[openssl-users] OpenSSL engine and TPM usage.
Jakob Bohm
jb-openssl at wisemo.com
Wed Oct 25 21:25:56 UTC 2017
On 25/10/2017 19:06, Jayalakshmi bhat wrote:
> Hi All,
>
> Our device uses TPM to protect certificate private keys. We have
> written engine interface to integrate TPM functionality into OpenSSL.
> Thus TPM gets loaded as an engine instance.
> Also we have mapped RSA operations to TPM APIS as like
> encryption/decryption etc.
>
> Now we are into few issues. there are few applications that wants to
> use application specific identity certificate. In such cases RSA APIs
> should not get mapped to TPM APIs.
>
> I wanted to know when we use engine instance for encryption/decryption
> operation, can it be done selectively?
>
Please beware that many TPM chips were recently discovered to contain a
broken RSA key generation algorithm, so public/private key pairs to be
stored in the TPM should probably be generated off-chip (using the OpenSSL
software key generator) and imported into the chip, contrary to what would
have been best security practice without this firmware bug.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded