Re: Public key handle in HSM



1. You cannot DECRYPT a message with a public key. You can only VERIFY a
SIGNED message using the certificate. If that's what you need, you don't need
the public key from the cert at all - both CAPI and OpenSSL can verify a
message with the certificate.

2. If you really need to DECRYPT a message and the private key is in the HSM,
you don't need the public key - the HSM's private key is already there. (And
it's certainly NOT in the certificate.)

3. If you want to ENCRYPT a message for somebody, that's when you need the
public key to wrap the random session key (which is actually used to encrypt
the message).

4. Anyway, seems you are trying to use OpenSSL. Please be advised that this
forum is for CAPI related questions, you would need to find OpenSSL support
somewhere else.

(BTW: despite 4. above we do provide advice on not strictly CAPI related -
but security, crypto - questions.)

Laszlo Elteto
SafeNet, Inc.

"yadav.dhananjay@xxxxxxxxx" wrote:

Dear Responder,
Thank you for your valuable suggestion.
My main problem is how to generate a public key handle in the PCI
HSM (Hardware security Model) from the certificate's public key.
I do have the certificate but I need to import the public key (handle) into
the PCI HSM from the certificate to decrypt a message.
I am trying to use openssl to import the public key but openssl is showing
the following error...
********************************************************************************
C:\OpenSSL\bin>openssl ca
Using configuration from /usr/local/ssl/openssl.cnf
error loading the config file '/usr/local/ssl/openssl.cnf'
2652:error:02001003:system library:fopen:No such process:bss_file.c:104:fopen('/usr/local/ssl/openssl.cnf','rb')
2652:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
2652:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:
*********************************************************************************
I could not find the openssl.cnf file and path "/usr/local/ssl/openssl.cnf".
How do I remove this issue?

Regards
Dhananjay Yadav
CMC LTD.

On Feb 29, 3:04 am, Sylvain <noS...@xxxxxxxx> wrote:
lelteto wrote on 28/02/2008 22:31:

3. In case of hardware you usually don't get any speed advantage of PUBLIC
KEY operations. They are pretty fast in software, and the communication
overhead (context switches, driver involvement, etc.) probably results in
longer total time than doing the computation in software. Hardware is
excellent at accelerating private key operations - which are usually slow in
software - but you wouldn't get much speedup (and oftentimes slower speed)
from hardware for public key operations.

(good) HSM are faster than any software lib. even for exponentiation
with public exp.

OOH, the public key import can be required to wrap a key (may be
session, sym., ...) with the cert. of the recipient part.
in such a case, computation shall occur in the HSM.

Sylvain.
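
The flow both replies describe (the recipient's certificate supplies the public key that wraps a random session key, and only the private key can unwrap it), done in software with the OpenSSL command line. This is an added example, not part of the original thread; the file names, the `/CN=demo-recipient` subject, the RSA-OAEP and AES-256-CBC choices and the sample message are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, certificate and message here is constructed
# and lives only in a temporary directory.
hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

wrap_roundtrip() {
    work=$(mktemp -d) || return 1
    status=0
    (
        cd "$work" || exit 1
        # Recipient (constructed): key pair plus a self-signed certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo-recipient" \
            -keyout recipient.key -out recipient.crt 2>/dev/null || exit 1

        # Sender holds only the certificate: extract its public key.
        openssl x509 -in recipient.crt -pubkey -noout > recipient.pub || exit 1

        # Random session key and IV; the session key encrypts the message.
        openssl rand -out session.bin 32 || exit 1
        openssl rand -out iv.bin 16 || exit 1
        printf 'constructed sample message\n' > msg.txt
        openssl enc -aes-256-cbc -K "$(hex session.bin)" -iv "$(hex iv.bin)" \
            -in msg.txt -out msg.enc || exit 1

        # The certificate's public key wraps the session key (RSA-OAEP).
        openssl pkeyutl -encrypt -pubin -inkey recipient.pub \
            -pkeyopt rsa_padding_mode:oaep \
            -in session.bin -out session.wrapped || exit 1

        # Recipient: the private key unwraps, then the session key decrypts.
        openssl pkeyutl -decrypt -inkey recipient.key \
            -pkeyopt rsa_padding_mode:oaep \
            -in session.wrapped -out session.out || exit 1
        openssl enc -d -aes-256-cbc -K "$(hex session.out)" -iv "$(hex iv.bin)" \
            -in msg.enc -out msg.out || exit 1

        # Success only if both the session key and the message round-trip.
        cmp -s session.bin session.out && cmp -s msg.txt msg.out
    ) || status=1
    rm -rf "$work"
    [ "$status" -eq 0 ] && echo "roundtrip-ok"
    return "$status"
}

wrap_roundtrip
```

With the private key held in an HSM, the unwrap step is the one that runs inside the device; the certificate-only steps on the sender side stay the same.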

