Using keys from a hardware accelerator

Using keys from a hardware accelerator

Alexander Gostrer
Hi All,

I am working on an OpenSSL modification for a hardware accelerator that generates and uses private keys internally, without a way to export/import them. The standard OpenSSL approach is to use keys from files. Is there any preferred way to point to keys in the hardware? There is more and more hardware on the market that people want to use directly from OpenSSL.

Thank you,
Alex Gostrer

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Using keys from a hardware accelerator

Erwann Abalea-3
You’re looking for ENGINE objects.
There’s maybe already an ENGINE directly supporting your hardware module.
If your hardware thing has a PKCS#11 library, a PKCS#11 ENGINE exists.

Cordialement,
Erwann Abalea

Re: Using keys from a hardware accelerator

Jan Just Keijser-2
Hi Alexander,

There is a standard for this, PKCS#11, that is fairly well supported by
OpenSSL. Numerous hardware tokens and smartcards exist that can interact
with OpenSSL (via engine_pkcs11). I have personal experience with
various usb hardware tokens from Feitian and Aladdin/SafeNet. The main
feature of such tokens is that indeed the private key cannot be exported
from the device.


hope this helps,

JJK / Jan Just Keijser

Re: Using keys from a hardware accelerator

Alexander Gostrer
Thank you, Erwann.

I'll look into it.

Regards,
Alex.

On Mon, Jul 20, 2015 at 8:28 AM, Erwann Abalea <[hidden email]> wrote:

Re: Using keys from a hardware accelerator

Alexander Gostrer
Hi Jan,

It definitely helps. I am already looking into this standard.

Thank you,
Alex.

On Mon, Jul 20, 2015 at 8:21 AM, Jan Just Keijser <[hidden email]> wrote:

Re: Using keys from a hardware accelerator

Alexander Gostrer
Hi Jan, Erwann,

I didn't find any reference to pkcs11 or engine_pkcs11 or cryptoki in the code. The closest thing I see on the master branch are openssl/engines/vendor_defns/hwcryptohook.h, sureware.h, and so on. Is there a special branch for pkcs11? Or do I just need to use hwcryptohook.h/sureware.h as reference code and make my own implementation?

Thank you,
Alex.

On Mon, Jul 20, 2015 at 9:51 AM, Alexander Gostrer <[hidden email]> wrote:

Re: Using keys from a hardware accelerator

David Woodhouse-7
On Tue, 2015-07-21 at 06:55 -0700, Alexander Gostrer wrote:

Unfortunately, PKCS#11 support isn't a part of OpenSSL directly
(although it would be really good to fix that).

The PKCS#11 engine is at https://github.com/OpenSC/engine_pkcs11

A new release is imminent, which allows you to specify certificates and
keys by a PKCS#11 URI (RFC7512) instead of the old format.

On systems where p11-kit exists, it also automatically loads the
appropriate PKCS#11 modules according to the system configuration. So
using it really is as simple as providing the correct PKCS#11 URI for
the cert/key you want.

--
David Woodhouse                            Open Source Technology Centre
[hidden email]                              Intel Corporation
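
To make David's point concrete: with the URI form, the key is never a file; the URI is a selector the engine hands to the PKCS#11 module, which then signs inside the device. The parser below is an added illustration of the RFC 7512 format, written for this page; it is not engine_pkcs11's or p11-kit's own code. It splits the "pkcs11:" path part (`;`-separated, what to select: token, object, type, id) from the query part (`&`-separated, how to reach it: module-path, pin-source), percent-decodes values, refuses repeated attributes, and then applies the check a practitioner wants before handing a URI to the engine: it must name a private key precisely (type=private plus object= or id=) and must not embed the PIN as pin-value, which RFC 7512's security considerations discourage because URIs end up in command lines, config files and logs. The sample URIs, token label and module path are constructed.

```c
#include <stdio.h>
#include <string.h>

#define P11_MAX_ATTRS 16

typedef struct {
    char name[32];
    unsigned char value[128];   /* percent-decoded and NUL-terminated; id= may be binary */
    size_t value_len;
    int in_query;               /* 0: path part (what to select), 1: query part (how to reach it) */
} p11_attr;
typedef struct { p11_attr attrs[P11_MAX_ATTRS]; size_t count; } p11_uri;

static int hexval(int c)        /* value of a hex digit, or -1 */
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                  /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..n) into dst; -1 on a truncated or non-hex escape or overflow. */
static int pct_decode(const char *src, size_t n, unsigned char *dst, size_t cap)
{
    size_t i, out = 0;
    for (i = 0; i < n; i++, out++) {
        int c = (unsigned char)src[i];
        if (c == '%') {         /* must be followed by exactly two hex digits */
            int hi = i + 2 < n ? hexval((unsigned char)src[i + 1]) : -1;
            int lo = i + 2 < n ? hexval((unsigned char)src[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (out >= cap) return -1;
        dst[out] = (unsigned char)c;
    }
    return (int)out;
}

static const p11_attr *p11_uri_get(const p11_uri *u, const char *name)
{
    size_t i;
    for (i = 0; i < u->count; i++)
        if (strcmp(u->attrs[i].name, name) == 0) return &u->attrs[i];
    return NULL;
}

/* Parse the sep-separated "name=value" pieces of s[0..n). A repeated name is refused
 * (stricter than RFC 7512, which forbids repeats only for its standard attributes):
 * "object=a;object=b" can never select one key, so failing loudly beats guessing. */
static int parse_list(const char *s, size_t n, char sep, int in_query, p11_uri *u)
{
    while (n > 0) {
        const char *end = memchr(s, sep, n);
        size_t len = end ? (size_t)(end - s) : n;
        const char *eq = memchr(s, '=', len);
        size_t name_len = eq ? (size_t)(eq - s) : 0;
        p11_attr *a = &u->attrs[u->count];
        int vlen;

        if (u->count >= P11_MAX_ATTRS || name_len == 0 || name_len >= sizeof a->name) return -1;
        memcpy(a->name, s, name_len);
        a->name[name_len] = '\0';
        if (p11_uri_get(u, a->name) != NULL) return -1;
        vlen = pct_decode(eq + 1, len - name_len - 1, a->value, sizeof a->value - 1);
        if (vlen < 0) return -1;
        a->value[vlen] = '\0';
        a->value_len = (size_t)vlen;
        a->in_query = in_query;
        u->count++;
        if (end == NULL) break;
        s = end + 1;
        n -= len + 1;
    }
    return 0;
}

/* Parse "pkcs11:" path-attrs [ "?" query-attrs ]; 0 on success, -1 if malformed. */
int p11_uri_parse(const char *uri, p11_uri *u)
{
    const char *path, *query;
    memset(u, 0, sizeof *u);
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;   /* scheme matched exactly here */
    path = uri + 7;
    query = strchr(path, '?');
    if (parse_list(path, query ? (size_t)(query - path) : strlen(path), ';', 0, u)) return -1;
    return query ? parse_list(query + 1, strlen(query + 1), '&', 1, u) : 0;
}

/* 1 when the URI is a usable, non-leaking private-key reference: type=private plus
 * object= or id= to pin the object down, and no pin-value (the PIN belongs in a
 * pin-source or an interactive prompt, not in the URI itself). */
int p11_uri_is_private_key_ref(const p11_uri *u)
{
    const p11_attr *type = p11_uri_get(u, "type");
    if (type == NULL || strcmp((const char *)type->value, "private") != 0) return 0;
    if (p11_uri_get(u, "object") == NULL && p11_uri_get(u, "id") == NULL) return 0;
    return p11_uri_get(u, "pin-value") == NULL;
}

/* -1 malformed, 0 parsed but not a usable key reference, 1 usable. */
int p11_uri_check(const char *uri)
{
    p11_uri u;
    return p11_uri_parse(uri, &u) ? -1 : p11_uri_is_private_key_ref(&u);
}

int main(void)
{   /* Constructed sample; the token label is made up. */
    const char *uri = "pkcs11:token=Test%20Token;object=ssl-key;type=private?pin-value=1234";
    printf("%d  %s  (1 usable, 0 not, -1 malformed)\n", p11_uri_check(uri), uri);
    return 0;
}
```

A URI that passes the check is what you would pass to the engine, e.g. `openssl req -new -engine pkcs11 -keyform engine -key 'pkcs11:token=Test%20Token;object=ssl-key;type=private' ...` (constructed values). Two caveats for anyone reading this thread later: the engine_pkcs11 code was subsequently folded into the OpenSC/libp11 repository, and OpenSSL 3.0 deprecates the ENGINE API in favour of providers, so new integrations of this kind target a PKCS#11 provider rather than an engine.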

Re: Using keys from a hardware accelerator

Alexander Gostrer
Thank you, David.
It wasn't obvious :) Let me look into it.
Regards,
Alex.


On Tue, Jul 21, 2015 at 7:32 AM, David Woodhouse <[hidden email]> wrote: