hw_pkcs11.c(13) : fatal error C1083: Cannot open
> include file: '
> unistd.h': No such file or directory
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
>
>
> Could anyone fix this problem? Thanks very much...
>
>
>
> [guest - Fri Dec 13 15:23:00 2002]:
>
> > Here you have the patch for pkcs11 engine for openssl 0.9.7 beta5
> > This engine has been tested with apache 1.3.27 mod_ssl 2.8.12 and the
> > CC2000 Bull TrustWay hardware. If needed, I can provide also the
> patch
> > to use with mod_ssl and some tools to create and sign certificate
> > requests.
> > In this new release of the pkcs#11 engine, I have added just the
> > rsa_generate_key in the RSA_METHOD. This call permit to generate and
> > put the private key in the crypto hardware. load_private_key and
> > load_public_key engine calls are also added to this engine.
> > All the PKCS#11 function calls are done through C_GetFunctionList. So
> > the engine could be used with different pkcs#11 and token libraries.
> > There is also a possibility to use a remote crypto box.
> >
> > Afchine Madjlessi
> > __
> > [EMAIL PROTECTED]
> > Bull TrustWay R&D
> > http://www.servers.bull.com/trustway
> >
>
>

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread afchine madjlessi 
I have tested the PKCS#11 engine on Linux (linux-elf).
It will be very nice to submit your changes and correction for other
environments to RT/openssl or if you prefer send them diectly to me to
update the pkcs#11 engine patch.

Thanks,
Afchine
- Original Message -
From: " via RT" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, December 16, 2002 9:47 AM
Subject: [openssl.org #11] Fw: trustway pkcs11 engine for openssl


>
> It's so nice that someone provided pkcs11 enginge patch.
> Thanks a lot, Afchine Madjlessi...
>
> However I have one problem while compling openssl 0.9.7 beta5 with this
> patch on Windows 2000. I just followed the instructions described
> in "intall.w32" from openssl 0.9.7 beta5:
>
> 1. perl Configure VC-WIN32=> OK
>
> 2. ms\do_ms   => WARNING
>
> D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 16
> libeay  1>ms\l
> ibeay16.def
> Warning: ENGINE_load_pkcs11 does not have a number assigned
>
> D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 32
> libeay  1>ms\l
> ibeay32.def
> Warning: ENGINE_load_pkcs11 does not have a number assigned
>
> 3. nmake -f ms\ntdll.mak   => ERROR
>
> NMAKE : fatal error U1073: don't know how to
> make '.\crypto\engine\hw_pkcs11.c'
> Stop.
>
> Then I move all the source codes from \crypto\engine\pkcs11 to
> \crypto\engine\, and execute nmake -f ms\ntdll.mak again.But it still
> didn't work.
>
> cl /Fotmp32dll\hw_pkcs11.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2
>  /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -
> DWIN32_LEAN_AND_MEAN -DL_END
> IAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -
> DOPENSSL
> _NO_KRB5 -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -
> c .\crypto\engine\hw_pkcs11.c
> hw_pkcs11.c
> .\crypto\engine\hw_pkcs11.c(13) : fatal error C1083: Cannot open
> include file: '
> unistd.h': No such file or directory
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
>
>
> Could anyone fix this problem? Thanks very much...
>
>
>
> [guest - Fri Dec 13 15:23:00 2002]:
>
> > Here you have the patch for pkcs11 engine for openssl 0.9.7 beta5
> > This engine has been tested with apache 1.3.27 mod_ssl 2.8.12 and the
> > CC2000 Bull TrustWay hardware. If needed, I can provide also the
> patch
> > to use with mod_ssl and some tools to create and sign certificate
> > requests.
> > In this new release of the pkcs#11 engine, I have added just the
> > rsa_generate_key in the RSA_METHOD. This call permit to generate and
> > put the private key in the crypto hardware. load_private_key and
> > load_public_key engine calls are also added to this engine.
> > All the PKCS#11 function calls are done through C_GetFunctionList. So
> > the engine could be used with different pkcs#11 and token libraries.
> > There is also a possibility to use a remote crypto box.
> >
> > Afchine Madjlessi
> > __
> > [EMAIL PROTECTED]
> > Bull TrustWay R&D
> > http://www.servers.bull.com/trustway
> >
>
>

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread via RT 

It's so nice that someone provided pkcs11 enginge patch.
Thanks a lot, Afchine Madjlessi...

