HSM/engine/SmartCard for OpenVMS

Francesco Gennai
I need to sign e-mail messages in an OpenVMS environment
with a signing device (SmartCard, HSM, other...)

Is there any solution to use a signing device with OpenSSL in
an OpenVMS environment?

Regards,
Francesco
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: HSM/engine/SmartCard for OpenVMS

Richard Levitte - VMS Whacker
In message <[hidden email]> on Sun, 26 Mar 2006 00:51:54 +0100, Francesco Gennai <[hidden email]> said:

francesco.gennai+openssl> I need to sign e-mail messages in OpenVMS
francesco.gennai+openssl> environment by a signing device (SmartCard,
francesco.gennai+openssl> HSM, other...)
francesco.gennai+openssl>
francesco.gennai+openssl> Is there any solution to use a signing
francesco.gennai+openssl> device with OpenSSL in OpenVMS environment?

Yes, you need to build a shareable image that implements an OpenSSL
engine to interface with the device.  That sort of engine translates
OpenSSL crypto and hash algorithm calls to whatever the device needs
to perform its job properly.

Unfortunately, the best documentation is the source.  Look in
crypto/engine/, engines/ and demos/engines/rsaref/ .  The last one was
written specifically to show how it's done (or at least how it can be
done :-)).

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis

Re: HSM/engine/SmartCard for OpenVMS

Francesco Gennai


Richard Levitte - VMS Whacker wrote:

>
> In message <[hidden email]> on Sun, 26 Mar 2006 00:51:54 +0100, Francesco Gennai <[hidden email]> said:
>
> francesco.gennai+openssl> I need to sign e-mail messages in OpenVMS
> francesco.gennai+openssl> environment by a signing device (SmartCard,
> francesco.gennai+openssl> HSM, other...)
> francesco.gennai+openssl>
> francesco.gennai+openssl> Is there any solution to use a signing
> francesco.gennai+openssl> device with OpenSSL in OpenVMS environment?
>
> Yes, you need to build a shareable image that implements an OpenSSL
> engine to interface with the device.  That sort of engine translates
> OpenSSL crypto and hash algorithm calls to whatever the device needs
> to perform its job properly.
>
> Unfortunately, the best documentation is the source.  Look in
> crypto/engine/, engines/ and demos/engines/rsaref/ .  The last one was
> written specifically to show how it's done (or at least how it can be
> done :-)).
>

Richard,
thank you for the pointers.

I would like to get some more information before starting the next step
in our development.

At this point of our project we have a system that
signs messages by using a private key stored on the hard disk.

The system runs on OpenVMS OS and uses OpenSSL libraries for
the signing process.

Now we need to move the private key to a signing device.

We could also use an expensive solution, like an HSM, but
we would like to know about existing experiences, and about
products: SmartCard models and producers and/or HSM models and
producers that have already been used in an OpenSSL/OpenVMS environment
or that, according to your experience, could be tested.

Thank you.

Regards,
Francesco


> Cheers,
> Richard
>
> -----
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.
>
> --
> Richard Levitte                         [hidden email]
>                                         http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
>  the fear of childishness and the desire to be very grown up."
>                                                 -- C.S. Lewis

Re: HSM/engine/SmartCard for OpenVMS

Richard Levitte - VMS Whacker
In message <[hidden email]> on Sun, 26 Mar 2006 20:22:48 +0200, Francesco Gennai <[hidden email]> said:

francesco.gennai+openssl> thank you for the pointers.

You're welcome.

francesco.gennai+openssl> Now we need to move the private key to a
francesco.gennai+openssl> signing device.

Uhmm, you do know that most devices will not import a private key, and
will instead have a couple of predefined ones or will allow you to
create new ones, right?

francesco.gennai+openssl> We could use also an expensive solution,
francesco.gennai+openssl> like an HSM, but we would know about
francesco.gennai+openssl> existing experiences, and about products:
francesco.gennai+openssl> SmartCard models and producers and/or HSM
francesco.gennai+openssl> models and producers that have been already
francesco.gennai+openssl> used in OpenSSL/OpenVMS environment or that,
francesco.gennai+openssl> accordingly to your experiences, could be
francesco.gennai+openssl> tested.

I would have a chat with the OpenSC (http://www.opensc-project.org/)
guys, as they've already written an engine module that interfaces
pkcs11 libraries.  There are a few other implementations floating
in our contrib area as well.

Cheers,
Richard

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
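
A self-contained C model of the two points Richard makes in this thread (an engine forwards the library's private-key operation to the device, and the key is generated on the device rather than imported), added here as an example and not part of the original messages or of OpenSSL. The method table, the `dev_*` functions and the toy RSA numbers are all constructed for illustration; OpenSSL's real ENGINE interface is in the source directories named in the thread.

```c
#include <stdint.h>
/* Toy textbook RSA, n = 61 * 53: constructed values, no padding, not secure. */
#define N 3233u
#define E 17u
#define D 2753u

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t n) {
    uint64_t r = 1, x = b % n;
    for (; e; e >>= 1) { if (e & 1) r = r * x % n; x = x * x % n; }
    return (uint32_t)r;
}
/* Simulated device: the private exponent exists only in dev_slots. */
static uint32_t dev_slots[4];                 /* 0 means empty slot */
int dev_import(int slot, uint32_t d) { (void)slot; (void)d; return -1; } /* refused */
int dev_generate(int slot) {                  /* key is created on the device */
    if (slot < 0 || slot >= 4) return -1;
    dev_slots[slot] = D; return 0;
}
static int dev_sign(int slot, uint32_t m, uint32_t *sig) {
    if (slot < 0 || slot >= 4 || !dev_slots[slot] || m >= N) return -1;
    *sig = modpow(m, dev_slots[slot], N); return 0;
}
/* What the library sees: a key object plus a table of operations. */
struct method;
struct key { uint32_t n, e, d; int slot; const struct method *meth; };
struct method { const char *name; int (*priv_op)(const struct key *, uint32_t, uint32_t *); };

static int soft_priv(const struct key *k, uint32_t m, uint32_t *sig) {
    if (m >= k->n) return -1;
    *sig = modpow(m, k->d, k->n); return 0;   /* key material in host memory */
}
static int engine_priv(const struct key *k, uint32_t m, uint32_t *sig) {
    return dev_sign(k->slot, m, sig);         /* forward the request to the device */
}
const struct method soft_method = { "software", soft_priv };
const struct method engine_method = { "device-engine", engine_priv };
/* Device-backed key: public half and a slot number; d stays 0 on the host. */
struct key engine_load_key(int slot) { struct key k = { N, E, 0, slot, &engine_method }; return k; }
/* Caller code is the same for both key types. */
int sign_digest(const struct key *k, uint32_t m, uint32_t *sig) { return k->meth->priv_op(k, m, sig); }
int verify_digest(const struct key *k, uint32_t m, uint32_t sig) { return modpow(sig, k->e, k->n) == m; }

int main(void) {
    struct key k = engine_load_key(0);
    uint32_t sig = 0;
    if (dev_generate(0) || sign_digest(&k, 2790u, &sig)) return 1;
    return verify_digest(&k, 2790u, sig) ? 0 : 1;
}
```

The host-side key object for the device key never holds the private exponent, so a memory dump or disk copy of the signing host yields only the public half and a slot number.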

Re: HSM/engine/SmartCard for OpenVMS

Francesco Gennai


Richard Levitte - VMS Whacker wrote:

>
> In message <[hidden email]> on Sun, 26 Mar 2006 20:22:48 +0200, Francesco Gennai <[hidden email]> said:
>
> francesco.gennai+openssl> thank you for the pointers.
>
> You're welcome.
>
> francesco.gennai+openssl> Now we need to move the private key to a
> francesco.gennai+openssl> signing device.
>
> Uhmm, you do know that most devices will not import a private key, and
> will instead have a couple of predefined ones or will allow you to
> create new ones, right?

Oh, yes.
I'm sorry, because my sentence "...to move the private key..." wasn't
exact.
We can start with any new private key.

>
> francesco.gennai+openssl> We could use also an expensive solution,
> francesco.gennai+openssl> like an HSM, but we would know about
> francesco.gennai+openssl> existing experiences, and about products:
> francesco.gennai+openssl> SmartCard models and producers and/or HSM
> francesco.gennai+openssl> models and producers that have been already
> francesco.gennai+openssl> used in OpenSSL/OpenVMS environment or that,
> francesco.gennai+openssl> accordingly to your experiences, could be
> francesco.gennai+openssl> tested.
>
> I would have a chat with the OpenSC (http://www.opensc-project.org/)
> guys, as they've already written an engine module that interfaces
> pkcs11 libraries.  There are a few other implementations floating
> in our contrib area as well.

Thank you again for the pointers.

Regards,
Francesco

>
> Cheers,
> Richard
>
> --
> Richard Levitte                         [hidden email]
>                                         http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
>  the fear of childishness and the desire to be very grown up."
>                                                 -- C.S. Lewis