PKCS#11 engine implementation

Nikolay Elenkov nick at sarion.co.jp
Thu Mar 4 08:35:09 UTC 2010


On 2010/03/04 3:29, Evan Hunt wrote:
> 
>> What version of the original OpenSolaris patch is the openssl-0.9.8l-patch in
>> the 9.7.0 tarball based on?
> 
> 2009-03-11.
> 
> More specifically, pkcs11_engine-0.9.8j.patch.2009-03-11, applied to 0.9.8k
> as explained in http://blogs.sun.com/janp/entry/pkcs_11_engine_patch_for1.

Thank you, that makes diff-ing a bit easier.

> 
>> What has been changed/added?
> 
> Principally:
> 
>   1) ability to access key by reference

I've been looking at the BIND 9.7 patch and the 'original' OpenSolaris patch.
The Solaris one has pretty decent key by reference support, but unfortunately it
doesn't currently work with BIND 9.7. I was able to generate keys, but
dnssec-signzone fails to find the private key when signing. I haven't looked into
it in detail (yet), but at least one problem is that opensslrsa_isprivate
doesn't recognize the key as private (looks like RSA_FLAG_EXT_PKEY is not set?).

So how is the key by reference implemented/used in the BIND version? I don't see
a clear distinction between session and token keys.
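
The decision the post is poking at, as an added self-contained model (not BIND or OpenSSL code, and not anything the poster wrote): a key held by reference in a PKCS#11 token has no private exponent in the RSA object, so an "is this key private?" check that only looks for d will say no, and signing then fails with "no private key". The struct, the flag value and the constructor functions below are constructed stand-ins for the OpenSSL 0.9.8 RSA fields involved; the assumption is that the check behaves like "d present, or RSA_FLAG_EXT_PKEY set". The session/token distinction is modelled too: a session object is gone once the session that created it closes, so a reference to it cannot be resolved by a later process such as dnssec-signzone, whereas a token object can.

```c
/* Added example: a model of the key-by-reference "is private?" decision.
 * Not BIND or OpenSSL code. The struct and the flag value are constructed
 * stand-ins; the check itself assumes the form "d != NULL || EXT_PKEY flag". */
#include <stdio.h>
#include <stddef.h>

#define MODEL_RSA_FLAG_EXT_PKEY 0x0020u   /* model value, not OpenSSL's constant */

enum key_scope { SCOPE_SESSION, SCOPE_TOKEN };

struct model_rsa {
    const char    *d;       /* private exponent; NULL when it only exists inside the token */
    unsigned long  flags;   /* MODEL_RSA_FLAG_EXT_PKEY marks "private part lives in the engine" */
    const char    *key_id;  /* PKCS#11 object label/ID used to find the key by reference */
    enum key_scope scope;   /* session object vs token object (CKA_TOKEN false vs true) */
};

/* Assumed form of the isprivate check: software key, or engine-backed key. */
int model_isprivate(const struct model_rsa *rsa)
{
    return rsa->d != NULL || (rsa->flags & MODEL_RSA_FLAG_EXT_PKEY) != 0;
}

enum sign_result {
    SIGN_SOFTWARE,        /* d in memory: sign locally */
    SIGN_BY_REFERENCE,    /* d only in the token: engine signs using key_id */
    SIGN_NO_PRIVATE_KEY,  /* what dnssec-signzone reports when isprivate says no */
    SIGN_REFERENCE_STALE  /* session object referenced from a different session */
};

/* Dispatch a signing request the way a signer would on each key shape.
 * same_session is 1 when the caller still holds the session that created the key. */
enum sign_result model_sign(const struct model_rsa *rsa, int same_session)
{
    if (!model_isprivate(rsa))
        return SIGN_NO_PRIVATE_KEY;
    if (rsa->d != NULL)
        return SIGN_SOFTWARE;
    if (rsa->scope == SCOPE_SESSION && !same_session)
        return SIGN_REFERENCE_STALE;
    return SIGN_BY_REFERENCE;
}

/* Constructed sample keys. */
struct model_rsa model_software_key(void)
{
    struct model_rsa k = { "d-in-memory", 0, NULL, SCOPE_SESSION };
    return k;
}

struct model_rsa model_token_key(int flag_set)
{
    struct model_rsa k = { NULL, flag_set ? MODEL_RSA_FLAG_EXT_PKEY : 0, "Kexample.+005+12345", SCOPE_TOKEN };
    return k;
}

struct model_rsa model_session_key(int flag_set)
{
    struct model_rsa k = { NULL, flag_set ? MODEL_RSA_FLAG_EXT_PKEY : 0, "tmp-session-key", SCOPE_SESSION };
    return k;
}

static const char *describe(enum sign_result r)
{
    switch (r) {
    case SIGN_SOFTWARE:       return "signed in software";
    case SIGN_BY_REFERENCE:   return "signed by the engine via key reference";
    case SIGN_NO_PRIVATE_KEY: return "no private key found";
    default:                  return "reference to a session object that no longer exists";
    }
}

int main(void)
{
    struct model_rsa sw = model_software_key();
    struct model_rsa tok_noflag = model_token_key(0);
    struct model_rsa tok = model_token_key(1);
    struct model_rsa sess = model_session_key(1);

    printf("software key:            %s\n", describe(model_sign(&sw, 0)));
    printf("token key, flag missing: %s\n", describe(model_sign(&tok_noflag, 0)));
    printf("token key, flag set:     %s\n", describe(model_sign(&tok, 0)));
    printf("session key, same proc:  %s\n", describe(model_sign(&sess, 1)));
    printf("session key, new proc:   %s\n", describe(model_sign(&sess, 0)));
    return 0;
}
```

The second case is the failure described above: a token key with d == NULL and the flag unset is reported as not private even though the token can sign with it. The last case is why the session/token distinction matters for key-by-reference: a flag alone does not help if the referenced object was never persisted in the token.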
