[prev in list] [next in list] [prev in thread] [next in thread]
List: bouncycastle-crypto-dev
Subject: Re: [dev-crypto] Re-usable PKCS#10 CSR generation.
From: Martin Paljak <martin () paljak ! pri ! ee>
Date: 2010-05-24 11:24:04
Message-ID: 61F3DAB3-7C03-45E5-BC1B-BB592DC71205 () paljak ! pri ! ee
[Download RAW message or body]
Hello,
On May 21, 2010, at 09:00 , David Hook wrote:
> The mods are probably a bit too low level for what we have to meet.
What do you mean with this? That the modification deals with a too low level of \
bit-tricking, which is not suitable for BC or that the patch does not meet the \
required consistency level to be considered?
> There's been a bit of a discuss about this here as well. If you look at
> some of the things we're currently doing in the CMS API it's pretty
> clear we've stretched the provider architecture as far as it will go.
I'm sorry, I probably lack the context as I've only used BC, never looked under the \
hood before.
> At the moment we're considering creating some interfaces which provide
> the basic operations (such as sign, verify) in a way not dissimilar to
> how the interfaces are defined in the light weight API. This would allow
> us to break things like CMS, PKCS#10 and certificate generation away
> from the actual JCA/JCE. There's a bit of work in this though, and I'd
> certainly be interested in any feedback on the idea that people might
> have.
I have a real life need which I fixed with the mentioned patch. As said, it is easier \
and more logical (IMHO) to provide means for such structure manipulation instead of \
creating a "mini intermediate provider" for the specific case (which, indeed, might \
fit better into the current BC design)
If there's anything I could provide or help with, please let me know, but I currently \
did not understand if the approach is not OK or the specific patch is not OK (for \
lacking docs or some specific checks or something similar)
Thanks,
Martin
>
> Regards,
>
> David
>
> On Thu, 2010-05-20 at 16:17 +0300, Martin Paljak wrote:
> > On May 20, 2010, at 16:12 , Tomas Gustavsson wrote:
> > >
> > > The way I do this is simply by using a java provider that does the off-loading.
> > >
> > > req = new PKCS10CertificationRequest(signAlg, x509dn, keyPair.getPublic(), \
> > > attrset, keyPair.getPrivate(), pkcs11Provider);
> > > I guess your usage is if you don't have a provider and then you can fix the \
> > > signature bits in any way you want?
> > Correct, the private key resides in the smart card and there is no software \
> > interface for this operation yet, as the code is used during card \
> > personalization. Even if it was possible to create a little wrapper provider for \
> > this specific purpose, I would not know from where to start and I don't find it \
> > feasible and the approach with getBitsToSign/setSignedBits works perfectly in \
> > this situation. Also, I think that a "generic" PKCS#10 manipulation interface is \
> > more useful than something that is tied to JCE/JCA.
> >
> >
> >
> >
> > >
> > > /Tomas
> > >
> > > On 05/20/2010 12:50 PM, Martin Paljak wrote:
> >
> >
> >
>
>
>
--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic