[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

David Woodhouse dwmw2 at infradead.org
Sat Dec 19 09:23:28 UTC 2015


On Fri, 2015-12-18 at 16:46 +0100, Nikos Mavrogiannopoulos wrote:
> On Thu, 2015-12-17 at 22:06 +0000, Blumenthal, Uri - 0553 - MITLL
> wrote:
> > I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :).
> [...]
> > But this doesn’t:
> > 
> > $ openssl dgst -engine pkcs11 -keyform engine -verify
> > "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt
> 
> The current implementation of engine_pkcs11 seems to work with private
> keys and certificates only. I've added a fix in engine_pkcs11, but it
> seems that public key types were never tested for PKCS#11 URLs.

Yes, mea culpa. I added the basic PKCS#11 URI parsing, and failed to
test it with public keys.

I still suspect we should be using p11kit and not reimplementing the
PKCS#11 URI parsing for ourselves. But really I want the whole engine
to die and PKCS#11 to be supported as a first-class citizen within
OpenSSL in crypto/p11/...


-- 
dwmw2
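As an added illustration for the "object-type=public" failure discussed in this thread, and not code from the thread, from engine_pkcs11, from p11-kit or from OpenSSL: a minimal C parser for the path part of a PKCS#11 URI (RFC 7512). It percent-decodes the `token`, `object` and `id` attributes and maps the object class from either the RFC's `type` attribute or the `object-type` spelling used in the URI quoted above, so a public-key object is classified rather than silently ignored. All names here (`p11_uri_parse`, `struct p11_uri`, the `p11_class` enum, the two convenience helpers) are my own and not engine or library APIs.

```c
#include <stdio.h>
#include <string.h>

/* Object classes a PKCS#11 URI may request; an engine maps these to CKA_CLASS. */
enum p11_class {
    P11_CLASS_UNSET = 0,   /* no type attribute present */
    P11_CLASS_PUBLIC,
    P11_CLASS_PRIVATE,
    P11_CLASS_CERT,
    P11_CLASS_UNKNOWN      /* a value this parser does not recognise */
};

struct p11_uri {
    char token[128];    /* decoded token label */
    char object[128];   /* decoded object label (CKA_LABEL) */
    char id[128];       /* decoded CKA_ID, treated as text here (real CKA_ID is binary) */
    enum p11_class cls; /* from "type" (RFC 7512) or "object-type" (older form) */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode n bytes of src into dst (dst_len includes the NUL).
 * Returns 0 on success, -1 on a truncated/invalid escape or overflow. */
static int pct_decode(const char *src, size_t n, char *dst, size_t dst_len)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            if (i + 2 >= n) return -1;           /* "%X" or "%" at end of value */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= dst_len) return -1;         /* no room for byte plus NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

static enum p11_class class_from(const char *s)
{
    if (strcmp(s, "public") == 0)  return P11_CLASS_PUBLIC;
    if (strcmp(s, "private") == 0) return P11_CLASS_PRIVATE;
    if (strcmp(s, "cert") == 0)    return P11_CLASS_CERT;
    return P11_CLASS_UNKNOWN;
}

static int key_is(const char *k, size_t klen, const char *name)
{
    return klen == strlen(name) && memcmp(k, name, klen) == 0;
}

/* Parse the path attributes of a pkcs11: URI. Returns 0 on success, -1 if malformed. */
int p11_uri_parse(const char *uri, struct p11_uri *out)
{
    memset(out, 0, sizeof *out);
    if (strncmp(uri, "pkcs11:", 7) != 0)
        return -1;
    const char *p = uri + 7;
    /* Path attributes are ';'-separated; '?' starts query attributes (pin-value etc.), not parsed here. */
    while (*p != '\0' && *p != '?') {
        const char *end = p + strcspn(p, ";?");
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq == NULL)
            return -1;                           /* attribute without '=' */
        size_t klen = (size_t)(eq - p);
        const char *v = eq + 1;
        size_t vlen = (size_t)(end - v);
        if (key_is(p, klen, "object")) {
            if (pct_decode(v, vlen, out->object, sizeof out->object)) return -1;
        } else if (key_is(p, klen, "token")) {
            if (pct_decode(v, vlen, out->token, sizeof out->token)) return -1;
        } else if (key_is(p, klen, "id")) {
            if (pct_decode(v, vlen, out->id, sizeof out->id)) return -1;
        } else if (key_is(p, klen, "type") || key_is(p, klen, "object-type")) {
            char tmp[16];                        /* class names are short; longer values are rejected */
            if (pct_decode(v, vlen, tmp, sizeof tmp)) return -1;
            out->cls = class_from(tmp);
        }
        /* Unrecognised attributes are skipped, as RFC 7512 permits. */
        p = end;
        if (*p == ';')
            p++;
    }
    return 0;
}

/* Convenience: object class of a URI, or -1 if the URI is malformed. */
int p11_uri_class(const char *uri)
{
    struct p11_uri u;
    return p11_uri_parse(uri, &u) == 0 ? (int)u.cls : -1;
}

/* Convenience: 1 if the decoded object label equals `label`, 0 if not, -1 if malformed. */
int p11_uri_object_equals(const char *uri, const char *label)
{
    struct p11_uri u;
    if (p11_uri_parse(uri, &u) != 0) return -1;
    return strcmp(u.object, label) == 0;
}

int main(void)
{
    /* Constructed samples: the public-key URI from the thread and a private-key URI with a PIN query. */
    const char *uris[] = {
        "pkcs11:object=SIGN%20pubkey;object-type=public",
        "pkcs11:token=My%20Token;id=%01%02;object=SIGN%20key;type=private?pin-value=1234",
    };
    static const char *names[] = { "unset", "public", "private", "cert", "unknown" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        struct p11_uri u;
        if (p11_uri_parse(uris[i], &u) != 0) { printf("%s: malformed\n", uris[i]); continue; }
        printf("token=\"%s\" object=\"%s\" class=%s\n", u.token, u.object, names[u.cls]);
    }
    return 0;
}
```

The point of carrying the class through is that a label alone is ambiguous on a token: a key pair's public and private objects routinely share one CKA_LABEL, so an engine that only ever searches for private keys and certificates cannot find the public half even when the URI names it. The decoded class is what should go into the CKA_CLASS attribute of the C_FindObjectsInit template.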

