 

Openssl, engine_pkcs11, libp11/OpenSC

Friends, I have a smart card which I want to integrate with OpenSSL. I plan to do this through the "ENGINE" system in OpenSSL. However, I have a problem with understanding it. The fact is that there are such things as engine_pkcs11, opensc, libp11 and pkcs11-helper. Can anyone explain the relationship? What is what, and what should I compile in the first place?

Is it enough for me to write a library with the external PKCS#11 functions and connect it to openssl? Do I have to take the source code of the engine_pkcs11 library and modify it to fit my card? Do I need opensc, libp11 and pkcs11-helper? Why, then, are these libraries needed?

Also, I should note that the smart card does not support the RSA algorithm; it will be a different algorithm!

Really looking forward to your answers!

user1650740 asked Oct 18 '13 18:10




1 Answer

The openssl engine for pkcs#11 by OpenSC is needed to make interaction between openssl and the smartcard via pkcs#11 possible.

The engine is built on top of libp11 by OpenSC, an abstraction/wrapper layer/interface built on the pkcs#11 standard API for utility purposes.

From top to bottom we have:

  • openssl (by Openssl)
  • openssl pkcs#11 engine (by OpenSC)
  • libp11 (by OpenSC)
  • pkcs#11 standard api (by RSA Laboratories)
  • pkcs#11 module (by Smartcard vendor)

So in the optimal case you only have to write the pkcs#11 module for your specific smartcard hardware and then load it using the pkcs#11 engine.

The problem here is that the pkcs#11 engine, at the moment, supports only CKM_RSA_PKCS, so you probably also have to extend the current pkcs#11 openssl engine.

More info at https://github.com/OpenSC/OpenSC/wiki

lgaggini answered Sep 18 '22 17:09

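The layering described in the answer, written out as an OpenSSL engine configuration; this is an added example and not part of the original answer. The `dynamic_path` and `MODULE_PATH` values and the PIN are placeholders: the first points at the engine_pkcs11 shared object, the second at the vendor's PKCS#11 module that libp11 loads underneath the engine.

```ini
# openssl.cnf fragment (added example, paths are placeholders)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Layer 2: the OpenSC pkcs#11 engine, loaded dynamically by OpenSSL.
engine_id = pkcs11
dynamic_path = /PLACEHOLDER/engines/pkcs11.so
# Layer 3/5: libp11 (linked into the engine) dlopen()s the vendor module
# that implements the pkcs#11 standard API for this specific card.
MODULE_PATH = /PLACEHOLDER/vendor-pkcs11-module.so
# User PIN for the token; keep it out of world-readable config in practice
# and prefer prompting or a restricted file.
PIN = PLACEHOLDER_PIN
# Do not initialise the engine at config load time; OpenSSL initialises
# it on first use so that a missing card does not break every openssl call.
init = 0
```

With `OPENSSL_CONF` pointing at that file, `openssl engine -t pkcs11` reports whether the engine and the vendor module load, and keys on the card are referenced with `-engine pkcs11 -keyform engine` plus a `pkcs11:` URI. The supported mechanisms are still those of the engine and the vendor module, so a card with a non-RSA algorithm needs the extension the answer mentions regardless of this configuration.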