Elliptic-Curve Cryptography for Solaris [PSARC/2007/446 Self Review]
Krishna Yenduri
bhargava.yenduri at sun.com
Thu Aug 2 11:03:20 PDT 2007
Mark Powers wrote:
>>> 3.6. How will you know when you are done?:
>>> When we can use pkcs11 on Apache for ECC.
>>>
>>
>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>> add the support for ECC mechanisms? You might want to test with Sun Java
>> System web server too.
>
> Perhaps I'm naive, but I thought by offering ECC mechanisms in libpkcs11
> and telling the webserver to use pkcs11, that everything would work.
No. It does not.
Apache web server depends on the OpenSSL PKCS #11 engine to be able
to use libpkcs11. This means we have to extend the engine for the new
ECC mechanisms, for Apache to work.
>>>
>>> Supported PKCS#11 mechanisms are: CKM_EC_KEY_PAIR_GEN, CKM_ECDSA,
>>> CKM_ECDSA_SHA1, and CKM_ECDH1_DERIVE.
>>
>> I assume this list is for the softtoken library. What mechanisms will
>> the kernel ECC software provider support?
>
> Same mechanisms and curves as in the softtoken library.
We don't need the CKM_EC_KEY_PAIR_GEN mechanism in kernel land, if
it helps.
-Krishna