[openssl-dev] openssl cms unable to access keys on token?

David Woodhouse dwmw2 at infradead.org
Mon Mar 14 22:56:25 UTC 2016


On Mon, 2016-03-14 at 22:34 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> I’d personally prefer the cms app to have internal logic “if -engine is
> specified and the cert name starts with ‘pkcs11:’ then load it via
> engine”.

So you don't want the -keyform argument to exist either? That would
also be redundant, by the same logic. And I'm not sure it's true.

> It’s been suggested in another forum that perhaps openssl should
> automatically load the appropriate engine if the resource (key || pubkey
> || cert) is specified via URI that starts with the engine name (like
> “pkcs11:”).

I dislike this, because it could be used to provoke OpenSSL into
loading arbitrary engines. It also dramatically increases the chance of
accidental collision with real filenames.

But I suppose if it was restricted to explicitly-configured prefixes,
that would be tolerable.

But seriously, I was mostly planning to ditch the engine completely for
PKCS#11, and add code to crypto/pkcs11/ to do things directly.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
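The prefix-restricted dispatch discussed above, as an added illustration that is not code from this thread or from OpenSSL: a resolver that only hands a resource to an engine whose URI scheme was explicitly configured, refuses to auto-load any other engine, and treats a clash between a configured prefix and an existing file as an error rather than guessing. The allowlist, the `file_exists` hook and the sample resource strings are all constructed for the example.

```python
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed allowlist standing in for explicitly-configured prefixes:
# URI scheme -> engine that is allowed to handle it.
CONFIGURED_ENGINE_PREFIXES: Dict[str, str] = {"pkcs11": "pkcs11"}


def resolve_key_source(resource: str,
                       engine: Optional[str] = None,
                       keyform: str = "PEM",
                       configured: Dict[str, str] = CONFIGURED_ENGINE_PREFIXES,
                       file_exists: Callable[[str], bool] = os.path.exists
                       ) -> Tuple[str, str, str]:
    """Decide how a key/cert resource should be loaded.

    Returns (kind, engine_or_format, resource):
      ("engine", <engine name>, <uri>)  -- hand the URI to that engine
      ("file",   <keyform>,     <path>) -- read it from disk as before
    Raises ValueError rather than loading an engine that was neither
    named with -engine nor explicitly configured for the URI scheme.
    """
    # An explicit -keyform ENGINE keeps its meaning: the caller chose it.
    if keyform.upper() == "ENGINE":
        if not engine:
            raise ValueError("-keyform ENGINE requires -engine")
        return ("engine", engine, resource)

    scheme, sep, _rest = resource.partition(":")
    if sep and scheme in configured:
        wanted = configured[scheme]
        # Never let a resource string pull in an engine the user did not ask for.
        if engine and engine != wanted:
            raise ValueError(f"scheme '{scheme}:' is bound to engine '{wanted}', "
                             f"but -engine {engine} was given")
        # A real file with the same name is a collision, not something to guess at.
        if file_exists(resource):
            raise ValueError(f"'{resource}' is both a configured URI and an "
                             f"existing file; rename one of them")
        return ("engine", wanted, resource)

    # Unknown or absent scheme: plain file, and no engine is loaded.
    return ("file", keyform, resource)
```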
