Add pkcs11 command
Antonio Iacono
antiac at gmail.com
Fri Mar 8 23:35:31 UTC 2019
OK thanks,
initial implementation of STORE into my pkcs11 engine (1) is ready.
I am able to do this openssl storeutl -engine pkcs11
'pkcs11:objecttype=cert;object=test'
and this is result:
engine "pkcs11" set.
0: Certificate
-----BEGIN CERTIFICATE-----
MIIC/DCCAeSgAwIBAgIUDrAyYf/dMsavGGEuYMLqJxFrHOUwDQYJKoZIhvcNAQEL
...
(1) https://github.com/openssl/openssl/pull/8200
On Wed, Mar 6, 2019 at 4:37 PM Richard Levitte <levitte at openssl.org> wrote:
> What you need to do on bind is to create a whole OSSL_STORE_LOADER for
> pkcs11. OSSL_STORE_LOADER_set_open only sets the opening functions,
> which is expected to take a URI and parse that into something
> sensible, and return a context. There are other functions to set as
> well, such as the 'load', 'eof', 'error' and 'close' functions.
>
> The OSSL_STORE_LOADER callback set is designed to work somewhat
> vaguely like the stdio API, but instead of handling a set of bytes, it
> handles a set of objects, which can be whatever the OSSL_STORE API
> knows how to handle.
>
> When you're done building the OSSL_STORE_LOADER (including a scheme
> name, that's absolutely important), you hook it into libcrypto with
> OSSL_STORE_register_loader(), an voilà, you should be able to do this:
>
> openssl storeutil -engine yourengine \
> 'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'
>
> (I'm sorry, I don't know the URI scheme enough to say how to specify
> that you want to get a list of all accessible certificates or other
> objects)
>
> There is the manual OSSL_STORE_LOADER(3) found in doc/man3/OSSL_STORE_LOADER.pod,
> and the 'file:' scheme loader is in crypto/store/loader_file.c, but
> fair warning, that one is a bit more complex than you would probably
> expect from the average store loader.
>
> Cheers,
> Richard
>
More information about the openssl-users
mailing list