From: Douglas E E. <dee...@gm...> - 2014-12-10 15:00:54
On 12/10/2014 8:44 AM, David Woodhouse wrote:
> On Wed, 2014-12-10 at 07:52 -0600, Douglas E Engert wrote:
>> If you think there is a need for this, then get it working and submit a pull request.
>>
>> The issue with OpenSSL and engines that use keys other than RSA is still a show stopper
>> for future engine development. I was looking for someone outside OpenSC to push
>> OpenSSL to put some effort into the issue:
>>
>> http://rt.openssl.org/Ticket/Display.html?id=2568
>
> I still think that the easier option is to get the PKCS#11 engine merged
> *into* OpenSSL, and then we don't have to care about visibility of
> private headers. OpenSSL is the last major crypto library that doesn't
> have PKCS#11 support.

Easier? Have you ever dealt with the OpenSSL developers?

>
>> Without that, adding URI support for only RSA may be a wasted effort.
>
> Not entirely. It is still a problem that software in modern
> distributions is using anything *other* than the (soon to be) standard
> PKCS#11 URI format for identifying objects in PKCS#11.
>
> I've just submitted a pull request for pkcs11-helper which makes OpenVPN
> behave properly.
>
> Fixing ENGINE_PKCS11 would at least allow us to fix the bizarreness of
> the user-facing configuration of things like wpa_supplicant which do
> currently use it for RSA keys. And would allow it to be used from other
> things like my OpenConnect VPN client. The lack of EC support isn't
> entirely a showstopper, although I agree it's a pain.
>

-- 
Douglas E. Engert <DEE...@gm...>
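The "(soon to be) standard PKCS#11 URI format" mentioned above is the scheme that was published as RFC 7512 in April 2015. The following is an added example for this thread, not code from OpenSC, engine_pkcs11, pkcs11-helper or OpenSSL: a strict parser for the URI's path and query attributes, and a matcher that applies the RFC's selection rule that every attribute present in the URI must match while an absent attribute matches anything (so a bare "pkcs11:" selects every object). The token and object records are constructed dicts standing in for CK_TOKEN_INFO fields and object attributes; that shape is an assumption of the example, not a PKCS#11 binding. Vendor-specific attributes, which RFC 7512 permits, are rejected here as a deliberate strictness choice, and library-*/slot-* attributes the matcher does not understand make the match fail closed rather than being ignored.

```python
"""Parse an RFC 7512 PKCS#11 URI and select objects from token metadata.

Added example, not code from OpenSC, engine_pkcs11, pkcs11-helper or
OpenSSL.  Token/object records are plain dicts (assumed shape).
"""
import re
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512.  Path attributes identify a
# token/object; query attributes carry consumer hints such as the PIN.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}

_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits


def _split_attrs(component, sep, allowed):
    """Split 'a=1<sep>b=2' into a dict of raw (still percent-encoded) values."""
    attrs = {}
    if component == "":
        return attrs
    for item in component.split(sep):
        name, eq, value = item.partition("=")   # values may themselves contain '='
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name not in allowed:
            # RFC 7512 also allows vendor-specific attributes; this strict
            # parser rejects them (a choice of this example).
            raise ValueError(f"unknown attribute {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        if _BAD_PCT.search(value):
            raise ValueError(f"bad percent-encoding in {name!r}")
        attrs[name] = value
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path, query) dicts; 'id' is bytes, every other value is str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path = _split_attrs(path_part, ";", PATH_ATTRS)
    query = _split_attrs(query_part, "&", QUERY_ATTRS)
    decoded = {}
    for name, value in path.items():
        raw = unquote_to_bytes(value)        # '+' is literal here, not a space
        decoded[name] = raw if name == "id" else raw.decode("utf-8")
    if "type" in decoded and decoded["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {decoded['type']!r}")
    return decoded, {k: unquote_to_bytes(v).decode("utf-8") for k, v in query.items()}


def is_valid_pkcs11_uri(uri):
    """True if the URI parses under the strict rules above."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False


# URI attribute -> field in the sample records.  CK_TOKEN_INFO fields are
# fixed-width and blank-padded, so padding is stripped before comparison;
# 'id' (CKA_ID) is compared as raw bytes.
_TOKEN_FIELDS = {"token": "label", "manufacturer": "manufacturerID",
                 "serial": "serialNumber", "model": "model"}
_OBJECT_FIELDS = {"object": "label", "id": "id", "type": "class"}


def select_objects(uri, token, objects):
    """Objects on `token` selected by `uri`: all URI attributes must match,
    absent ones match anything, unsupported ones fail closed."""
    path, _query = parse_pkcs11_uri(uri)
    if any(n not in _TOKEN_FIELDS and n not in _OBJECT_FIELDS for n in path):
        return []
    for name, field in _TOKEN_FIELDS.items():
        if name in path and path[name] != token[field].rstrip(" "):
            return []
    return [obj for obj in objects
            if all(path[n] == obj[f] for n, f in _OBJECT_FIELDS.items() if n in path)]


# Constructed sample metadata for demonstration (not from a real token).
SAMPLE_TOKEN = {
    "label": "My Token".ljust(32), "manufacturerID": "Acme".ljust(32),
    "serialNumber": "0001".ljust(16), "model": "v1".ljust(16),
}
SAMPLE_OBJECTS = [
    {"label": "signing key", "id": b"\x01\x02", "class": "private"},
    {"label": "signing key", "id": b"\x01\x02", "class": "cert"},
    {"label": "other key", "id": b"\x03", "class": "private"},
]

if __name__ == "__main__":
    uri = "pkcs11:token=My%20Token;object=signing%20key;type=private;id=%01%02?pin-value=1234"
    print(select_objects(uri, SAMPLE_TOKEN, SAMPLE_OBJECTS))
```

The point of the `type=` attribute in the sample is visible in the data: the private key and its certificate share a label and a CKA_ID, which is exactly the case where a label-only lookup is ambiguous and a URI pins the object class.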