[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Alexander Gostrer agostrer at gmail.com
Fri Dec 11 17:03:20 UTC 2015


Hi Doug,

John and I implemented an ECDSA/ECDH/ECDHE engine. We are in the process of final testing and cleaning up. Changes to OpenSSL were pretty minor. Would you like to review this code? We are planning to publish it on GitHub in a week or so.

Regards.
Alex

Sent from my iPhone

> On Dec 10, 2015, at 2:47 PM, Douglas E Engert <deengert at gmail.com> wrote:
> 
> The OpenSC engine code does not support ECDH. It is on the TODO list.
> It took forever to get the ECDSA changes needed into OpenSSL to work with engines, that I never
> got to doing the ECDH in engine and libp11.
> 
>> On 12/10/2015 10:59 AM, Blumenthal, Uri - 0553 - MITLL wrote:
>> I want to add that apparently some openssl commands work OK with this
>> token and pkcs11 engine:
>> 
>> $ openssl version
>> OpenSSL 1.0.2e 3 Dec 2015
>> $ openssl dgst -engine pkcs11 -keyform engine -sign
>> "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256
>> -out t.sig < config.h
>> engine "pkcs11" set.
>> $ ll t.sig
>> -rw-r--r--  1 ur20980  MITLL\Domain Users  256 Dec 10 11:52 t.sig
>> $ openssl dgst -verify pub.key -keyform PEM -signature t.sig -sha256 <
>> config.h
>> Verified OK
>> $
>> 
>> But I need to also be able to use “encrypt” (well, “decrypt” to be precise
>> :) and “derive” (for ECDH key)…
>> 
>> Thanks!
>> 
>> 
>> _______________________________________________
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert at gmail.com>