From: David W. <dw...@in...> - 2014-12-10 14:45:02
On Wed, 2014-12-10 at 07:52 -0600, Douglas E Engert wrote:
> If you think there is a need for this, then get it working and submit a pull request.
>
> The issue with OpenSSL and engines that use keys other than RSA is still a show stopper
> for future engine development. I was looking for someone outside OpenSC to push
> OpenSSL to put some effort into the issue:
>
> http://rt.openssl.org/Ticket/Display.html?id=2568

I still think that the easier option is to get the PKCS#11 engine merged *into* OpenSSL, and then we don't have to care about visibility of private headers. OpenSSL is the last major crypto library that doesn't have PKCS#11 support.

> Without that, adding URI support for only RSA may be a wasted effort.

Not entirely. It is still a problem that software in modern distributions is using anything *other* than the (soon to be) standard PKCS#11 URI format for identifying objects in PKCS#11. I've just submitted a pull request for pkcs11-helper which makes OpenVPN behave properly. Fixing ENGINE_PKCS11 would at least allow us to fix the bizarreness of the user-facing configuration of things like wpa_supplicant which do currently use it for RSA keys. And would allow it to be used from other things like my OpenConnect VPN client.

The lack of EC support isn't entirely a showstopper, although I agree it's a pain.

--
dwmw2
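The message above argues for identifying PKCS#11 objects with the standard `pkcs11:` URI scheme (the draft that became RFC 7512) rather than per-application conventions. The following is an added example, not code from the pkcs11-helper, OpenSC or ENGINE_PKCS11 projects: a small parser for that URI scheme plus the object-selection step a consumer such as a VPN client or engine would perform against a token inventory. The inventory and the URIs are constructed for illustration; the attribute and object-type names come from the RFC.

```python
"""Parse RFC 7512 'pkcs11:' URIs and select matching objects from a token.

Added example, not project code.  SAMPLE_INVENTORY below is constructed.
"""
from urllib.parse import unquote_to_bytes

# Path attributes select a token/object; query attributes say how to reach
# the module or obtain the PIN.  Names are those listed in RFC 7512.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _parse_attrs(section, sep, allowed):
    """Split 'name=value' pairs on `sep`, percent-decode, reject duplicates.

    Unknown names are rejected: this strict parser deliberately ignores the
    vendor-specific attributes RFC 7512 also permits.
    """
    attrs = {}
    if not section:
        return attrs
    for part in section.split(sep):
        name, eq, raw = part.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {part!r}")
        if name not in allowed:
            raise ValueError(f"unknown attribute {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        value = unquote_to_bytes(raw)
        # 'id' carries CKA_ID, arbitrary bytes; all other values are UTF-8 text.
        attrs[name] = value if name == "id" else value.decode("utf-8")
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {attrs['type']!r}")
    if "slot-id" in attrs and not attrs["slot-id"].isdigit():
        raise ValueError("slot-id must be a decimal number")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a 'pkcs11:' URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return (_parse_attrs(path, ";", PATH_ATTRS),
            _parse_attrs(query, "&", QUERY_ATTRS))


def matches(selectors, obj):
    """True if every selector in the URI equals the object's attribute.

    Attributes absent from the URI match anything, so a URI such as
    'pkcs11:type=private' can select several objects; see select_objects.
    """
    return all(obj.get(k) == v for k, v in selectors.items())


def select_objects(uri, inventory):
    """All objects in `inventory` matched by the URI's path attributes."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    return [o for o in inventory if matches(path_attrs, o)]


def select_unique(uri, inventory):
    """Like select_objects but insists on exactly one match.

    Picking the first of several matches silently binds the caller to the
    wrong key when a second token or object is added later.
    """
    found = select_objects(uri, inventory)
    if len(found) != 1:
        raise LookupError(f"{uri!r} matched {len(found)} objects, expected 1")
    return found[0]


# Constructed inventory: what a module might report for two tokens.
SAMPLE_INVENTORY = [
    {"token": "VPN Token", "object": "vpn-key", "type": "private", "id": b"\x01"},
    {"token": "VPN Token", "object": "vpn-cert", "type": "cert", "id": b"\x01"},
    {"token": "Mail Token", "object": "smime", "type": "private", "id": b"\x02"},
]

if __name__ == "__main__":
    key = select_unique("pkcs11:token=VPN%20Token;id=%01;type=private",
                        SAMPLE_INVENTORY)
    print("selected", key["object"])
```

The `id` attribute is kept as raw bytes because it maps to CKA_ID, which is binary and only readable after percent-decoding; the `select_unique` check is the part most consumers forget, and it is what makes a URI usable as a stable configuration value rather than a "first key that fits" heuristic.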