However I have one problem while compling openssl 0.9.7 beta5 with this 
patch on Windows 2000. I just followed the instructions described 
in "intall.w32" from openssl 0.9.7 beta5:

1. perl Configure VC-WIN32=> OK

2. ms\do_ms   => WARNING 

D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 16 
libeay  1>ms\l
ibeay16.def
Warning: ENGINE_load_pkcs11 does not have a number assigned

D:\Program\OCSP\OpenSSL\openssl-0.9.7-beta5>perl util\mkdef.pl 32 
libeay  1>ms\l
ibeay32.def
Warning: ENGINE_load_pkcs11 does not have a number assigned

3. nmake -f ms\ntdll.mak   => ERROR

NMAKE : fatal error U1073: don't know how to 
make '.\crypto\engine\hw_pkcs11.c'
Stop.

Then I move all the source codes from \crypto\engine\pkcs11 to 
\crypto\engine\, and execute nmake -f ms\ntdll.mak again.But it still 
didn't work.

cl /Fotmp32dll\hw_pkcs11.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2
 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -
DWIN32_LEAN_AND_MEAN -DL_END
IAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -
DOPENSSL
_NO_KRB5 -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -
c .\crypto\engine\hw_pkcs11.c
hw_pkcs11.c
.\crypto\engine\hw_pkcs11.c(13) : fatal error C1083: Cannot open 
include file: '
unistd.h': No such file or directory
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.


Could anyone fix this problem? Thanks very much...



[guest - Fri Dec 13 15:23:00 2002]:

> Here you have the patch for pkcs11 engine for openssl 0.9.7 beta5
> This engine has been tested with apache 1.3.27 mod_ssl 2.8.12 and the 
> CC2000 Bull TrustWay hardware. If needed, I can provide also the 
patch 
> to use with mod_ssl and some tools to create and sign certificate 
> requests.
> In this new release of the pkcs#11 engine, I have added just the 
> rsa_generate_key in the RSA_METHOD. This call permit to generate and 
> put the private key in the crypto hardware. load_private_key and 
> load_public_key engine calls are also added to this engine.
> All the PKCS#11 function calls are done through C_GetFunctionList. So 
> the engine could be used with different pkcs#11 and token libraries.
> There is also a possibility to use a remote crypto box.
> 
> Afchine Madjlessi
> __
> [EMAIL PROTECTED]
> Bull TrustWay R&D 
> http://www.servers.bull.com/trustway
> 


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-12-16 Thread via RT 

It's so nice that someone provided pkcs11 enginge patch.
Thanks, Afchine Madjlessi...

However I have one problem while compling openssl 0.9.7 beta5 with this 
patch on Windows 2000. I just followed the intructions described 
in "intall.w32" from openssl 0.9.7 beta5:

1. perl Configure VC-WIN32 => OK
2. ms\do_ms
3. nmake -f ms\ntdll.mak







[guest - Fri Dec 13 15:23:00 2002]:

> Here you have the patch for pkcs11 engine for openssl 0.9.7 beta5
> This engine has been tested with apache 1.3.27 mod_ssl 2.8.12 and the 
> CC2000 Bull TrustWay hardware. If needed, I can provide also the 
patch 
> to use with mod_ssl and some tools to create and sign certificate 
> requests.
> In this new release of the pkcs#11 engine, I have added just the 
> rsa_generate_key in the RSA_METHOD. This call permit to generate and 
> put the private key in the crypto hardware. load_private_key and 
> load_public_key engine calls are also added to this engine.
> All the PKCS#11 function calls are done through C_GetFunctionList. So 
> the engine could be used with different pkcs#11 and token libraries.
> There is also a possibility to use a remote crypto box.
> 
> Afchine Madjlessi
> __
> [EMAIL PROTECTED]
> Bull TrustWay R&D 
> http://www.servers.bull.com/trustway
> 


