From: Douglas E. E. <dee...@an...> - 2013-09-19 20:32:07

Modifications to engine_pkcs11 and libp11 to support ECDSA are available at github for testing, and I am looking for comments.

https://github.com/dengert/libp11
https://github.com/dengert/engine_pkcs11

These can be used with OpenSC-0.13.0 and OpenSSL > 1.0.0 and have been tested using OpenSSL-1.0.1e both with and without modifications for OpenSSL bug report #2459. (See below.)

As interest in ECDSA and PKCS#11 has increased over the last few months, I have sent out modifications developed in 2011 to a number of people, including Sanaullah, who reported he has the older modifications working to allow OpenSSL to generate certificate requests using EC keys and signed using the EC key via PKCS#11 with softhsm. I have tested using PIV smart cards that support EC keys.

There is also another OpenSSL modification that may be needed if you try and use the OpenSSL dgst with the engine and ECDSA. (See the attachment, and the reference to the e-mail from 2010.)

Git commit comment for libp11 modification:

Experimental ECDSA support

Support for ECDSA is added for use with OpenSSL > 1.0.0. OpenSSL has an outstanding bug report, #2459, that requests the structure ecdsa_method be exposed. An engine needs to create such a structure, which is static internal to OpenSSL, with pointers to functions within the engine. Engines using RSA do not have this problem, because the rsa_method_st is exposed in rsa.h. This allows an engine such as the combination of libp11 and engine_pkcs11 to compile in a static version of the rsa_method_st.

Modifications have been submitted to OpenSSL at the suggestion of the OpenSSL developers to add a set of functions to build an ecdsa_method structure and to set the needed functions into the structure.

These libp11 modifications are designed to allow building libp11 using either the internal OpenSSL crypto/ecdsa/ecs_locl.h or the new ECDSA_METHOD_new function in ecdsa.h. By default the ECDSA_METHOD_new will be used if present.

To build using the ecs_locl.h, one must have access to the OpenSSL source and add to the libp11 build process:

-DBUILD_WITH_ECS_LOCL_H -I/<path.to.OpenSSL.source>/crypto/ecdsa

(Note that using an internal header file may require libp11 to be rebuilt to match the specific version of OpenSSL being used, and may not work in future versions.)

Once the OpenSSL modifications for #2459 are accepted libp11 will be changed to remove the old method. The intent of this dual build is to allow people to use ECDSA even if OpenSSL does not implement ECDSA_METHOD_new or does not implement it in the near future.

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
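The dual build mode described in the mail, as an added example that is not part of the original message or of the libp11/engine_pkcs11 projects: a POSIX shell helper that decides which of the two ECDSA build modes applies to a given OpenSSL installation and emits the matching CFLAGS, plus a check for the version-pinning caveat of the ecs_locl.h mode. The function names (libp11_ecdsa_cflags, openssl_version_matches) and the layout of the install prefix and source tree (include/openssl/ecdsa.h, crypto/ecdsa/ecs_locl.h, opensslv.h) are assumptions; only the -DBUILD_WITH_ECS_LOCL_H flag and the crypto/ecdsa include path come from the mail.

```shell
#!/bin/sh
# Added example, not libp11 project code. Picks the ECDSA build mode for libp11:
#   1. preferred: OpenSSL exposes ECDSA_METHOD_new in openssl/ecdsa.h (the #2459 change)
#   2. fallback:  compile against the internal crypto/ecdsa/ecs_locl.h from the
#                 OpenSSL source tree, using -DBUILD_WITH_ECS_LOCL_H
# Assumed layout: <prefix>/include/openssl/{ecdsa.h,opensslv.h} for the installed
# OpenSSL and <src>/crypto/{ecdsa/ecs_locl.h,opensslv.h} for the source tree.

# Usage: libp11_ecdsa_cflags <openssl-install-prefix> [<openssl-source-dir>]
# Prints the CFLAGS to add to the libp11 build; exits 1 if neither mode is usable.
libp11_ecdsa_cflags() {
    lp_prefix=$1
    lp_src=$2
    lp_hdr="$lp_prefix/include/openssl/ecdsa.h"

    # Mode 1: public ECDSA_METHOD_new API present in the installed headers.
    if [ -f "$lp_hdr" ] && grep -q 'ECDSA_METHOD_new' "$lp_hdr"; then
        printf '%s\n' "-I$lp_prefix/include"
        return 0
    fi

    # Mode 2: internal header from the OpenSSL source tree. This ties the
    # resulting libp11 to that exact OpenSSL version (see openssl_version_matches).
    if [ -n "$lp_src" ] && [ -f "$lp_src/crypto/ecdsa/ecs_locl.h" ]; then
        printf '%s\n' "-DBUILD_WITH_ECS_LOCL_H -I$lp_src/crypto/ecdsa -I$lp_prefix/include"
        return 0
    fi

    echo "no usable ECDSA method support: need ECDSA_METHOD_new in ecdsa.h or ecs_locl.h in the source tree" >&2
    return 1
}

# Extract the OPENSSL_VERSION_NUMBER literal from an opensslv.h file.
openssl_version_number() {
    sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Usage: openssl_version_matches <openssl-source-dir> <openssl-install-prefix>
# Returns 0 only if the source tree used for ecs_locl.h is the same OpenSSL
# version as the installed library libp11 will link against at run time.
openssl_version_matches() {
    ov_src=$(openssl_version_number "$1/crypto/opensslv.h")
    ov_inst=$(openssl_version_number "$2/include/openssl/opensslv.h")
    [ -n "$ov_src" ] && [ "$ov_src" = "$ov_inst" ]
}

# Command-line driver: print the flags for the given prefix and optional source dir.
if [ -n "$1" ]; then
    libp11_ecdsa_cflags "$@"
fi
```

Running the ecs_locl.h mode against a source tree whose OPENSSL_VERSION_NUMBER differs from the installed library is exactly the mismatch the mail warns about, so openssl_version_matches is worth running before relying on the fallback flags.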