[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Wed Nov 16 22:11:18 UTC 2016
Thank you! I think I understand. (Sounds like an ugly and hardly necessary complication to me – not to mention that there might not be a filesystem to keep those around, but…)
—
Regards,
Uri
On 11/16/16, 5:06 PM, "openssl-dev on behalf of Dr. Stephen Henson" <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:
On Wed, Nov 16, 2016, Richard Levitte wrote:
> If I understand correctly, the intention is to avoid having to use
> ENGINE_load_private_key() directly or having to say '-keyform ENGINE'
> to the openssl commands, and to avoid having to remember some cryptic
> key identity to give with '-key'. Instead of all that, just give the
> name of a .pem file with '-key' and if that file contains some kind of
> magic information that the engine can understand, it will dig out a
> reference to the hw protected key.
>
> Many years ago, I was thinking of something along the same lines, but
> with a .pem file that would just have a few headers, holding the name
> of the intended engine and the key identity, something like this:
>
> -----BEGIN PRIVATE KEY-----
> X-key-id: flarflarflar
> X-key-engine: foo
> -----END PRIVATE KEY-----
>
> The intent was that the PEM code would be massaged to recognise these
> headers and would then use ENGINE_by_id() / ENGINE_load_private_key()
> with those data and that would be it.
>
Yes me too. Though if you're doing that something like "ENGINE PRIVATE KEY"
or "OPENSSL ENGINE PRIVATE KEY" as just "PRIVATE KEY" is associated with
PKCS#8.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20161116/e7f7b62c/attachment.bin>
More information about the openssl-dev
mailing list