
Implementing CA operations with private keys in HSM


Frederik Mennes

Nov 21, 2009, 10:46:31 AM

Hi all,

I am currently building a CA using the OpenSSL crypto library. Private keys will be stored inside an HSM. Therefore I'm considering the EVP interface as it allows using an engine towards an HSM.

Examples of operations involving private keys that need to be supported are:

  1. Signing a given message
  2. Signing an X.509 certificate
  3. Signing a PKCS #10 certificate request
  4. Signing an OCSP response message

Example (1) is easy to support using the EVP_Sign functions.

However, the three other examples are more complicated. For example 1, the x509_sign() function does not work with private keys inside an HSM, and the EVP interface does not have functions for signing an X.509 certificate.

What would be the best way to implement examples 1-3 using OpenSSL?

One way would be to alter the functions in the crypto library. I could, for instance, alter x509_sign() so that it talks to the HSM. But would that be the most appropriate?

Thanks in advance.

--
Frederik Mennes
Security Architect

VASCO Data Security
Koningin Astridlaan 164
B-1780 Wemmel, Belgium

Dr. Stephen Henson

Nov 21, 2009, 12:52:43 PM
On Sat, Nov 21, 2009, Frederik Mennes wrote:

> Hi all,
>
> I am currently building a CA using the OpenSSL crypto library. Private keys
> will be stored inside an HSM. Therefore I'm considering the EVP interface as
> it allows using an engine towards an HSM.
>
> Examples of operations involving private keys that need to be supported are:
>
> 1. Signing a given message
> 2. Signing an X.509 certificate
> 3. Signing a PKCS #10 certificate request
> 4. Signing an OCSP response message
>
> Example (1) is easy to support using the EVP_Sign functions.
>
> However the three other examples are more complicated. For example 1, the
> x509_sign() function does not work with private keys inside an HSM, and the
> EVP interface does not have functions for signing an X.509 certificate.
>

They can all be supported.

OpenSSL provides an ENGINE interface where an EVP_PKEY can be loaded from an
HSM. That key can then be used in the same way as a non-HSM key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
