[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Nov 16 22:11:18 UTC 2016


Thank you! I think I understand. (Sounds like an ugly and hardly necessary complication to me – not to mention that there might not be a filesystem to keep those around, but…)
— 
Regards,
Uri


On 11/16/16, 5:06 PM, "openssl-dev on behalf of Dr. Stephen Henson" <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:

    On Wed, Nov 16, 2016, Richard Levitte wrote:
    
    > If I understand correctly, the intention is to avoid having to use
    > ENGINE_load_private_key() directly or having to say '-keyform ENGINE'
    > to the openssl commands, and to avoid having to remember some cryptic
    > key identity to give with '-key'.  Instead of all that, just give the
    > name of a .pem file with '-key' and if that file contains some kind of
    > magic information that the engine can understand, it will dig out a
    > reference to the hw protected key.
    > 
    > Many years ago, I was thinking of something along the same lines, but
    > with a .pem file that would just have a few headers, holding the name
    > of the intended engine and the key identity, something like this:
    > 
    >     -----BEGIN PRIVATE KEY-----
    >     X-key-id: flarflarflar
    >     X-key-engine: foo
    >     -----END PRIVATE KEY-----
    > 
    > The intent was that the PEM code would be massaged to recognise these
    > headers and would then use ENGINE_by_id() / ENGINE_load_private_key()
    > with those data and that would be it.
    > 
    
    Yes, me too. Though if you're doing that, something like "ENGINE PRIVATE KEY"
    or "OPENSSL ENGINE PRIVATE KEY", as just "PRIVATE KEY" is associated with
    PKCS#8.
    
    Steve.
    --
    Dr Stephen N. Henson. OpenSSL project core developer.
    Commercial tech support now available see: http://www.openssl.org
    -- 
    openssl-dev mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
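To make the sketch above concrete, here is a small parser for such a header-only PEM block, written as an added illustration for this thread and not code from OpenSSL or from either poster. It assumes the dedicated label "ENGINE PRIVATE KEY" that Steve suggests (so a real PKCS#8 "PRIVATE KEY" block is never mistaken for an engine reference), requires both X-key-id and X-key-engine headers, rejects any block that also carries base64 key material, and then dispatches the reference to a loader in the way the PEM code would call ENGINE_by_id() followed by ENGINE_load_private_key(). The sample block and the "foo" engine stand-in are constructed for the example.

```python
import re

# RFC 1421-style encapsulation boundaries; the label is captured for checking.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Assumed label for an engine reference (Steve's suggestion in the thread).
# "PRIVATE KEY" on its own is reserved for PKCS#8 and is deliberately refused.
ENGINE_LABEL = "ENGINE PRIVATE KEY"

# Engine ids are later handed to a lookup by name, so keep them to a tame alphabet.
ENGINE_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def parse_engine_pem(text):
    """Parse a header-only PEM block and return (engine_id, key_id).

    Raises ValueError for anything that is not a well-formed engine reference:
    wrong label, mismatched END line, missing or duplicate headers, or any
    non-header line (which would indicate embedded key material).
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")

    m_begin = BEGIN_RE.match(lines[0])
    if not m_begin:
        raise ValueError("missing BEGIN line")
    label = m_begin.group(1)
    if label != ENGINE_LABEL:
        raise ValueError(f"label {label!r} is not an engine reference")

    m_end = END_RE.match(lines[-1])
    if not m_end or m_end.group(1) != label:
        raise ValueError("missing or mismatched END line")

    headers = {}
    for ln in lines[1:-1]:
        if not ln:
            continue
        if ":" not in ln:
            # A reference block carries headers only; base64 data means this is
            # real key material and must not be routed to an engine.
            raise ValueError("engine reference must not carry key material")
        name, value = ln.split(":", 1)
        name = name.strip().lower()
        if name in headers:
            raise ValueError(f"duplicate header {name!r}")
        headers[name] = value.strip()

    try:
        engine = headers["x-key-engine"]
        key_id = headers["x-key-id"]
    except KeyError as exc:
        raise ValueError(f"missing header {exc.args[0]!r}") from None

    if not ENGINE_ID_RE.match(engine):
        raise ValueError("engine id contains unexpected characters")
    if not key_id:
        raise ValueError("empty key id")
    return engine, key_id


def load_engine_key(text, engines):
    """Resolve the reference: look the engine up by id, then ask it for the key.

    `engines` maps engine id -> callable(key_id) -> opaque key handle, standing in
    for ENGINE_by_id() + ENGINE_load_private_key(). Only the handle is returned;
    the hardware-protected key never leaves the engine.
    """
    engine, key_id = parse_engine_pem(text)
    try:
        loader = engines[engine]
    except KeyError:
        raise ValueError(f"engine {engine!r} is not available") from None
    return loader(key_id)


# Constructed sample matching the sketch in the thread, with the assumed label.
SAMPLE = """\
-----BEGIN ENGINE PRIVATE KEY-----
X-key-id: flarflarflar
X-key-engine: foo
-----END ENGINE PRIVATE KEY-----
"""

# Constructed stand-in for an engine named "foo": returns an opaque handle.
FAKE_ENGINES = {"foo": lambda key_id: {"engine": "foo", "handle": key_id}}

if __name__ == "__main__":
    print(parse_engine_pem(SAMPLE))
    print(load_engine_key(SAMPLE, FAKE_ENGINES))
```

The strictness is the point: an engine reference should look nothing like a PKCS#8 block and should contain no base64 body, so that a loader which sees the wrong label or any key data refuses rather than guessing.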
    

