[openssl-users] OpenSSL engine and TPM usage.

Jakob Bohm jb-openssl at wisemo.com
Wed Oct 25 21:25:56 UTC 2017


On 25/10/2017 19:06, Jayalakshmi bhat wrote:
> Hi All,
>
> Our device uses TPM to protect certificate private keys. We have 
> written engine interface to integrate TPM functionality into OpenSSL. 
> Thus TPM gets loaded as an engine instance.
> Also we have mapped RSA operations to TPM APIs like 
> encryption/decryption etc.
>
> Now we are running into a few issues. There are a few applications that want 
> to use an application-specific identity certificate. In such cases RSA APIs 
> should not get mapped to TPM APIs.
>
> I wanted to know, when we use an engine instance for encryption/decryption 
> operations, can it be done selectively?
>
Please beware that many TPM chips were recently discovered to contain a
broken RSA key generation algorithm, so public/private key pairs to be
stored in the TPM should probably be generated off-chip (using the OpenSSL
software key generator) and imported into the chip, contrary to what would
have been best security practice without this firmware bug.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
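The broken generator Jakob warns about leaves a structure in the public modulus that can be recognised from the public key alone, which is the check worth running on keys an affected TPM has already produced. Added example, not code from the original thread: it assumes the flaw meant is the Infineon RSA key-generation weakness published in October 2017 (ROCA), and the two sample moduli are constructed stand-ins, not real keys.

```python
import math

# Added example, not from the original thread: fingerprint check for RSA
# moduli produced by the flawed Infineon key generator (ROCA, October 2017).
# Affected keys have primes p = k*M + (65537^a mod M) with M a primorial, so
# the modulus N satisfies  N mod q in {65537^i mod q}  for every small prime
# q dividing M. A sound generator violates this for at least one of the odd
# primes below with overwhelming probability (2 is skipped: N is odd).

FINGERPRINT_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
    157, 163, 167,
]

def _generator_residues(q):
    """Subgroup of (Z/qZ)* generated by 65537: all values 65537^i mod q."""
    residues, r = set(), 1
    while r not in residues:
        residues.add(r)
        r = (r * 65537) % q
    return residues

_RESIDUE_SETS = {q: _generator_residues(q) for q in FINGERPRINT_PRIMES}

def has_roca_fingerprint(modulus):
    """True if the public modulus has the weak-generator structure.

    False means the key is not from the flawed generator; True means it
    almost certainly is (false positives are negligible for real keys)."""
    if modulus % 2 == 0:
        return False  # not a valid RSA modulus at all
    return all(modulus % q in _RESIDUE_SETS[q] for q in FINGERPRINT_PRIMES)

# Constructed sample inputs (not real keys):
# 65537^a mod (2*M) has exactly the residues of a weak modulus mod each q,
# and is odd, so it stands in for a key from an affected TPM.
WEAK_LIKE_MODULUS = pow(65537, 123456, 2 * math.prod(FINGERPRINT_PRIMES))
# Residue 3 mod 11 is impossible for a weak key (65537^i mod 11 is 1 or 10),
# so this stands in for a modulus from a sound generator.
SOUND_LIKE_MODULUS = 11 * (1 << 2000) + 3
```

To check a real key, pass the integer modulus taken from the certificate or public key; any key that returns True should be replaced with one generated off-chip as described above.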


