[openssl-users] OpenSSL engine and TPM usage.

Richard Levitte levitte at openssl.org
Thu Oct 26 11:57:07 UTC 2017

In message <CALq8RvLJVQtPhxtQuJzK5oWpb9w79u02FeW1ZoN636va6=F7NA at mail.gmail.com> on Wed, 25 Oct 2017 22:36:45 +0530, Jayalakshmi bhat <bhat.jayalakshmi at gmail.com> said:

bhat.jayalakshmi> Our device uses TPM to protect certificate private
bhat.jayalakshmi> keys. We have written engine interface to integrate
bhat.jayalakshmi> TPM functionality into OpenSSL. Thus TPM gets loaded
bhat.jayalakshmi> as an engine instance. Also we have mapped RSA
bhat.jayalakshmi> operations to TPM APIs, like encryption/decryption,
bhat.jayalakshmi> etc.
bhat.jayalakshmi> Now we are into a few issues. There are a few
bhat.jayalakshmi> applications that wants to use application specific
bhat.jayalakshmi> identity certificate. In such cases RSA APIs should
bhat.jayalakshmi> not get mapped to TPM APIs.
bhat.jayalakshmi> I wanted to know when we use engine instance for
bhat.jayalakshmi> encryption/decryption operation, can it be done
bhat.jayalakshmi> selectively?

Yes, it should be possible.  However, this is up to the application,
not to your engine.  The engine simply offers methods, the application
chooses to use some or all of them as default algo implementations
through the diverse ENGINE_set_default* functions.

For keys such as RSA ones, you can simply create the resulting fetched
key with RSA_new_method(e), where |e| is your TPM engine, and your
engine's RSA method will be attached to that key rather than the


Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