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] pkcs11 engine for openssl

2002-12-13 Thread via RT 

here is the patch for mod_ssl
Afchine Madjlessi
__
[EMAIL PROTECTED]
Bull TrustWay R&D 
http://www.servers.bull.com/trustway
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] pkcs11 engine for openssl 0.9.7

2002-12-13 Thread via RT 

Here you have the patch for pkcs11 engine for openssl 0.9.7 beta5
This engine has been tested with apache 1.3.27 mod_ssl 2.8.12 and the 
CC2000 Bull TrustWay hardware. If needed, I can provide also the patch 
to use with mod_ssl and some tools to create and sign certificate 
requests.
In this new release of the pkcs#11 engine, I have added just the 
rsa_generate_key in the RSA_METHOD. This call permit to generate and 
put the private key in the crypto hardware. load_private_key and 
load_public_key engine calls are also added to this engine.
All the PKCS#11 function calls are done through C_GetFunctionList. So 
the engine could be used with different pkcs#11 and token libraries.
There is also a possibility to use a remote crypto box.

Afchine Madjlessi
__
[EMAIL PROTECTED]
Bull TrustWay R&D 
http://www.servers.bull.com/trustway

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] TrustWay pkcs11 engine for openssl for openssl-engine-0.9.6.h

2002-12-13 Thread via RT 


Please find attached the patch file for pkcs11 engine for openssl-
engine-0.9.6h.
I will post the patch for openssl-0.9.7-beta5 in a separate mail.

Afchine Madjlessi
__
[EMAIL PROTECTED]
Bull TrustWay R&D 
http://www.servers.bull.com/trustway
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-09-09 Thread via RT 


You can find attached the Bull Trustway PKCS#11 patch for openssl-
engine-0.9.6g. 
Afchine Madjlessi
__
[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] pkcs11 engine for openssl (Bull trustway)

2002-09-09 Thread via RT 


I've made some improvements in the Bull trustway pkcs#11 engine to be 
more generic.
In this release, PKCS#11 functions are called through the functions 
list rather than specific calls directly to PKCS#11 functions. So it 
is possible to point it to any PKCS#11 shared library renamed 
libpkcs11.so on Linux.
A new flag, RSA_FLAG_GEN_KEY is added to RSA_method to allow the use 
of the additionnal entries (rsa_generate_key, 
i2d/d2i_RSAPrivate/PublicKey) for crypto cards which can generate and 
store keys. 
PKCS#11 engine is added in crypto/engine/pkcs11. In the crypto code, 
rsagen & d2i/i2dRSAPublic/PrivateKey functions can be redirected to 
the the PKCS11 engine when RSA_FLAG_GEN_KEY is defined by the engine.
This PKCS#11 engine identifier is "pkcs11" rather than trustway in the 
last release.
I've tested this engine with apache-mod_ssl & cc2000 Bull crypto card 
on Linux. It have been tested also on Win32.
Cheers,
Afchine Madjlessi
__
[EMAIL PROTECTED]
Bull - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-06-18 Thread Geoff Thorpe via RT 


Hi there,

Just a couple of thoughts on this ticket [#11]..

[[EMAIL PROTECTED] - Thu May 30 17:39:08 2002]:

> "Richard Levitte via RT" <[EMAIL PROTECTED]> writes:
> 
> > 1. could this engine be considered a general PKCS#11 engine, or are
> > there specific ties to Trustway.  I'd prefer to see a general
> > PKCS#11 engine.
> 
> This engine is a general PKCS#11 engine. I tested it first with the
> PKCS#11 library developped by Lutz Behnke (libgpkcs11.so) and
> its software token (libceay_tok.so). It is possible to make a general
> PKCS#11 engine and just put specific ties, if any, for multiple hardwares.
> In Trustway case, the only specific tie is the name of PKCS#11 library
> to load and some controls added when loading it.
> Our code depends on gpkcs11 include files (cryptoki.h, pkcs11.h, ...);
> it is possible to add them to our patch.

