[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Dec 21 22:15:45 UTC 2015


>>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>>> "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt
>> 
>> The current implementation of engine_pkcs11 seems to work with private
>> keys and certificates only. I've added a fix in engine_pkcs11, but it
>> seems that public key types were never tested for PKCS#11 URLs.
>
>Yes, mea culpa. I added the basic PKCS#11 URI parsing, and failed to
>test it with public keys.

Could you please point me at the code that needs fixing?

I’m trying to accomplish two goals:
 - make all (most of?) the openssl commands work with “pkcs11:…” URL;
 - make openssl (through engine_pkcs11) stop prompting for the PIN to
access public keys.

>I still suspect we should be using p11kit and not reimplementing the
>PKCS#11 URI parsing for ourselves. But really I want the whole engine
>to die and PKCS#11 to be supported as a first-class citizen within
>OpenSSL in crypto/p11/...

In the ideal world - yes. As it is though, I think we'd better get
engine_pkcs11 fixed. ;)
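Added example, not code from this thread or from engine_pkcs11/libp11: a small RFC 7512 PKCS#11 URI parser covering the two points raised above, i.e. that the engine reimplements URI parsing itself, and that resolving a public key should not require a PIN. It accepts the URI from the quoted openssl command; the legacy "object-type" spelling used there is mapped onto the RFC 7512 attribute name "type" (assumption: the engine treated the two as equivalent). The needs_login() policy (no C_Login for "public" or "cert", login for everything else including untyped URIs) is this example's own design choice, not engine_pkcs11 behaviour, and vendor-specific attributes permitted by RFC 7512 are rejected rather than passed through.

```python
"""Minimal RFC 7512 PKCS#11 URI parser with a login-need check (example code)."""
from urllib.parse import unquote_to_bytes

# Path attributes (RFC 7512 section 2.3). "object-type" is the pre-RFC spelling
# seen in the quoted openssl command; _split() maps it onto "type" (assumption).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
# Query attributes (RFC 7512 section 2.4).
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _split(component_str, sep, allowed, attrs):
    """Parse 'name=value' components separated by sep into attrs.

    Values are percent-decoded; ';' and '&' inside a value must therefore be
    encoded (%3B, %26), which is what keeps the split unambiguous.
    """
    if not component_str:
        return
    for comp in component_str.split(sep):
        name, eq, value = comp.partition("=")
        if not eq:
            raise ValueError(f"malformed component {comp!r}")
        if name == "object-type":  # legacy spelling, treated as "type"
            name = "type"
        if name not in allowed:
            raise ValueError(f"unknown attribute {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        raw = unquote_to_bytes(value)
        # CKA_ID is arbitrary bytes; all other attributes are UTF-8 text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")


def parse_pkcs11_uri(uri):
    """Return {attribute: value} for a pkcs11: URI, or raise ValueError."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    _split(path, ";", PATH_ATTRS, attrs)
    _split(query, "&", QUERY_ATTRS, attrs)
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {attrs['type']!r}")
    return attrs


def needs_login(attrs):
    """True if resolving the object should trigger C_Login (a PIN prompt).

    Public keys and certificates are normally readable from a token without
    a PIN, so an engine resolving such a URI has no reason to prompt. Private
    and secret keys need the PIN, and so does an untyped URI, because the
    engine cannot tell what it will find without searching the token.
    This policy is the example's own choice, not engine_pkcs11 behaviour.
    """
    return attrs.get("type") not in ("public", "cert")


if __name__ == "__main__":
    # Constructed sample URIs; the first is the one from the quoted command.
    for u in ("pkcs11:object=SIGN%20pubkey;object-type=public",
              "pkcs11:token=Tok%3B1;id=%01%ff;type=private?pin-value=1234"):
        a = parse_pkcs11_uri(u)
        print(u, "->", a, "| login needed:", needs_login(a))
```

In a real engine the PIN decision would be made after the object lookup (the token reports CKA_PRIVATE per object), but keying the prompt off the URI's type attribute already avoids the unnecessary PIN prompt for the common case of a URI that names a public key or certificate.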