From: Petr P. <pet...@at...> - 2015-01-01 10:24:46

On Thu, Jan 01, 2015 at 02:26:02PM +0530, sarat wrote:
> 1) Why is engine_pkcs11? How is it related to openssl?
>
> 2) I can do card personalization using pkcs15-tool init commands, so
> why should I need to install engine_pkcs11?
>
> 3) Is engine_pkcs11 related to OpenSC in any way, or is it specific to
> Openssl?

engine_pkcs11 is a plug-in for OpenSSL.

OpenSSL implements various cipher, digest, and signing features and it can consume and produce keys. However, plenty of people think that these features should be implemented in separate hardware, like USB tokens, smart cards or hardware security modules. Therefore OpenSSL has an abstraction layer called "engine" which can delegate some of these features to a different piece of software or hardware. OpenSSL comes with a few engines for some hardware or software security modules, like the IBM RSA module or Windows CryptoAPI. (See the OpenSSL sources and the "openssl engine -t" command output.) The engines can be built statically into the OpenSSL library or they can be built as separate plug-ins. Third-party engines always have to be built as plug-ins. One of these plug-ins is engine_pkcs11.

engine_pkcs11 is an OpenSSL engine which provides a gateway between PKCS#11 modules and the OpenSSL engine API. One has to register the engine with OpenSSL and one has to provide the path to a PKCS#11 module which should be gatewayed to. (This can be done in the OpenSSL configuration file.)

A PKCS#11 module is again a plug-in which implements the PKCS#11 API, and the purpose of the API is to provide some cryptographic features like key storage, key generation, signing, digesting, enciphering etc. The PKCS#11 API is something like the OpenSSL engine API. The PKCS#11 API is a standard and it's supported by various hardware and software vendors. Usually, a hardware vendor provides a proprietary PKCS#11 module for its cryptographic device, and a cryptographic library, like NSS or GnuTLS, can use it to access the hardware.

Now comes OpenSC, which aims to replace the proprietary PKCS#11 modules by accessing the hardware directly (or indirectly via other software like pcsc-lite). Therefore OpenSC provides a PKCS#11 module called opensc-pkcs11 which encapsulates OpenSC in the PKCS#11 API, which allows plugging OpenSC into any software supporting PKCS#11.

Unfortunately, OpenSSL does not support PKCS#11 (yet). OpenSSL has the engine API only (like Windows has CryptoAPI). Therefore engine_pkcs11 exists, which encapsulates PKCS#11 in the OpenSSL engine API.

> 4) Is engine_pkcs11 related to pkcs15-init in any way?

PKCS#15 is a storage format for smart cards. While it provides more features than PKCS#11 can do, it's still possible to use the majority of the features of a PKCS#15 card via the PKCS#11 API. So OpenSC allows that.

-- Petr
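The configuration step Petr describes (registering engine_pkcs11 in the OpenSSL configuration file and pointing it at opensc-pkcs11) and the check that the chain OpenSSL -> engine_pkcs11 -> opensc-pkcs11 -> card actually works, as an added example that is not part of the original mail or of OpenSC's or libp11's own documentation. The library paths, the key label "SIGN key" (a key created on the card with pkcs15-init) and the `run` argument are assumptions for illustration; adjust them to your system. The config keys `engine_id`, `dynamic_path`, `MODULE_PATH` and `init` are the ones engine_pkcs11 reads:

```shell
#!/bin/sh
# Added example (not from the original mail): wire OpenSC's PKCS#11 module
# into OpenSSL through engine_pkcs11 and sign with a key that stays on the card.
set -eu

# Write a minimal OpenSSL config that registers engine_pkcs11 and tells it
# which PKCS#11 module to load.  $1 = output file, $2 = engine .so, $3 = module .so
# Do not put "PIN = ..." here; the engine prompts for it (or takes pin-value in the URI).
write_engine_conf() {
    conf=$1; engine_so=$2; module_so=$3
    cat > "$conf" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module_so
init = 0
EOF
}

# Step 1 of the check: does OpenSSL load the engine and does the engine load
# the module?  "openssl engine -t" (mentioned in the mail) tests availability.
check_engine() {
    OPENSSL_CONF=$1 openssl engine -t -c pkcs11
}

# Step 2: the same objects seen through PKCS#11 directly, bypassing OpenSSL.
# This is what pkcs15-init created on the card, exposed by opensc-pkcs11.
list_token_objects() {
    pkcs11-tool --module "$1" --list-objects
}

# Step 3: sign through OpenSSL.  The private key never leaves the token; the
# public half is exported via the engine so a plain OpenSSL verify can check it.
sign_and_verify() {
    conf=$1; key_label=$2; input=$3
    export OPENSSL_CONF="$conf"
    openssl dgst -sha256 -engine pkcs11 -keyform engine \
        -sign "pkcs11:object=$key_label;type=private" \
        -out "$input.sig" "$input"
    openssl pkey -engine pkcs11 -inform engine \
        -in "pkcs11:object=$key_label;type=public" -pubout -out "$input.pub"
    openssl dgst -sha256 -verify "$input.pub" -signature "$input.sig" "$input"
}

# Only touch a real card when explicitly asked ("./engine_demo.sh run");
# otherwise just define the functions above.
if [ "${1:-}" = run ]; then
    ENGINE_SO=${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}  # assumed path
    MODULE_SO=${MODULE_SO:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}      # assumed path
    KEY_LABEL=${KEY_LABEL:-SIGN key}                                        # assumed label
    CONF=$(mktemp)
    write_engine_conf "$CONF" "$ENGINE_SO" "$MODULE_SO"
    check_engine "$CONF"
    list_token_objects "$MODULE_SO"
    printf 'message to sign\n' > "$CONF.msg"
    sign_and_verify "$CONF" "$KEY_LABEL" "$CONF.msg"
fi
```

If `openssl engine -t -c pkcs11` reports the engine as unavailable, the `dynamic_path` is wrong or the engine could not load the module at `MODULE_PATH`; if the engine loads but `pkcs11-tool --list-objects` shows no private key with that label, the problem is on the card side (pkcs15-init), not in OpenSSL.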