[OpenCA-Devel] PKCS11 - The disturbing Truth about libp11 and OpenSC!
by Massimiliano Pala
Hi all,

I am developing the PKCS#11 driver for LibPKI and I am playing around with
some other code - especially libp11, which is used by a lot of software:
- OpenSSL's ENGINE for PKCS#11
- OpenSC

When creating the key, the behaviour a user would expect from these drivers
is to generate the keypair in the device and then, eventually, export the
public part. However, libp11 behaves differently. What it really does
is generate the key in software and then import it into the device - which
totally invalidates the assumptions made when using a PKCS#11 device!

Therefore, my advice is: do not use OpenSC + libp11 (for PKCS#11 access) if
you are concerned about the security of your private key!

I will develop an application that will print out the "properties" of
public/private keys in a PKCS#11 device so that you can check out what
the status of your generated keys is - the tool will probably be part
of the LibPKI package.

Later,
Max
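As an added example (not code from the post, LibPKI, libp11 or OpenSC), here is a C check of the kind Max describes: it reads the CKA_LOCAL, CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE attributes of a private key through a module's C_GetAttributeValue and reports whether the key was generated inside the token or imported. The minimal typedefs, the GetAttrFn type and the fake_* module stand-ins are assumptions made so it compiles and runs without a real token; with a real module you would pass its C_GetAttributeValue pointer and a logged-in session instead.

```c
/* Added example (not from the original post). Typedefs stand in for the
 * vendor pkcs11.h header; the attribute and return-code values are the
 * standard PKCS#11 v2 ones. */
typedef unsigned long CK_ULONG, CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
/* Signature of C_GetAttributeValue, taken from the module's CK_FUNCTION_LIST. */
typedef CK_RV (*GetAttrFn)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
#define CK_FALSE 0
#define CK_TRUE 1
#define CKR_OK 0x00UL
#define CKR_ATTRIBUTE_SENSITIVE 0x11UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define CKA_LOCAL 0x163UL
#define CKA_NEVER_EXTRACTABLE 0x164UL
#define CKA_ALWAYS_SENSITIVE 0x165UL
enum key_origin { KEY_ON_TOKEN_ALWAYS_PROTECTED, KEY_ON_TOKEN_BUT_EXTRACTABLE, KEY_IMPORTED, KEY_ORIGIN_UNKNOWN };

/* CKA_LOCAL is CK_TRUE only for keys created by C_GenerateKeyPair inside the token.
 * A key imported with C_CreateObject (software keygen, then import) reports CKA_LOCAL,
 * CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE as CK_FALSE, however it is flagged now. */
enum key_origin check_key_origin(GetAttrFn get_attr, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key)
{
    CK_BBOOL local = CK_FALSE, never_extr = CK_FALSE, always_sens = CK_FALSE;
    CK_ATTRIBUTE tmpl[] = {
        { CKA_LOCAL,             &local,       sizeof local },
        { CKA_NEVER_EXTRACTABLE, &never_extr,  sizeof never_extr },
        { CKA_ALWAYS_SENSITIVE,  &always_sens, sizeof always_sens },
    };
    CK_RV rv = get_attr(s, key, tmpl, sizeof tmpl / sizeof tmpl[0]);
    /* Per-attribute errors still leave the other values filled; anything else is fatal. */
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_SENSITIVE && rv != CKR_ATTRIBUTE_TYPE_INVALID)
        return KEY_ORIGIN_UNKNOWN;
    if (tmpl[0].ulValueLen == CK_UNAVAILABLE_INFORMATION)
        return KEY_ORIGIN_UNKNOWN;   /* module will not reveal where the key came from */
    if (local != CK_TRUE)
        return KEY_IMPORTED;         /* the key material existed outside the token */
    if (never_extr == CK_TRUE && always_sens == CK_TRUE)
        return KEY_ON_TOKEN_ALWAYS_PROTECTED;
    return KEY_ON_TOKEN_BUT_EXTRACTABLE;
}

/* Constructed stand-ins for a module's C_GetAttributeValue, so the check runs without a token. */
static CK_RV fill_all(CK_ATTRIBUTE *t, CK_ULONG n, CK_BBOOL v)
{ while (n--) *(CK_BBOOL *)t[n].pValue = v; return CKR_OK; }
CK_RV fake_imported_key(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE k, CK_ATTRIBUTE *t, CK_ULONG n)
{ (void)s; (void)k; return fill_all(t, n, CK_FALSE); }   /* software keygen, then import */
CK_RV fake_generated_key(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE k, CK_ATTRIBUTE *t, CK_ULONG n)
{ (void)s; (void)k; return fill_all(t, n, CK_TRUE); }    /* C_GenerateKeyPair on the token */
```

A key that reports KEY_IMPORTED has, by the PKCS#11 attribute semantics, existed as plaintext outside the token at some point, which is exactly the condition the post warns about.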