HSM devices and FreeBSD

Eirik Øverby ltning at anduin.net
Tue May 23 14:04:40 PDT 2006


Hello all,

First, if this is disallowed by the rules for this list (I'm a bit
uncertain...), then please forgive me.

I am working for a company doing services for the credit card
industry. Among other things, we specialize in authentication systems
(3-D Secure) for internet-based trade, and are subject to very strict
security requirements (obviously).
The relevant systems are all running on FreeBSD, and so far we have
had few or no problems passing all the requirements, save for one
thing: HSM devices.

When the system was originally set up about 4 years ago, an agreement
was made with Thales e-Security, Inc. that they should deliver a
FreeBSD version of their PKCS#11 libraries and OpenSSL engine
implementation for their WebSentry devices. This was indeed done, but
there has been no support or updates since, and the software vendor
we are using has since started moving to other ways of interacting
with their supported HSMs, meaning that we are slowly being left in
the dust.

I am therefore researching other possible vendors of HSM devices.
They need to be external and network-attached (i.e. no kernel-mode
drivers necessary), and they need to fulfill certain requirements,
first and foremost FIPS 140-1 level 2 and (for some
applications) level 3. In addition, the software APIs supplied should
include a PKCS#11 library, an OpenSSL engine implementation, and a
Java implementation (possibly using JNI for the communications, cf.
the PKCS#11 library).

Does anyone know of any such products that have any sort of FreeBSD  
support at all? Please note that these are not simply crypto  
accelerators; they also store keys etc. securely.

With best regards,
Eirik Øverby
Unicore AS
Oslo, Norway


More information about the freebsd-security mailing list