It would be great to have a generic pkcs#11 ENGINE going into the base
openssl source, certainly moreso than having a new one added for each
particular implementation/token type. W.r.t. requiring different
controls, well yes - that's the whole point of having string-based
controls for ENGINEs, it lets the user/admin get any kind of settings
through to any kind of ENGINE without OpenSSL having to understand it
all. With Steve's recent work on (auto)configuration through
openssl.cnf, arbitrary controls can be specified for loading/configuring
ENGINEs on initialisation. For a generic "pkcs11" ENGINE, one of these
controls of course would identify the library/driver/token/location of
the corresponding device.

> > 2. Those extra functions in the RSA method, are they really needed?
> > I understand that they provide a lot of automagic things, but then
> > it should be added in the ENGINE framework as something that would
> > be potentially available for any hardware (that supports that extra
> > functionality).  Also, when it comes to loading keys, the current
> > modus operandi is to explicitely use the ENGINE key loading
> > functions rather than having some implicit functionality going on.
> > The reason is that we'd prefer not to surprise the users too much.
> 
> The Bull Trustway CC2000 isn't only a cryptographic accelerator card,
> it is a high level security hardware providing key generation and storage
> in secure memory. That's why we can't use ENGINE key loading functions.
> Yes those extra functions are really needed when using this kind of
> hardware.

I'm not convinced - the nCipher support in OpenSSL works fine with their
HSM keys. As for adding key generation and/or key-loading changes to
*generic* parts of OpenSSL - I would much prefer we keep that issue
orthogonal to the ENGINE implementations for now. Adding/changing
ENGINEs is a localised process with virtually zero regression risk.
Meddling with generic code risks affecting oodles of apps and users who
don't even care about ENGINEs, hardware, etc. And yes I agree, they
don't know what they're missing out on, but nonetheless we need to treat
ENGINE development differently to how we approach changing non-ENGINE APIs.

Anyhow - right now it makes sense for hardware key-generation to be
handled by external hardware-specific utilities. The possible
configuration requirements for arbitrary hardware is too vague to define
in general terms, for now at least, and people using hardware need to
have hardware-specific drivers and support software anyhow - so why not
put hardware-specific key-gen utils in there with that?

NB: That's not to say that some of the other points aren't important - I
agree completely that it would be useful for RSA "classes" (ie. ENGINE
implementations of RSA_METHOD) to have their own key-gen callback. For
one thing, this would make it possible to have hardware-generated (and
perhaps hardware-protected too) keys used as ephemeral/temporary keys in
SSL/TLS cipher-suites. However that would immediately require that the
ENGINE knows how to generate "generic" keys because you cannot possibly
ask the admin to enter a smart-card and/or PIN when an in-progress SSL
handshake needs an ephemeral key ... general hardware key generation
could require anything the manufacturer manages to dream up; biometrics,
smart cards, PINs, luck, and other equally useful tools of the trade (no
cynicism, of course:-).

Could you possibly resubmit a non-intrusive version of your pkcs11
engine implementation (ie. without changing other openssl code) and I'll
look at integrating it. That at least will give us a base of code in the
CVS snapshots for us and everyone else to work from. Perhaps a bit
further down the line, we could look at opening up a independant ticket
and discussion about changes to the OpenSSL APIs (extending RSA_METHOD,
etc), but I don't think they need affect PKCS11 support for now.

Cheers,
Geoff

-- 

Geoff Thorpe, RT/openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-06-10 Thread afchine madjlessi 

>
> "Richard Levitte via RT" <[EMAIL PROTECTED]> wrote:
> > 2. Those extra functions in the RSA method, are they really needed?
> > I understand that they provide a lot of automagic things, but then
> > it should be added in the ENGINE framework as something that would
> > be potentially available for any hardware (that supports that extra
> > functionality).  Also, when it comes to loading keys, the current
> > modus operandi is to explicitely use the ENGINE key loading
> > functions rather than having some implicit functionality going on.
> > The reason is that we'd prefer not to surprise the users too much.
> >
> "Afchine Madjlessi" <[EMAIL PROTECTED] > wrote
> The Bull Trustway CC2000 isn't only a cryptographic accelerator card,
> it is a high level security hardware providing key generation and storage
> in secure memory. That's why we can't use ENGINE key loading functions.
> Yes those extra functions are really needed when using this kind of
> hardware.
>
You can find below a sample to generate and store key pair when using
openssl-engine over trustway PKCS#11 card.
#
# create certificate request, sign it -> server certificate
# (an RSA key pair is generated)
#

