Request for generic engine support

Mccue, Richard Alan richard.mccue at hp.com
Sat May 10 07:25:56 EST 2008


> Can you tell us what the device is and/or what engine you are trying
> to use?

The device is very much like an HSM, probably best to think of it as an
HSM device. If I had to mention precisely what it is or anything unique
about it, I couldn't really call it generic. The engine is also very
very generic, requiring nothing special.

An external OpenSSL engine that handles key encryption/decryption (HSM, etc),
needs just a few common support mechanisms, whether it is implemented
in OpenSSH, an LDAP server, Stunnel, whatever. I use the word 'external'
here to differentiate from the built-in engines, like 'dynamic' that
are included with 0.9.7 and 0.9.8 OpenSSL distributions. An external
engine is one independently developed that the loading application and
OpenSSL have no information about. Hence information to load the engine
must be fetched through configuration keywords. Here's what is basically
needed for an application to use an external engine of this type:

- Load the engine. The Stunnel source is a good example of this. Another
example that I like is the test application that is part of Kent Yoder's
TPM engine available from sourceforge.net. I'm sure there are others.

- Initialize the engine. ENGINE_init() an OpenSSL function, does this. This
leads to the engine substituing its routines for a few of those in the
OpenSSL libcrypto library. This is why utilizing the engine becomes
transparent to the application for an operation like RSA signing.

- Load the file containing the key: ENGINE_load_private_key(3), an
OpenSSL function, does this. If the key of interest is embedded in the
device and not given as an external file, this step is not necessary.


> It sounds like an HSM - if it is then it almost certainly supports
> pkcs11. Using a pkcs11 enabled version of OpenSSH will most likely be
> easier than trying to support every different OpenSSL engine that a
> user might decide to use.

I'll look into pkcs11, it could be useful in some applications. At the
 moment, I don't see it as entirely a replacement though.

Thanks for the suggestion!

- Rich


More information about the openssh-unix-dev mailing list