RSA Keys by Reference (through the OpenSSL PKCS#11 Engine)

UPDATE 2009-11-19: I have generated the PKCS#11 patch for 0.9.8l.

I have just done my putback to the SFW gate for the "RSA Keys by Reference" project. It will be part of Nevada build 129 and the next version of OpenSolaris. The CR was "6479874 OpenSSL should support RSA key by reference/hardware keystores". With this code, applications can access RSA keys stored in PKCS#11 tokens through the existing OpenSSL API functions ENGINE_load_private_key() and ENGINE_load_public_key(), without the private key material ever being loaded into the application's memory. The code was based on alpha code I wrote more than 2 years ago, which quickly became part of the PKCS#11 patch. That code was really alpha, more a proof of concept than something usable in a production environment. It took me another couple of months to mold it into the current form that could be committed to the repository.

Part of the project was a specification of the PKCS#11 URI. Unfortunately I do not have many cycles for this blog entry right now, so if you are interested or have any questions, please read the slides I wrote for the project presentation I gave here at Sun to our team. They have enough details and a few examples. I'm sure I'll get back here with some multithreaded C code and possibly more information.

There is no patch available yet against the regular OpenSSL tarball distribution. I need some time to take care of other things I have neglected recently while finishing up this project. I'd like to generate it soon, though.

Jan Pechanec