# 1. making a CA certificate

# CA-trustway.sh -newca

#

openssl req -engine trustway -config ../openssl.cnf \

-new -x509 -keyout ./demoCA/private/cakey.pem \

-out =./demoCA/cacert.pem -days 365

#

# 2. create a certificate request

# CA-trustway.sh -newreq

#

openssl req -engine trustway -config ../openssl.cnf -new \

-keyout newkey.pem -out newreq.pem -nodes -days 365
#

# 3.create a certificate request

# CA-trustway.sh -signreq

#

openssl ca -engine trustway -config ../openssl.cnf \

-policy policy_anything -out newcert.pem -infiles newreq.pem


afchine
__
[EMAIL PROTECTED]
Bull Technologies - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway







__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-31 Thread afchine madjlessi 



Zoran,
could you please send me source code of Eracom 
PKCS11 engine for openssl?
regards
__[EMAIL PROTECTED]Bull 
Technologies -Trustway R&D - Networking & Securityhttp://www.servers.bull.com/trustway
 
 

  - Original Message - 
  From: 
  Zoran Radenkovic 
  With Eracom PKCS11 engine we 
  tried to work in boundaries defined with engine API with minimal impact on 
  openssl core code base. As well we wanted to have "key handling" transparent 
  to application build up on openssl (not need to change source and rebuild 
  application). Problem of 
  key generation is not simple as generate key in a HSM. What if you already 
  have a key approved from CA and want to put in HSM. That if you have key on 
  multiple smart card in multi custodian key-management environment …, or you 
  want to generate key but you want to have key components back-up in smart 
  cards, protected by different pins. This is the reason (for time being – while 
  openssl come up with it's own model), we decoupled "HSM key" generation from 
  "openssl key" generation. Our user has key generation utility which covers all 
  aspects mentioned above, and openssl utilities are used "to tell" that 
  corresponding keys are stored on HSM. Cheers, Zoran

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-31 Thread afchine madjlessi 


"Steven Bade" <[EMAIL PROTECTED]> wrote

> We generate all keys within our "tokens" Some tokens such as the
> 4758 keep all the token objects within the secure boundary, and rely on
> the proper PKCS#11 attributes to control selection, keys generated stay
> within the FIPS4 boundary.  Others which are accelerators, still use the
> PKCS#11 key generation calls (or object creation functions which could
> be done with the 4758 as well, but then these objects really can't be
> marked as NEVER_EXTRACTABLE because their origin is not really known or
> can be trusted).
>
>
> I don;t remember exactly what the Trustway patch added, but it would be
> nice to allow for engine specific key generation to be used through the
> normal key generation paths, as well as allow for normal calls to be
> used to instantiate the CERT within the PKCS#11 token
>

The trustway patch added is for openssl-engine, so when you're using openssl
with -engine trustway argument key generation is done through our PKCS#11
engine, otherwise the "normal key generation path"  is always available and
can
be used without problem.
__
[EMAIL PROTECTED]
Bull Technologies - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway



__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-31 Thread Zoran Radenkovic 

>> "Steven Bade <[EMAIL PROTECTED]>
>> I'm not sure about the second question, but we found that the eracom
>> engine submission was much more generic.   When one of my co-workers
>> tried to get our PKCS#11 libraries (openCryptoki) used by the Trustway
>> module there were many issues, as well as specific calls directly to
>> PKCs#11 functions rather than through the function list.   If I remember
>> correctly the Eracom submission from last year was much more generic and
>> we had to do nothing except point it to our shared library...  No
>> requirements for GKPCS11 headers, no direct function calls...
>

> "afchine madjlessi" <[EMAIL PROTECTED]>
>I think that in the case of Eracom card, keys are generated by an external way.
>Trustway card generates and stores keys, it's the reason of changes in the RSA methods.
>If needed, I can add the include files in the patch, so it doesn't require to get gpkcs11 headers.

