From: Alon Bar-L. <alo...@gm...> - 2016-02-26 17:12:43
On 26 February 2016 at 16:19, David Woodhouse <dw...@in...> wrote:
> It would be really useful if OpenSSL *included* support for PKCS#11 as
> a first class citizen.
>
> This would mean that it could be natively incorporated into higher
> level APIs such as SSL_CTX_use_certificate() and friends. Basically any
> API that can take a filename to reference a certificate, should also be
> able to take a RFC7512 PKCS#11 URI.
>
> This would also allow us to use a coherent trust database from PKCS#11,
> which solves the problem of which *purposes* we trust each CA for,
> unlike the existing flat-file solutions.
>
> And applications would no longer need to jump through additional hoops
> and have additional dependencies to get PKCS#11 support; we could make
> it largely Just Work™, like it does for example with GnuTLS.
>

What you seek is actually NSS.

This won't happen, ever. Even if it will happen, libp11 is not the right implementation of doing that.

I have experience in working with the openssl codebase and it won't be extended to support such a specific implementation.

There was the opencryptoki project, that was the closest one to doing that without adding any code to openssl.

What you should ask first from openssl developers is to extend their engine concept to support a keystore concept. Then, at least, integration with openssl will be easier.