[openssl-dev] [RFC 1/2] engine: add new flag based method for loading engine keys

David Woodhouse dwmw2 at infradead.org
Sat Nov 19 04:43:38 UTC 2016


On Thu, 2016-11-17 at 09:33 +0200, Roumen Petrov wrote:
> David Woodhouse wrote:
> > > The assumption in all the current engine code is that key_id can be
> > > passed as something like a file name.
> 
> This is mostly documentation issue.
> Usually OpenSSL man pages use filename for <KEY>, but actually it is 
> just a string and the engine is responsible for how to process it.

Right. In engine_pkcs11 it's an RFC 7512 PKCS#11 URI and not a filename.

> > >   There are some new users that
> > > actually want to pass a BIO, so add a new load_key method for
> > > engines
> > > that takes a flag value.
> 
> Engine could use some URN formats for <KEY>. For instance if <KEY> 
> starts with file:/ engine could try to load from filesystem.

Note that GnuTLS has a URN format for keys stored in the TPM. See
output of 'tpmtool --list' for example. The TPM engine should probably
accept those.

But this doesn't help with the case where we *have* the actual
(wrapped) key data in memory already — unless you pass in a string
which is a base64-encoded form of that, which is kind of horrid.

-- 
dwmw2
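To illustrate the point that key_id is an opaque string which the engine alone interprets, here is an added example (not code from OpenSSL, engine_pkcs11 or this thread) that extracts percent-encoded path attributes from an RFC 7512 PKCS#11 URI of the kind engine_pkcs11 accepts; the URI values it is exercised with are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not OpenSSL's or engine_pkcs11's code): a minimal RFC 7512
 * PKCS#11 URI attribute lookup, as an engine applies to the key_id string
 * OpenSSL hands it unchanged. Query attributes after '?' are not searched. */

/* Percent-decode n bytes of src into dst; returns decoded length or -1. */
static int pct_decode(const char *src, size_t n, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (o + 1 >= dstlen) return -1;       /* no room for byte plus NUL */
        if (src[i] != '%') { dst[o++] = src[i]; continue; }
        if (i + 2 >= n || !isxdigit((unsigned char)src[i + 1]) ||
            !isxdigit((unsigned char)src[i + 2]))
            return -1;                        /* malformed escape: reject */
        char hex[3] = { src[i + 1], src[i + 2], 0 };
        dst[o++] = (char)strtol(hex, NULL, 16);
        i += 2;
    }
    dst[o] = 0;
    return (int)o;
}

/* Look up path attribute `name` (token, object, id, ...) in a pkcs11: URI.
 * Returns the decoded length (the value may hold NUL bytes, e.g. id=%00%01),
 * or -1 if key_id is not a PKCS#11 URI or lacks the attribute. */
int pkcs11_uri_attr(const char *uri, const char *name, char *out, size_t outlen) {
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;   /* other key_id scheme */
    const char *p = uri + 7, *end = strchr(p, '?');
    if (!end) end = p + strlen(p);
    size_t nlen = strlen(name);
    while (p < end) {                         /* components separated by ';' */
        const char *sep = memchr(p, ';', (size_t)(end - p));
        const char *cend = sep ? sep : end;
        const char *eq = memchr(p, '=', (size_t)(cend - p));
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0)
            return pct_decode(eq + 1, (size_t)(cend - eq - 1), out, outlen);
        p = cend + 1;
    }
    return -1;
}

/* Convenience check: does attribute `name` decode to exactly `expect`? */
int pkcs11_uri_attr_is(const char *uri, const char *name, const char *expect) {
    char buf[256];
    int n = pkcs11_uri_attr(uri, name, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}
```

A plain file path or a base64 blob passed as key_id simply fails the scheme check, which is where a URN-style prefix such as file:/ would be dispatched instead.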