Some light intro first: OpenSSL has a concept of plugins/add-ons called 'engines' which can supply alternative implementations of crypto operations (digests, symmetric and asymmetric ciphers and random data generation). The main reason for the existence of engines is the ability to offload crypto ops to hardware. (Open)Solaris ships with an engine called the PKCS#11 engine, which provides access to the Solaris Cryptographic Framework, which in turn can provide access to HW crypto.

I spent some time fixing bugs in the OpenSSL PKCS#11 engine in Solaris, so I got quite intimate with its internals. Recently, while discussing an upcoming feature with Jan, he asked me why one particular detail in the engine is done one way and not the other (it's the fork() detection not being done via atfork handlers, for the curious). It took me some thinking to find the answer (I was focused on the other changes at that time), which made us realize that it would be good to summarize the design choices behind the engine and also to document the internals, so that others can quickly see what's going on inside and also be able to make changes in the engine without reverse engineering the thoughts behind it. The outcome is a set of slides which I hope succinctly describe both the overall picture and the gritty details.
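The fork() detection mentioned above is the kind of detail worth a concrete illustration. A PKCS#11 engine holds state (an initialised library, open sessions, possibly RNG state) that must not be shared between a parent and a child after fork(): the PKCS#11 spec requires the child to call C_Initialize() again, and reusing a session or RNG state across fork is a correctness and security problem. One way to detect a fork without pthread_atfork() (which has the drawback that handlers cannot be unregistered, so a dlclose()d engine would leave dangling handlers) is to record the owning PID and compare it against getpid() at the start of every operation. The following is an added example written for this post, not the Solaris engine's own code; pk11_state, pk11_init, pk11_check_fork and the fake session handle are hypothetical stand-ins for the real PKCS#11 calls.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical engine state: the real engine keeps much more, this is
 * only what is needed to show the PID-comparison idea. */
typedef struct {
    pid_t owner_pid;        /* PID that initialised the "token" */
    unsigned long session;  /* stand-in for a PKCS#11 session handle */
    int reinit_count;       /* how many times a fork forced a re-init */
} pk11_state;

/* Stand-in for C_OpenSession(): hands out a fresh handle each call. */
static unsigned long fake_open_session(void)
{
    static unsigned long next = 1;
    return next++;
}

/* Initialise the state as if C_Initialize() + C_OpenSession() had run. */
void pk11_init(pk11_state *st)
{
    st->owner_pid = getpid();
    st->session = fake_open_session();
    st->reinit_count = 0;
}

/* Called at the start of every crypto operation. Returns 1 if a fork was
 * detected and the state was re-initialised for the new process, 0 if the
 * caller is still the process that owns the state. */
int pk11_check_fork(pk11_state *st)
{
    if (st->owner_pid == getpid())
        return 0;
    /* We are a child: drop the inherited session handle and re-create the
     * state in this process, as PKCS#11 requires after fork(). */
    st->owner_pid = getpid();
    st->session = fake_open_session();
    st->reinit_count++;
    return 1;
}

/* Fork, run the check in the child, and report back via the exit status.
 * Returns 1 if the child detected the fork exactly once (and got a new
 * session) while the parent's state stayed untouched, 0 otherwise. */
int demo_fork_detection(void)
{
    pk11_state st;
    pk11_init(&st);
    if (pk11_check_fork(&st) != 0)      /* same process: nothing to do */
        return 0;

    unsigned long parent_session = st.session;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        int detected = pk11_check_fork(&st);   /* must re-init */
        int again = pk11_check_fork(&st);      /* now owned by child */
        int ok = detected == 1 && again == 0 &&
                 st.reinit_count == 1 && st.session != parent_session;
        _exit(ok ? 0 : 1);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    if (pk11_check_fork(&st) != 0)      /* parent is unaffected */
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("fork detection %s\n", demo_fork_detection() ? "works" : "FAILED");
    return 0;
}
```

The price of this approach is one getpid() call per operation, which is cheap compared with a PKCS#11 round trip; the benefit is that the check lives entirely inside the engine and nothing outlives a dlclose().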

The presentation can be downloaded

  • Lonny Niederstadt Saturday, April 24, 2010


    Thanks for any help you can give to a fairly new administrator finding lots of developer-friendly documentation, but not yet finding the resources which would be very helpful to admins.

    How can I bring the results of the two systems below into agreement?

I was expecting to find engine and pkcs11 sections in openssl.cnf which explained the different results on the systems, but the openssl.cnf files I found did not have engine or pkcs11 sections. I didn't see relevant differences in /etc/crypto/kcf.conf either.

    I am hoping to remove PKCS #11 support for openssl AES-128-CBC on the one system.

    /usr/sfw/bin/openssl version

    OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)

    /usr/sfw/bin/openssl engine -c -t

    (pkcs11) PKCS #11 engine support


    [ available ]

    /usr/sfw/bin/openssl version

    OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-5135 CVE-2008-5077 CVE-2009-0590)

    /usr/sfw/bin/openssl engine -c -t

    (pkcs11) PKCS #11 engine support

    [RSA, DSA, DH, RAND]

    [ available ]