With Eracom PKCS11 engine we tried to work in boundaries defined with engine API with minimal impact on openssl core code base. As well we wanted to have "key handling" transparent to application build up on openssl (not need to change source and rebuild application).

Problem of key generation is not simple as generate key in a HSM. What if you already have a key approved from CA and want to put in HSM. That if you have key on multiple smart card in multi custodian key-management environment …, or you want to generate key but you want to have key components back-up in smart cards, protected by different pins.

This is the reason (for time being – while openssl come up with it's own model), we decoupled "HSM key" generation from "openssl key" generation. Our user has key generation utility which covers all aspects mentioned above, and openssl utilities are used "to tell" that corresponding keys are stored on HSM. 

Cheers,
Zoran

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread Steven Bade 

We generate all keys within our "tokens" Some tokens such as the 
4758 keep all the token objects within the secure boundary, and rely on 
the proper PKCS#11 attributes to control selection, keys generated stay 
within the FIPS4 boundary.  Others which are accelerators, still use the 
PKCS#11 key generation calls (or object creation functions which could 
be done with the 4758 as well, but then these objects really can't be 
marked as NEVER_EXTRACTABLE because their origin is not really known or 
can be trusted).


I don;t remember exactly what the Trustway patch added, but it would be 
nice to allow for engine specific key generation to be used through the 
normal key generation paths, as well as allow for normal calls to be 
used to instantiate the CERT within the PKCS#11 token

BTW, afchine, I for some reason always get 2 copies of ALL your posts to 
the mailing list...

afchine madjlessi wrote:

>  "Steven Bade" <[EMAIL PROTECTED]> writes:
> 
> 
>>I'm not sure about the second question, but we found that the eracom
>>engine submission was much more generic.   When one of my co-workers
>>tried to get our PKCS#11 libraries (openCryptoki) used by the Trustway
>>module there were many issues, as well as specific calls directly to
>>PKCs#11 functions rather than through the function list.   If I remember
>>correctly the Eracom submission from last year was much more generic and
>>we had to do nothing except point it to our shared library...  No
>>requirements for GKPCS11 headers, no direct function calls...
>>
>>
> 
> I think that in the case of Eracom card, keys are generated by an external
> way.
> Trustway card generates and stores keys, it's the reason of changes in the
> RSA methods.
> If needed, I can add the include files in the patch, so it doesn't require
> to get gpkcs11
> headers.
> 
> afchine
> 
> 


-- 
Steven A. Bade
UNIX Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"

this mess is so big and so bad and so tall,
we cannot clean it up, there is no way at all
(Cat in the Hat)



__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread afchine madjlessi 

 "Steven Bade" <[EMAIL PROTECTED]> writes:

> I'm not sure about the second question, but we found that the eracom
> engine submission was much more generic.   When one of my co-workers
> tried to get our PKCS#11 libraries (openCryptoki) used by the Trustway
> module there were many issues, as well as specific calls directly to
> PKCs#11 functions rather than through the function list.   If I remember
> correctly the Eracom submission from last year was much more generic and
> we had to do nothing except point it to our shared library...  No
> requirements for GKPCS11 headers, no direct function calls...
>

I think that in the case of Eracom card, keys are generated by an external
way.
Trustway card generates and stores keys, it's the reason of changes in the
RSA methods.
If needed, I can add the include files in the patch, so it doesn't require
to get gpkcs11
headers.

afchine

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread 


"Richard Levitte via RT" <[EMAIL PROTECTED]> writes:

>
> I've just started looking at this, and I've got a couple of
> questions:
>
> 1. could this engine be considered a general PKCS#11 engine, or are
> there specific ties to Trustway.  I'd prefer to see a general
> PKCS#11 engine.
>

This engine is a general PKCS#11 engine. I tested it first with the
PKCS#11 library developped by Lutz Behnke (libgpkcs11.so) and
its software token (libceay_tok.so). It is possible to make a general
PKCS#11 engine and just put specific ties, if any, for multiple hardwares.
In Trustway case, the only specific tie is the name of PKCS#11 library
to load and some controls added when loading it.
Our code depends on gpkcs11 include files (cryptoki.h, pkcs11.h, ...);
it is possible to add them to our patch.

