PKCS#11 engine patch for OpenSSL
In this blog entry I would like to give you some information about the PKCS#11 engine we ship with OpenSSL in Solaris and about the PKCS#11 patch we created using publicly available OpenSolaris code. PKCS#11 is an API defining a generic interface to cryptographic tokens. This API was chosen for communication between providers and consumers of the Solaris Cryptographic Framework.
The OpenSSL PKCS#11 engine enables OpenSSL to make use of the Crypto Framework, which means that you can make use of the hardware/software providers you plug into the framework. For example, that way you can use the RSA/DSA hardware accelerator built into the UltraSPARC T1 processor, aka Niagara. See ncp(7d) for more information. Using the PKCS#11 engine has an advantage over the engines shipped with the original version of OpenSSL in that you don't have to worry about which exact crypto provider is there. If you can plug it into the framework, it's fine. That's also the reason why we ship just this PKCS#11 engine and not the other ones.
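As an added illustration (not from this post or from README.pkcs11), here is an openssl.cnf fragment that makes the pkcs11 engine the default for every algorithm it claims, so applications that read the OpenSSL config get Crypto Framework providers without any code change. It assumes the engine id `pkcs11` and a statically linked engine (as the 0.9.7 patch builds it); the section names are arbitrary.

```ini
# Added example, not from the post: enable the pkcs11 engine via OpenSSL config.
# Assumes the engine is linked in statically (as the 0.9.7 patch does), so no
# dynamic_path line is needed; section names are arbitrary.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Hand every operation the engine supports to the Crypto Framework;
# narrow this to e.g. RSA,DSA if only the accelerator should be used.
default_algorithms = ALL
init = 1
```

Point OPENSSL_CONF at this file and run `openssl engine -t -c pkcs11`: `-t` reports whether the engine initialises and `-c` lists the algorithms it actually provides, which is the quickest way to confirm that the Framework provider, not OpenSSL's own software code, is doing the work.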
People were asking for this code to be released as a patch. So, some months ago I made a PKCS#11 patch for the 0.9.7d version which I tested on Linux; other systems should be fine, too. Of course, you need a PKCS#11 backend to be able to use it there. Many Linux distributions already ship with such a backend, called openCryptoki, which also provides a software provider.
We have received some feedback where people asked for this patch to be upgraded to support the latest OpenSSL versions, since several security vulnerabilities were found after 0.9.7d was released. So I upgraded that patch to support the latest 'el' release in the 0.9.7 branch. Thanks to the OpenSSL project, you can find all the patches in their Contribution section. I put README.pkcs11 online for your convenience. There is no support from Sun for these patches, of course. However, if you find problems with them, please let me know and I will try to fix them.
There is no patch for 0.9.8x yet; we would like to rewrite the engine so that it's a dynamic one. That means that, due to US export control, we must verify that every engine we ship with Solaris is properly signed, and check the signature before we load it. When this work is done, we will release a PKCS#11 patch for the latest 0.9.8x at that time.
Posted by Derek Morr on October 30, 2006 at 10:55 PM CET #
Posted by Rainer Jung on November 01, 2006 at 12:43 AM CET #
to Derek: 192/256 algorithms are not in S10/OpenSolaris by default yet; you need the SUNWcry* packages for that. These are import issues, not export. There is currently a project to remove those packages and ship all the stuff by default, since those import restrictions went away some time ago. When that is done I guess I will update the code to include it.
to Rainer: probably not in the near future; I had a short discussion with one of the OpenSSL guys, but they are pretty busy. I also didn't see any requests for a PKCS#11 engine on the OpenSSL mailing lists. You may ping those lists if you really would like to see it there.
There are no licensing issues.
Posted by Jan on November 01, 2006 at 04:04 PM CET #
Posted by Dennis Gilmore on April 02, 2007 at 06:47 PM CEST #
It seems that some readers misinterpreted this entry in terms of support. Let me state (as Darren Moffat did in another blog entry) that Sun FULLY supports the binary version of the OpenSSL PKCS#11 engine shipped with (Open)Solaris (which is logical, because it is part of the ON consolidation, which forms the core of the Solaris OS). If you compile your own OpenSSL version with the 'pkcs11_engine' patch, then it is NOT supported by Sun.
Posted by Vladimir Kotal on June 03, 2008 at 03:09 PM CEST #