[openssl-dev] openssl cms unable to access keys on token?

David Woodhouse dwmw2 at infradead.org
Mon Mar 14 21:08:28 UTC 2016


On Mon, 2016-03-14 at 19:27 +0000, Blumenthal, Uri - 0553 - MITLL
wrote:
> $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt
> -outform engine "pkcs11:object=KEY%20MAN%20pubkey;object-type=public"

That isn't what -outform does. It controls the output format of the
encrypted result:

$ openssl cms -aes256 -encrypt -binary -in data.txt -outform PEM cert.pem
-----BEGIN CMS-----
MIICIgYJKoZIhvcNAQcDoIICEzCCAg8CAQAxggHKMIIBxgIBADCBrTCBpzELMAkG
...

There is no option which makes it obtain the *certificate* (to which it
is encrypting the CMS message) from an engine. There isn't even a
standard way for an engine to provide such functionality — the PKCS#11
engine currently exposes it only with a custom "LOAD_CERT_CTRL"
command.

This is just one of many reasons why libp11/engine_pkcs11 needs to die
as a separate project, and we need to incorporate proper PKCS#11
support into OpenSSL natively.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
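The following is an added example, not from the mail above or from the OpenSSL project, illustrating the point made in the reply: `-outform` selects only the encoding of the encrypted CMS output (PEM or DER here), and the recipient certificate is always supplied as a file argument. It assumes the `openssl` command-line tool is on PATH; the key pair, certificate and plaintext are all constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the original thread): round-trip a CMS
# EnvelopedData message with both -outform PEM and -outform DER.
# Assumes the openssl CLI is installed; every file used here is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed recipient: a throwaway RSA key and self-signed certificate.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=cms-demo' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Encrypt $WORK/data.txt to cert.pem in the requested encoding.
# The certificate is a positional file argument; -outform only names the
# encoding of the result. Prints the first line so the encoding is visible.
encrypt_with_outform() {
    form=$1
    openssl cms -encrypt -aes256 -binary -in "$WORK/data.txt" \
        -outform "$form" -out "$WORK/msg.$form" "$WORK/cert.pem"
    head -n 1 "$WORK/msg.$form"
}

# Decrypt a message produced above; -inform must match the -outform used.
decrypt_with_inform() {
    form=$1
    openssl cms -decrypt -inform "$form" -in "$WORK/msg.$form" \
        -inkey "$WORK/key.pem" -recip "$WORK/cert.pem"
}

# Full round trip for one encoding: succeeds (exit 0) only when decryption
# reproduces the constructed plaintext exactly.
cms_roundtrip() {
    form=$1
    printf 'hello cms\n' > "$WORK/data.txt"
    make_recipient
    encrypt_with_outform "$form" >/dev/null
    [ "$(decrypt_with_inform "$form")" = "hello cms" ]
}

cms_roundtrip PEM && echo "PEM round trip ok"
cms_roundtrip DER && echo "DER round trip ok"
```

Running `encrypt_with_outform PEM` prints `-----BEGIN CMS-----`, matching the reply's own output; with `DER` the file starts with raw ASN.1 bytes instead. Only the decryption side can pull material from a token (the private key via `-keyform engine -inkey`); the encryption side has no equivalent for the certificate, which is exactly the gap the reply describes.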