> 2. Those extra functions in the RSA method, are they really needed?
> I understand that they provide a lot of automagic things, but then
> it should be added in the ENGINE framework as something that would
> be potentially available for any hardware (that supports that extra
> functionality).  Also, when it comes to loading keys, the current
> modus operandi is to explicitely use the ENGINE key loading
> functions rather than having some implicit functionality going on.
> The reason is that we'd prefer not to surprise the users too much.
>

The Bull Trustway CC2000 isn't only a cryptographic accelerator card,
it is a high level security hardware providing key generation and storage
in secure memory. That's why we can't use ENGINE key loading functions.
Yes those extra functions are really needed when using this kind of
hardware.

afchine




__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread afchine madjlessi 

"Richard Levitte via RT" <[EMAIL PROTECTED]> writes:

>
> I've just started looking at this, and I've got a couple of
> questions:
>
> 1. could this engine be considered a general PKCS#11 engine, or are
> there specific ties to Trustway.  I'd prefer to see a general
> PKCS#11 engine.
>

This engine is a general PKCS#11 engine. I tested it first with the
PKCS#11 library developped by Lutz Behnke (libgpkcs11.so) and
its software token (libceay_tok.so). It is possible to make a general
PKCS#11 engine and just put specific ties, if any, for multiple hardwares.
In Trustway case, the only specific tie is the name of PKCS#11 library
to load and some controls added when loading it.
Our code depends on gpkcs11 include files (cryptoki.h, pkcs11.h, ...);
it is possible to add them to our patch.

> 2. Those extra functions in the RSA method, are they really needed?
> I understand that they provide a lot of automagic things, but then
> it should be added in the ENGINE framework as something that would
> be potentially available for any hardware (that supports that extra
> functionality).  Also, when it comes to loading keys, the current
> modus operandi is to explicitely use the ENGINE key loading
> functions rather than having some implicit functionality going on.
> The reason is that we'd prefer not to surprise the users too much.
>

The Bull Trustway CC2000 isn't only a cryptographic accelerator card,
it is a high level security hardware providing key generation and storage
in secure memory. That's why we can't use ENGINE key loading functions.
Yes those extra functions are really needed when using this kind of
hardware.

afchine




__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread Richard Levitte - VMS Whacker 

In message <[EMAIL PROTECTED]> on Thu, 30 May 2002 08:01:55 -0500, 
Steven Bade <[EMAIL PROTECTED]> said:

sbade> I'm not sure about the second question, but we found that the eracom 
sbade> engine submission was much more generic.   When one of my co-workers 
sbade> tried to get our PKCS#11 libraries (openCryptoki) used by the Trustway 
sbade> module there were many issues, as well as specific calls directly to 
sbade> PKCs#11 functions rather than through the function list.   If I remember 
sbade> correctly the Eracom submission from last year was much more generic and 
sbade> we had to do nothing except point it to our shared library...  No 
sbade> requirements for GKPCS11 headers, no direct function calls...

I think I have the eracom variant in my archives, so I'll take a
look...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread Steven Bade 

I'm not sure about the second question, but we found that the eracom 
engine submission was much more generic.   When one of my co-workers 
tried to get our PKCS#11 libraries (openCryptoki) used by the Trustway 
module there were many issues, as well as specific calls directly to 
PKCs#11 functions rather than through the function list.   If I remember 
correctly the Eracom submission from last year was much more generic and 
we had to do nothing except point it to our shared library...  No 
requirements for GKPCS11 headers, no direct function calls...

