OpenSSL Engines
The OpenSSL project offers the possibility to source out cryptographic functionality to plugin modules called engines. Usually there is one of two reasons for doing this, performance and security.
The performance reason is rather obvious, specialized hardware can do cryptography much faster than a general purpose computer.
The reason for using an engine with opensc typically is a security reason. If you are storing your private keys on a harddisk there is a lot of things an administrator (or a virus with root privileges) can do to steal your key. If the key is on a smart card there is usually no way to export the private key, so if you pull the card from the reader noone can use your keys. And if you use a certified and sealed reader device you can even be reasonably sure that noone can steal your PIN.
OpenSC up to version 0.9.6 included two engines directly – engine_opensc and engine_pkcs11. The former was only a proof of concept code and
has several issues. The later works fine. Starting with OpenSC 0.10.0 this engine was splitted off and is now in an independend project,
as it can be used with any PKCS#11 implementation, not only OpenSC.
Please visit the engine_pkcs11 homepage for more details. Also see the QuickStart file for an example
how to sign a certificate using openssl and your smart card.