On 27/05/2015 15:26, Pavel Abramov wrote:
> Hi,
>
> I have a task to use external Security Module to perform RSA functions in my WEB-server (nginx/httpd using OpenSSL for HTTPS).
> The goal is to store Server private key components and establish SSL Handshake using Hardware module. It is not an SSL hardware accelerator.
>
> This device has proprietary API (binary protocol over TCP/UDP, a few commands like "generate RSA key pair", "premaster decrypt using key#123").
>
> What is the easiest way to do it? Will be very grateful for keywords/advice.
> Should I write my ENGINE? Or is there any other way?
>
> I need only 2 functions to perform using hardware:
> - RSA key generation (private component will be saved in hardware module)
> - PreMaster decrypt from client during SSL handshake
>
> How to override only these 2 functions?

If there is a generic engine wrapping pkcs11 or a similar API, it may or may not be easier to implement (or reuse if already provided) a hardware specific pkcs11 (or similar) driver.

I am unsure if there is or is not a well maintained pkcs11 engine for OpenSSL, either in the OpenSSL project or elsewhere. Maybe the opensc project has one, but I don't know if that would be general or specific to opensc pkcs11 drivers.

Keywords to search for: pkcs11, pkcs11 engine, opensc project, openssl engine.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded