[openssl-dev] Using keys from a hardware accelerator

David Woodhouse dwmw2 at infradead.org
Tue Jul 21 14:32:38 UTC 2015


On Tue, 2015-07-21 at 06:55 -0700, Alexander Gostrer wrote:
> 
> I didn't find any reference to pkcs11 or engine_pkcs11 or cryptoki in 
> the code. The closest thing I see on the master branch are 
> openssl/engines/vendor_defns/hwcryptohook.h, sureware.h, and so on. 
> Is there a special branch for pkcs11? Or do I just need to use
> hwcryptohook.h/sureware.h as reference code and make my own 
> implementation?

Unfortunately, PKCS#11 support isn't a part of OpenSSL directly
(although it would be really good to fix that).

The PKCS#11 engine is at https://github.com/OpenSC/engine_pkcs11

A new release is imminent, which allows you to specify certificates and
keys by a PKCS#11 URI (RFC7512) instead of the old format.

On systems where p11-kit exists, it also automatically loads the
appropriate PKCS#11 modules according to the system configuration. So
using it really is as simple as providing the correct PKCS#11 URI for
the cert/key you want.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation