[openssl-dev] openssl cms unable to access keys on token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Mar 14 22:34:10 UTC 2016

On 3/14/16, 17:33, "David Woodhouse" <dwmw2 at infradead.org> wrote:

>On Mon, 2016-03-14 at 21:28 +0000, Blumenthal, Uri - 0553 - MITLL
>> You are right - the command line was wrong. Here’s the correct line,
>> which
>> should work, but doesn’t:
>> $ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary
>> -outform PEM -out data.txt.enc
>> "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert"
>Yeah, that won't work either.


>Perhaps you need the "-certform engine" option.
>Which doesn't exist. :)

I’d personally prefer the cms app to have internal logic “if -engine is
specified and the cert name starts with ‘pksc11:’ then load it via
engine”. It’s been suggested in another forum that perhaps openssl should
automatically load the appropriate engine if the resource (key || pubkey
|| cert) is specified via URI that starts with the engine name (like

Does it mean I need to come up with a PR? :-)

>(My mailer doesn't seem to trust your signing cert, btw. Should you be
>including an intermediate certificate in your messages? For that
>matter, should I? :)

Yours appear OK. Perhaps because I know StartCom. ;)

I’ll send you mine.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160314/9f182055/attachment.bin>

More information about the openssl-dev mailing list