Openssl, engine_pkcs11, libp11/OpenSC

Question

Friends, I have a smart card, which I want to integrate OpenSSL. Plan to do this through a system of "ENGINE" in OpenSSL. However, I have a problem with understanding. The fact that there are such things as engine_pkcs11, opensc, libp11, pkcs11-helper. Can anyone explain the relationship? What is and what to compile in the first place?

Is it enough to write me a library with external PKCS # 11 functions to connect it to openssl? I have to take the source code of the library engine_pkcs11 and modify it to fit my card? Do I need this opensc, libp11, pkcs11-helper? Why, then, need these libraries?

Also, I should note that the smart card does not support RSA-algorithm, it will be a different algorithm!!!!

Really looking forward to your answers!

Answer 1

The openssl engine for pkcs#11 by OpenSC is needed to make interaction between openssl and smartcard by pkcs#11 possible.

The engine is built on top of libp11 by OpenSC, an abstraction/wrapper layer/interface, built on pkcs#11 standard API for utility purpose.

From top to bottom we have:

• openssl (by Openssl)
• openssl pkcs#11 engine (by OpenSC)
• libp11 (by OpenSC)
• pkcs#11 standard api (by RSA Laboratories)
• pkcs#11 module (by Smartcard vendor)

So in an optimum case you have only to write the pkcs#11 module for you specific smartcard hardware and then load it using pkcs#11 engine.

The problem here is that pkcs#11 engine, at the moment, support only CKM_RSA_PKCS, so, probably, you have also to extend the current pkcs#11 openssl engine.

More info at https://github.com/OpenSC/OpenSC/wiki