[openssl-dev] openssl cms unable to access keys on token?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Mon Mar 14 22:34:10 UTC 2016
On 3/14/16, 17:33, "David Woodhouse" <dwmw2 at infradead.org> wrote:
>On Mon, 2016-03-14 at 21:28 +0000, Blumenthal, Uri - 0553 - MITLL
>wrote:
>> You are right - the command line was wrong. Here’s the correct line,
>> which
>> should work, but doesn’t:
>>
>> $ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary
>> -outform PEM -out data.txt.enc
>> "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert"
>
>Yeah, that won't work either.
Yep…
>Perhaps you need the "-certform engine" option.
>
>Which doesn't exist. :)
I’d personally prefer the cms app to have internal logic “if -engine is
specified and the cert name starts with ‘pkcs11:’ then load it via
engine”. It’s been suggested in another forum that perhaps openssl should
automatically load the appropriate engine if the resource (key || pubkey
|| cert) is specified via URI that starts with the engine name (like
“pkcs11:”).
Does it mean I need to come up with a PR? :-)
>(My mailer doesn't seem to trust your signing cert, btw. Should you be
>including an intermediate certificate in your messages? For that
>matter, should I? :)
Yours appear OK. Perhaps because I know StartCom. ;)
I’ll send you mine.
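Added example (not from this thread, and not OpenSSL's or OpenSC's own code): since the cms app has no "-certform engine", the certificate can be read off the token as a plain public object and handed to "openssl cms" as a file, while the private key stays on the token for the decrypt side. It assumes OpenSC's pkcs11-tool (the default module, or one named in a hypothetical PKCS11_MODULE variable) and the pkcs11 engine; the helper and function names are constructed for this example.

```shell
#!/bin/sh
set -e

# Pull the "object=" attribute out of a pkcs11: URI and percent-decode it,
# so the same URI the author passed to cms can drive pkcs11-tool --label.
pkcs11_label_from_uri() {
  label=$(printf '%s' "$1" | sed 's/^pkcs11://' | tr ';' '\n' | sed -n 's/^object=//p')
  out=""
  rest=$label
  while [ -n "$rest" ]; do
    case $rest in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=$(printf '%s' "$rest" | cut -c2-3)
        # hex -> octal escape, which POSIX printf understands
        out="$out$(printf "\\$(printf '%03o' "0x$hex")")"
        rest=$(printf '%s' "$rest" | cut -c4-)
        ;;
      *)
        out="$out$(printf '%s' "$rest" | cut -c1)"
        rest=$(printf '%s' "$rest" | cut -c2-)
        ;;
    esac
  done
  printf '%s' "$out"
}

# Encrypt for the certificate the URI names: export the (public, no PIN)
# cert object, convert DER to PEM, then run the ordinary cms command.
cms_encrypt_for_token_cert() {
  uri=$1; infile=$2; outfile=$3
  label=$(pkcs11_label_from_uri "$uri")
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  pkcs11-tool ${PKCS11_MODULE:+--module "$PKCS11_MODULE"} \
    --read-object --type cert --label "$label" -o "$tmp/cert.der"
  openssl x509 -inform DER -in "$tmp/cert.der" -out "$tmp/cert.pem"
  openssl cms -encrypt -aes256 -binary -in "$infile" \
    -outform PEM -out "$outfile" "$tmp/cert.pem"
}

# Decrypting later does work through the engine, because cms has -keyform:
#   openssl cms -decrypt -engine pkcs11 -keyform engine \
#       -inkey "pkcs11:object=<key label>;object-type=private" \
#       -recip cert.pem -inform PEM -in data.txt.enc -out data.txt

# usage: script.sh "<pkcs11 URI>" data.txt data.txt.enc
if [ "$#" -eq 3 ]; then
  cms_encrypt_for_token_cert "$1" "$2" "$3"
fi
```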