Discussion:
Will OpenSSL fall back to software mode if ENGINE using hardware fails?
Maciej Grzymkowski
2014-09-09 18:49:07 UTC
Hi everyone,

Firstly, I'm a beginner in the OpenSSL world. I apologize in advance for
any basic, barbaric errors. I'm also not quite sure whether it's OK to ask
here; if not, please disregard it. I've asked this question on stackoverflow
as well.

Consider a flow:
- Initialize OpenSSL with engine using hardware (let's call it EngineHW).
- Call an OpenSSL function, e.g. X509_sign.

1. How to check if the function called was performed on the hardware?
(seems engine specific)
2. How to verify the EngineHW function was called?
3. What if the function is not defined by EngineHW - will OpenSSL fall back
to any default engine it has? (related to 2)

The question is related to asserting quality - since I've got the hardware
to do crypto for me, I consider using software implementation an error (at
least for the important/heavy functions).

It seems easy to check for operations requiring keys - those do not leave
the HSM. But cert checking, RAND, hashing, and so on?


Best regards,

Maciej G.
