[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Dec 10 22:17:15 UTC 2015


On 12/10/15, 16:56, "openssl-dev on behalf of Dr. Stephen Henson"
<openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:

>>> Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
>>> in pkeyutl.c
>>
>> With your proposed (temporary) fix, the signature both generated and
>> verified successfully (see below). Could I ask to push this fix to the
>> master, and maybe/hopefully to 1_0_2 branch?
>>
>
> As I indicated, the fix I suggested is temporary. Sometimes a user will
> want that behaviour, so we'd need a new command line option indicating the
> private key engine only.

Ideally engine_pkcs11 should do it automatically, but I see your point.
Perhaps the code in pkeyutl.c could check if (a) engine is set, and (b)
the engine is PKCS11? And if so - automatically do the right thing? Do you
envision other engines with similar needs? My assumption was that the only
engine that talks to smart cards is pkcs11...

In the meantime, in your opinion, should rsautl need a similar patch, or
would it work out of the box, like dgst did?

Thank you!