PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Francis Dupont
Francis.Dupont at fdupont.fr
Mon Feb 15 13:49:56 UTC 2010
In your previous mail you wrote:
As I understand it, in sign-only mode, the HSM is only used for "encrypt
the hash with the private key", and the CPU is used for hashing the data
and decrypting with the public key.
=> exactly in sign-only mode the engine provides as services:
- RSA_sign() in RSA methods
- load_privkey() and load_pubkey() (used by ENGINE_load_private_key()
and ENGINE_load_public_key())
- RAND (random) methods when supported
Note only RSA_sign() and load_privkey() are strictly required (see PSs).
Regards
Francis.Dupont at fdupont.fr
PS: load_pubkey() is needed because some PKCS11 providers don't return the
whole public part of the RSA key pair with the private part as you can expect
when you know in RSA the public key is fully included in the private key...
PPS: as most (i.e, all I know) HSMs provide a RNG (random number generator)
it should be silly to not take benefit of it.
More information about the bind-workers
mailing list