[openssl-dev] Ubsec and Chil engines

Jaroslav Imrich jaroslav.imrich at gmail.com
Mon Feb 22 14:08:16 UTC 2016


On 22 February 2016 at 11:16, Nikos Mavrogiannopoulos <nmav at redhat.com>
wrote:

> That's an implementation detail. As far as I know engine_pkcs11 does
> not require re-authentication after fork. It handles the pkcs11
> peculiarities internally.
>

AFAIK this works by caching the PIN in engine_pkcs11 internally and is OK
for most of the use cases with smartcards. However, HSMs usually use more
complex authentication schemes where this approach does not work, i.e. in
order to log in there must be N of M physical tokens/cards with passwords
presented in a sequence (requires vendor-specific extensions when used via
PKCS#11). The CHIL engine already handles such schemes very well and does not
need to reauthenticate after fork.

Regards, Jaroslav