[openssl-users] External hardware for SSL handshake (overriding PreMasterSecret decrypt)

Jakob Bohm jb-openssl at wisemo.com
Wed May 27 14:08:52 UTC 2015

On 27/05/2015 15:26, Pavel Abramov wrote:
> Hi,
> I have a task to use external Security Module to perform RSA functions in my WEB-server (nginx/httpd using OpenSSL for HTTPS).
> The goal is to store Server private key components and establish SSL Handshake using Hardware module. It is not an SSL hardware accelerator.
> This device has proprietary API (binary protocol over TCP/UDP, a few commands like "generate RSA key pair", "premaster decrypt using key#123").
> What is the easiest way to do it? Will be very grateful for keywords/advices.
> Should I write my ENGINE ? Or is there any other way?
> I need only 2 functions to perform using hardware:
> - RSA key generation (private component will be saved in hardware module)
> - PreMaster decrypt from client during SSL handshake
> How to override only these 2 functions?
If there is a generic engine wrapping pkcs11 or a similar
API, it may or may not be easier to implement (or reuse
if already provided) a hardware specific pkcs11 (or
similar) driver.

I am unsure if there is or is not a well maintained
pkcs11 engine for OpenSSL, either in the OpenSSL project
or elsewhere.  Maybe the opensc project has one, but I
don't know if that would be general or specific to opensc
pkcs11 drivers.

Keywords to search for:
pkcs11, pkcs11 engine, opensc project, openssl engine.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150527/87e3acf9/attachment.html>

More information about the openssl-users mailing list