[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Dr. Stephen Henson steve at openssl.org
Thu Dec 10 23:09:55 UTC 2015


On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:

> On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:
> 
> >
> >As I indicated, the fix I suggested is temporary. Sometimes a user will
> >want that behaviour, so we'd need a new command line option indicating
> >the private key engine only.
> 
> Ideally engine_pkcs11 should do it automatically, but I see your point.
> Perhaps the code in pkeyutl.c could check if (a) engine is set, and (b)
> the engine is PKCS11? And if so - automatically do the right thing? Do you
> envision other engines with similar needs? My assumption was that the only
> engine that talks to smart cards is pkcs11...

The CryptoAPI ENGINE can also talk to smart cards.

> 
> In the meanwhile, in your opinion, should rsautl need a similar patch, or
> would it work out of the box, like dgst did?
> 

It should, yes: rsautl uses only the lower-level RSA functions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org