OpenSSL PKCS#11 engine presentation

Some light intro first: OpenSSL has a concept of plugins/add-ons called 'engines' which can supply alternative implementations of crypto operations (digests, symmetric and asymmetric ciphers and random data generation). The main reason for the existence of engines is the ability to offload crypto operations to hardware. (Open)Solaris ships with an engine called the PKCS#11 engine, which provides access to the Solaris Cryptographic Framework, which in turn can provide access to HW crypto.

I spent some time fixing bugs in the OpenSSL PKCS#11 engine in Solaris, so I got quite intimate with its internals. Recently, while discussing an upcoming feature with Jan, he asked me why one particular detail in the engine is done one way and not the other (for the curious: it's that fork() detection is not done via atfork handlers). It took me some thinking to find the answer (I was focused on the other changes at that time), which made us realize that it would be good to summarize the design choices behind the engine and also to document the internals, so that others can quickly see what's going on inside and be able to make changes in the engine without reverse engineering the thoughts behind it. The outcome is a set of slides which I hope succinctly describe both the overall picture and the gritty details.

The presentation can be downloaded here.

Comments:

Hello,

Thanks for any help you can give to a fairly new administrator finding lots of developer-friendly documentation, but not yet finding the resources which would be very helpful to admins.

How can I bring the results of the two systems below into agreement?

I was expecting to find engine and pkcs11 sections in openssl.cnf which explained the different results on the systems, but the openssl.cnf files I found did not have engine or pkcs11 sections. I didn't see relevant differences in /etc/crypto/kcf.conf either.

I am hoping to remove PKCS #11 support for openssl AES-128-CBC on the one system.

/usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
/usr/sfw/bin/openssl engine -c -t
(pkcs11) PKCS #11 engine support
[RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, AES-128-CBC, RC4, MD5, SHA1]
[ available ]

/usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-5135 CVE-2008-5077 CVE-2009-0590)
/usr/sfw/bin/openssl engine -c -t
(pkcs11) PKCS #11 engine support
[RSA, DSA, DH, RAND]
[ available ]

-Lonny

Posted by Lonny Niederstadt on April 24, 2010 at 11:19 PM CEST