Richard Levitte via RT wrote:

> I've just started looking at this, and I've got a couple of 
> questions:
> 
> 1. could this engine be considered a general PKCS#11 engine, or are 
> there specific ties to Trustway.  I'd prefer to see a general 
> PKCS#11 engine.
> 
> 2. Those extra functions in the RSA method, are they really needed?  
> I understand that they provide a lot of automagic things, but then 
> it should be added in the ENGINE framework as something that would 
> be potentially available for any hardware (that supports that extra 
> functionality).  Also, when it comes to loading keys, the current 
> modus operandi is to explicitely use the ENGINE key loading 
> functions rather than having some implicit functionality going on.  
> The reason is that we'd prefer not to surprise the users too much.
> 
> 


-- 
Steven A. Bade
UNIX Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want"

this mess is so big and so bad and so tall,
we cannot clean it up, there is no way at all
(Cat in the Hat)



__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #11] Fw: trustway pkcs11 engine for openssl

2002-05-30 Thread Richard Levitte via RT 


I've just started looking at this, and I've got a couple of 
questions:

1. could this engine be considered a general PKCS#11 engine, or are 
there specific ties to Trustway.  I'd prefer to see a general 
PKCS#11 engine.

2. Those extra functions in the RSA method, are they really needed?  
I understand that they provide a lot of automagic things, but then 
it should be added in the ENGINE framework as something that would 
be potentially available for any hardware (that supports that extra 
functionality).  Also, when it comes to loading keys, the current 
modus operandi is to explicitely use the ENGINE key loading 
functions rather than having some implicit functionality going on.  
The reason is that we'd prefer not to surprise the users too much.

-- 
Richard Levitte
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

pkcs11 engine for openssl

2002-04-23 Thread afchine madjlessi 



Based on openssl-engine-0.9.6c, we have developed a new engine which 
allowsopenssl applications and Apache-mod_ssl servers to use through a 
PKCS#11interface the security functions provided by the Bull trustway cc2000 
cryptographiccard, taking advantage of key storage in secure memory and 
acceleration ofRSA and random functions.RSA keys are introduced using 
PKCS#11 C_GenerateKeyPair standard function.To be able to use the openssl 
commands allowing to generate and handle RSAkeys, the trustway engine 
introduces 4 additionnal entries in the RSA method:    
-  rsa_generate_key    -  
i2d_RSAPrivateKey    -  
d2i_RSAPrivateKey    -  d2i_RSAPublicKeyOther RSA 
methods (rsa_pub_enc, rsa_pub_dec, rsa_priv_enc, rsa_pub_enc,rsa_sign, rsa, 
rsa_verify) are available.The Trustway (PKCS#11) engine identifier is 
"trustway".The server certificate must be created as using the trustway 
engine, inorder to generate the corresponding  RSA key pair directly in 
the cryptocard. These keys are CKA_TOKEN (permanent). A modified version 
ofopenssl CA.sh, "CA-trustway.sh" does that.Temporary RSA keys are 
created through the application (mod_ssl i.e.) bycalling the trustway 
engine. Obviously, these keys are CKA_SESSION(temporary). As they are 
session objects, they are destroyed when thePKCS#11 session is closed when 
the process terminates.The functions which initialize and terminate the 
engine library take chargeof loading and unloading the PKCS#11 shared 
library. Ours is based on"gpkcs11".PKCS#11 C_Initialize function is 
called just once.For a given process, each RSA cryptographic operation 
carried out by theengine uses the same PKCS#11 session.Two patch files 
openssl-engine-0.9.6c-tw.patch andmod_ssl-2.8.8-1.3.24-tw.patch are provided 
to be applied to openssl-engineand modssl. The new engine code is in the 
file "hw_trustway.c". Someinstallation, and configuration procedures are 
also provided in our release.This development is tested on a Linux machine 
with a cc2000 cryptoaccelerator which increases raw server throughput to 400 
requests 
persecond.Afchine__[EMAIL PROTECTED]Bull 
Trustway R&D - Networking & Securityhttp://www.servers.bull.com/trustway__OpenSSL 
Project 
http://www.openssl.orgDevelopment 
Mailing 
List   
[EMAIL PROTECTED]Automated 
List 
Manager   
[EMAIL PROTECTED]


mod_ssl-2.8.8-1.3.24-tw.patch
Description: Binary data


openssl-engine-0.9.6c-tw.patch
Description: Binary data