You might use the Network Security Services (NSS) library. It's accredited against FIPS 140-2 (Federal Information Processing Standards), and I hear if you use it properly, your application can inherit that accreditation. This may become more important to you as time goes on.

NSS does the same sorts of things OpenSSL does, but easily supports PKCS#11 modules, and CoolKey provides such a module. (It's via NSS -> PKCS#11 -> CoolKey that Firefox supports CACs, for example.)

NSS's home page is at http://www.mozilla.org/projects/security/pki/nss/

See also http://fedoraproject.org/wiki/FedoraCryptoConsolidation

I'm pretty sure that the CAC doesn't directly implement or make available all of the capabilities you would expect; some of these are emulated in the CoolKey PKCS#11 module.

You might read <http://curl.haxx.se/lxr/source/lib/nss.c>, comparing with <http://curl.haxx.se/lxr/source/lib/ssluse.c>, as a (fairly) simple example of NSS usage.

NSS is a layer of abstraction between you and PKCS#11 modules. I'm sure some people use PKCS#11 directly, but I don't know anything about that route.

_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel