> From: jb-open...@wisemo.com
> I seem to recall there was/is an engine to use a device with a
> PKCS#11 ("p11") driver dll, on any OS. If this is so, you may
> be able to use many kinds of existing devices, including Gemalto
> or Oberthur smartcards (if those are safe enough).
>
> However my latest attempts to use this died due to bugs in
> M.U.S.C.L.E. opensc which made it not work with M.U.S.C.L.E.
> cards, but bugs may have been fixed since then.
>
> --
> Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Thanks Jakob. Digging into my old notes, it seems the driver you are referring to might just be what I managed to get to work with:

    C:\>openssl
    OpenSSL> engine -t dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:cps_pkcs11_w32.dll
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:engine_pkcs11
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:cps_pkcs11_w32.dll
    Loaded: (pkcs11) pkcs11 engine
         [ available ]

And then, instead of using -key mykeyfile.pem as a parameter to the openssl tools, it would instead be -engine pkcs11 -inkey 01000000 -keyform engine.

However, back then:

1) I think I remember the Windows dll was proprietary and very specific to the smartcards I was using.
2) I found out this trick by accident, months after putting in production a solution based on Java. So the -engine was just a proof of concept for me.
3) I would rather have Windows off topic here, see below.

Is all this what you are referring to?

> From: mmolt...@cisco.com
> The only providers of crypto smart cards I know are for OpenPGP, they are european and I use their smart card, I am happy with. Although it seems that the smartcard doesn't support directly OpenSSL, I think they might give you valuable information. http://www.g10code.de/
>
> thanks
> marco

Thanks Marco. I'll have a look as well.

> From: st...@openssl.org
> What is the OS? If it is Windows you can use the CryptoAPI ENGINE and any
> hardware that has a CryptoAPI CSP.
>
> Steve.

Thanks Steve. The OS for now is Linux. It wouldn't be that hard to switch to Windows as most of the code is cross platform (mostly thanks to openssl btw ;)). However, since the operation is somehow sensitive, I would feel very uncomfortable to be coerced into switching back to Windows for that. It is that very reason (peace of mind) that makes me want to stick with openssl. I know it, I trust it, its very name makes worries go away.
Now that I look at my first post, I have not mentioned it but it would be very nice to be FIPS 140-3 compliant here. However, after some googling around I have the feeling I'll have to drop that idea. But if someone can prove me wrong here, please let me know.

thanks
alex
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
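The interactive "engine -t dynamic -pre ..." sequence above has to be retyped in every openssl session. The script below is an added example, not code from the thread or from the OpenSSL or OpenSC projects: it writes the same settings into an openssl.cnf so that plain "-engine pkcs11 -keyform engine" works in every openssl tool, then does a sign/verify round-trip through the token on Linux. Assumed (not stated on the page): engine_pkcs11 from OpenSC's libp11 is installed, the vendor's PKCS#11 module path is supplied in PKCS11_MODULE, the key's PKCS#11 id is supplied in KEY_ID (the "01000000" from the thread), and the matching public key has already been exported to a PEM file with the vendor's tooling. All file paths in the defaults and in the usage note are constructed placeholders.

```shell
#!/bin/sh
# Added example for the openssl-users thread above; not the original poster's code.
# Static openssl.cnf equivalent of:
#   engine -t dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 \
#          -pre LOAD -pre MODULE_PATH:<vendor module>
set -u

# Print an openssl.cnf fragment that loads the dynamic engine and the PKCS#11
# module.  Arguments: engine_pkcs11 .so path, PKCS#11 module path, optional PIN.
# The section keys (engine_id, dynamic_path, MODULE_PATH, init, PIN) are the
# control commands engine_pkcs11 understands.  Keep the PIN out of argv of the
# openssl command itself; a config file with mode 0600 is the lesser evil.
make_engine_conf() {
    engine_so=$1
    module=$2
    pin=${3:-}
    printf '%s\n' \
        'openssl_conf = openssl_init' \
        '' \
        '[openssl_init]' \
        'engines = engine_section' \
        '' \
        '[engine_section]' \
        'pkcs11 = pkcs11_section' \
        '' \
        '[pkcs11_section]' \
        'engine_id = pkcs11' \
        "dynamic_path = $engine_so" \
        "MODULE_PATH = $module" \
        'init = 0'
    # Without a PIN line openssl prompts on the terminal, which is fine for
    # interactive use and wrong for anything run from cron or a service.
    if [ -n "$pin" ]; then
        printf 'PIN = %s\n' "$pin"
    fi
}

# Sign a file with the private key that stays on the token, then verify the
# signature with the exported public key so a wrong MODULE_PATH or key id
# fails loudly instead of silently signing with the wrong key.
# Arguments: config path, key id, input file, signature output, public key PEM.
sign_and_verify() {
    conf=$1; key_id=$2; infile=$3; sigfile=$4; pubfile=$5
    OPENSSL_CONF=$conf openssl dgst -sha256 -engine pkcs11 -keyform engine \
        -sign "$key_id" -out "$sigfile" "$infile" || return 1
    # Verification needs no engine: only the public half is involved.
    openssl dgst -sha256 -verify "$pubfile" -signature "$sigfile" "$infile"
}

# Only touch hardware when the caller names a module; the config generator
# can be exercised without any token present.
if [ -n "${PKCS11_MODULE:-}" ]; then
    conf_file=./pkcs11-openssl.cnf
    umask 077
    make_engine_conf "${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}" \
        "$PKCS11_MODULE" "${PKCS11_PIN:-}" > "$conf_file"
    sign_and_verify "$conf_file" "${KEY_ID:-01000000}" "${INFILE:?}" \
        "${INFILE}.sig" "${PUBKEY:?}"
fi
```

Usage (placeholder paths): PKCS11_MODULE=/opt/vendor/libcps_pkcs11.so KEY_ID=01000000 INFILE=payload.bin PUBKEY=token-pub.pem sh pkcs11-sign.sh. For rsautl or pkeyutl the same key is selected with "-inkey 01000000 -keyform engine", exactly as in the post; how the id string must be spelled (raw hex versus an "id_" prefix or a pkcs11: URI) depends on the engine_pkcs11 version, so check its README for the build in use.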