[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Nov 16 15:56:05 UTC 2016


My apologies – I don’t fully understand “file based engine keys”. I thought the keys were either on a hardware device (a TPM, a PKCS#11-accessible HSM or smartcard, etc), or in a file. If a key is in a file – it’s not an “engine key”.

What am I missing, and what’s your use case(s)?
-- 
Regards,
Uri


On 11/16/16, 10:46 AM, "openssl-dev on behalf of James Bottomley" <openssl-dev-bounces at openssl.org on behalf of James.Bottomley at HansenPartnership.com> wrote:

    [David Woodhouse told me that openssl-dev is a closed list, so the
    original messages got trashed.  This is a resend with apologies to
    David and Peter]
    
    One of the principal problems of using TPM based keys is that there's
    no easy way of integrating them with standard file based keys.  This
    proposal adds a generic method for handling file based engine keys that
    can be loaded as PEM files.  Integration into the PEM loader requires a
    BIO based engine API callback which the first patch adds.  The second
    patch checks to see if the key can be loaded by any of the present
    engines.  Note that this requires that any engine which is to be used
    must be present and initialised via openssl.cnf.
    
    I'll also post to this list the patch to openssl_tpm_engine that makes
    use of this infrastructure so the integration of the whole can be seen.
    It should also be noted that gnutls has had this functionality since
    2012.
    
    The patch was done against 1.0.2h for easier testing and you can try it
    and the openssl_tpm_engine out (if you run openSUSE) here:
    
    https://build.opensuse.org/project/show/home:jejb1:Tumbleweed
    
    James
    
    ---
    
    James Bottomley (2):
      engine: add new flag based method for loading engine keys
      pem: load engine keys
    
     crypto/engine/eng_int.h  |  1 +
     crypto/engine/eng_pkey.c | 38 ++++++++++++++++++++++++++++++++++++++
     crypto/engine/engine.h   | 26 ++++++++++++++++++++++++++
     crypto/pem/pem_pkey.c    |  5 +++++
     4 files changed, 70 insertions(+)
    
    -- 
    openssl-dev mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
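The quoted cover letter describes the mechanism only at a high level: the PEM loader keeps handling ordinary key types itself and, when it meets a PEM type it does not recognise, asks each engine that has been initialised whether the blob is one of its keys. The Python model below is an added illustration of that dispatch, not code from the patch set or from openssl_tpm_engine; the "TSS KEY BLOB" PEM label, the four-byte blob header and both key files are constructed assumptions, and the engine returns only a handle because the private key material never leaves the TPM.

```python
import base64
import re

# Constructed sample files. The "TSS KEY BLOB" label and the header bytes are
# assumptions made for this illustration, not values taken from the patches.
TPM_KEY_PEM = (
    "-----BEGIN TSS KEY BLOB-----\n"
    + base64.encodebytes(b"\x01\x01\x00\x00constructed-opaque-tpm-wrapped-key").decode()
    + "-----END TSS KEY BLOB-----\n"
)
SOFTWARE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MAMCAQA=\n"  # constructed DER placeholder, not a real key
    "-----END RSA PRIVATE KEY-----\n"
)

# PEM types the loader handles itself without consulting any engine.
SOFTWARE_LABELS = frozenset(
    {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
)

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return (label, raw bytes) for the first PEM block in `text`."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    return label, base64.b64decode("".join(body.split()))


class Engine:
    """Minimal model of an ENGINE that can load private keys from a PEM file."""

    name = "base"
    pem_labels = frozenset()

    def load_private_key(self, label, der):
        """Return a key handle, or None if this engine does not own `label`."""
        if label not in self.pem_labels:
            return None
        return self._load(der)

    def _load(self, der):
        raise NotImplementedError


class TpmEngine(Engine):
    """Stand-in for a TPM engine: the blob is opaque and stays TPM-bound."""

    name = "tpm"
    pem_labels = frozenset({"TSS KEY BLOB"})  # assumed label
    HEADER = b"\x01\x01\x00\x00"  # assumed blob version header

    def _load(self, der):
        # Reject blobs that do not carry the expected header before handing
        # them to the device; a wrong-type file should fail here, not later.
        if not der.startswith(self.HEADER):
            raise ValueError("tpm: blob header mismatch")
        # Only a handle is returned; the wrapped key material is never exposed.
        return {"type": "engine", "engine": self.name, "blob_len": len(der)}


def load_private_key(pem_text, engines):
    """PEM loader with the proposal's fallback to initialised engines."""
    label, der = parse_pem(pem_text)
    if label in SOFTWARE_LABELS:
        return {"type": "software", "label": label, "der_len": len(der)}
    # Fallback: ask each engine present at this point whether it owns the blob.
    for engine in engines:
        key = engine.load_private_key(label, der)
        if key is not None:
            return key
    raise ValueError(
        f"no loader for PEM type {label!r}: is the engine initialised via openssl.cnf?"
    )


if __name__ == "__main__":
    engines = [TpmEngine()]
    print(load_private_key(SOFTWARE_KEY_PEM, engines))
    print(load_private_key(TPM_KEY_PEM, engines))
```

The `engines` list stands for the engines that openssl.cnf has initialised; passing an empty list reproduces the failure mode the cover letter warns about, where a TPM key file cannot be opened because no engine is present to claim it.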
    