PKCS#11 engine patch update for OpenSSL 0.9.8h
I've updated the PKCS#11 patch to the latest OpenSSL 0.9.8h version. It's rather a big update. During the last few months, Vladimir, Darren and I did some work on the PKCS#11 engine source code. The result is a bunch of fixed CRs that are now all integrated into OpenSolaris, which means they are covered by this patch as well:
6602801 PK11_SESSION cache has to employ reference counting scheme for asymmetric key operations
6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called atomically
6607307 pkcs#11 engine can't read RSA private keys
6652362 pk11_RSA_finish() is cutting corners
6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in suboptimal way
6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more resilient to destroy failures
6667273 OpenSSL engine should not use free() but OPENSSL_free()
6670363 PKCS#11 engine fails to reuse existing symmetric keys
6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size of big numbers leading to failures
6706562 pk11_DH_compute_key() returns 0 in case of failure instead of -1
6706622 pk11_load_{pub,priv}key create corrupted RSA key references
6707129 return values from BN_new() in pk11_DH_generate_key() are not checked
6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to structure reuse
6707782 OpenSSL PKCS#11 engine pretends to be aware of OPENSSL_NO_{RSA,DSA,DH} defines but fails miserably
6709966 make check_new_*() to return values to indicate cache hit/miss
6705200 pk11_dh struct initialization in PKCS#11 engine is missing generate_params parameter
6709513 PKCS#11 engine sets IV length even for ECB modes
6728296 buffer length not initialized for C_(En|De)crypt_Final() in the PKCS#11 engine
6728871 PKCS#11 engine must reset global_session in pk11_finish()
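The CR 6678503 entry in the list above (DSA signature conversion ignoring the size of the big numbers) is a failure mode worth seeing in code. What follows is an added example written for this post, not code from the engine or from the patch. It assumes the 160-bit-q DSA case, where the PKCS#11 CKM_DSA mechanism takes a signature as the raw 40-byte concatenation r||s, and it assumes, from the CR title alone, that the defect is placing a component that BN_bn2bin() emitted with fewer than 20 bytes into its field without left zero-padding. The function names bn_to_fixed, dsa_rs_to_pk11_sig, dsa_rs_to_pk11_sig_naive and conversions_differ, and the sample r and s values, are all constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Width of one DSA signature component for a 160-bit q: the PKCS#11
 * CKM_DSA mechanism expects the raw concatenation r || s, 40 bytes. */
#define DSA_FIELD_LEN 20

/* Copy a big-endian integer (the minimal encoding BN_bn2bin() emits) into
 * a fixed-width field, right-aligned and zero-padded on the left.
 * Returns 0 on success, -1 if the value does not fit in the field. */
int bn_to_fixed(const unsigned char *bn, size_t bn_len,
                unsigned char *out, size_t field_len)
{
    /* Leading zero bytes carry no value; tolerate non-minimal input. */
    while (bn_len > 0 && bn[0] == 0) {
        bn++;
        bn_len--;
    }
    if (bn_len > field_len)
        return -1;
    memset(out, 0, field_len - bn_len);
    memcpy(out + (field_len - bn_len), bn, bn_len);
    return 0;
}

/* Size-aware conversion: each component goes into its own 20-byte field
 * with whatever left padding its actual length requires. */
int dsa_rs_to_pk11_sig(const unsigned char *r, size_t r_len,
                       const unsigned char *s, size_t s_len,
                       unsigned char *sig)
{
    if (bn_to_fixed(r, r_len, sig, DSA_FIELD_LEN) < 0)
        return -1;
    if (bn_to_fixed(s, s_len, sig + DSA_FIELD_LEN, DSA_FIELD_LEN) < 0)
        return -1;
    return 0;
}

/* Size-ignoring conversion, kept only to show the failure: each component
 * is written at a fixed offset as if it were always 20 bytes long. With a
 * 19-byte r the value lands one byte too far to the left and the last
 * byte of the r field is never written, so the token sees a different
 * r than the signer produced and verification fails. */
void dsa_rs_to_pk11_sig_naive(const unsigned char *r, size_t r_len,
                              const unsigned char *s, size_t s_len,
                              unsigned char *sig)
{
    memset(sig, 0, 2 * DSA_FIELD_LEN);
    memcpy(sig, r, r_len);                  /* as if BN_bn2bin(r, sig)      */
    memcpy(sig + DSA_FIELD_LEN, s, s_len);  /* as if BN_bn2bin(s, sig + 20) */
}

/* Returns 1 if the two conversions disagree for the given r and s,
 * 0 if they agree, -1 if a component does not fit at all. */
int conversions_differ(const unsigned char *r, size_t r_len,
                       const unsigned char *s, size_t s_len)
{
    unsigned char good[2 * DSA_FIELD_LEN], bad[2 * DSA_FIELD_LEN];
    if (dsa_rs_to_pk11_sig(r, r_len, s, s_len, good) < 0)
        return -1;
    dsa_rs_to_pk11_sig_naive(r, r_len, s, s_len, bad);
    return memcmp(good, bad, sizeof good) != 0;
}

static void hexdump(const char *label, const unsigned char *p, size_t n)
{
    size_t i;
    printf("%s", label);
    for (i = 0; i < n; i++)
        printf("%02x", p[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed sample: r is a 19-byte value (roughly 1 in 256 DSA
     * signatures has a component that short), s is a full 20 bytes. */
    unsigned char r[19], s[20], good[40], bad[40];
    size_t i;
    for (i = 0; i < sizeof r; i++) r[i] = (unsigned char)(0x11 + i);
    for (i = 0; i < sizeof s; i++) s[i] = (unsigned char)(0xa0 + i);

    dsa_rs_to_pk11_sig(r, sizeof r, s, sizeof s, good);
    dsa_rs_to_pk11_sig_naive(r, sizeof r, s, sizeof s, bad);
    hexdump("padded r||s: ", good, sizeof good);
    hexdump("naive  r||s: ", bad, sizeof bad);
    return 0;
}
```

The point of the naive variant is that it works for the overwhelming majority of signatures, so a quick test would not catch it; only a component whose top byte happens to be zero exposes the misalignment, which is exactly the kind of intermittent failure the CR title describes.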
And also some enhancements:
6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric ciphers and digests
On my Vaio installed with the latest Nevada code, using the patched OpenSSL command:
openssl engine -vvv -t -c
I can see this PKCS#11 section, slightly formatted manually:
(pkcs11) PKCS #11 engine support
[RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
AES-256-ECB, BF-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5,
SHA1, SHA256, SHA384, SHA512]
[ available ]
SO_PATH: Specifies the path to the 'pkcs#11' shared library
(input flags): STRING
Note that this patch DOES NOT include the changes for accessing RSA keys by reference. I got some reports about various issues with that code (thanks to all who wrote me!) but didn't have any time to take a look at them yet - ENOTIME. If you really want that original code I'm sure you can apply those changes from the previous patch, and as soon as I take a look at that code again I'll release a new version of the patch. I just don't want to publish code that doesn't work properly.
The patch file is pkcs11_engine-0.9.8h.patch.2008-07-29, and, as usual, you can read the README file that is part of the patch here.
UPDATE (2008-07-30): if you need to use this patch on Solaris, change the #undef SOLARIS_HW_SLOT_SELECTION line in the crypto/engine/hw_pk11.c file to #define SOLARIS_HW_SLOT_SELECTION, and do it before building the code, of course. I forgot to make that automatic.
Interesting post, I have also seen http://developers.sun.com/appserver/reference/techart/keymgmt.html, it would be great to have a new blog entry explaining how to configure GlassFish to store certificates in the Sun Crypto Card 6000, on Solaris 10 and Linux.
Posted by Steve Pincaud on September 02, 2008 at 11:57 AM CEST #
Steve, I know close to nothing about GlassFish but AFAIK it doesn't use OpenSSL at all so quite probably you won't find the entry you are looking for on this blog :-)
Posted by Jan on September 02, 2008 at 12:07 PM CEST #