RSA Keys by Reference (through the OpenSSL PKCS#11 Engine)
By janp on Nov 11, 2009
UPDATE 2009-11-19: I have generated the PKCS#11 patch for 0.9.8l.
I have just done my putback to the SFW gate for the "RSA Keys by Reference" project. It will be part of Nevada build 129 and the next version of OpenSolaris. The CR was "6479874 OpenSSL should support RSA key by reference/hardware keystores". With this code, applications can access RSA keys stored in PKCS#11 tokens through the existing OpenSSL API functions ENGINE_load_private_key() and ENGINE_load_public_key(), without any need for the private keys to be loaded into memory. The code was based on alpha code I wrote more than 2 years ago, which quickly became part of the PKCS#11 patch. That code was really alpha, more a proof of concept than something usable in a production environment. It took me another couple of months to mold it into the current form that could be committed to the repository.
Part of the project was a specification of the PKCS#11 URI. Unfortunately, I do not have many cycles right now for this blog entry, so if you are interested or have any questions, please read the slides I wrote for the project presentation I gave here at Sun to our team. They have enough details and a few examples. I'm sure I'll get back here with some multithreaded C code and possibly more information.
There is no patch available yet against the regular OpenSSL tarball distribution. I need some time to take care of other things I did not have time for recently because I have been finishing up this project. I'd like to generate it soon, though.