Add pkcs11 command

Antonio Iacono antiac at
Fri Mar 8 23:35:31 UTC 2019

OK thanks,

initial implementation of STORE into my pkcs11 engine (1) is ready.
I am able to do this openssl storeutl -engine pkcs11
and this is result:
engine "pkcs11" set.
0: Certificate


On Wed, Mar 6, 2019 at 4:37 PM Richard Levitte <levitte at> wrote:
> What you need to do on bind is to create a whole OSSL_STORE_LOADER for
> pkcs11.  OSSL_STORE_LOADER_set_open only sets the opening functions,
> which is expected to take a URI and parse that into something
> sensible, and return a context.  There are other functions to set as
> well, such as the 'load', 'eof', 'error' and 'close' functions.
> The OSSL_STORE_LOADER callback set is designed to work somewhat
> vaguely like the stdio API, but instead of handling a set of bytes, it
> handles a set of objects, which can be whatever the OSSL_STORE API
> knows how to handle.
> When you're done building the OSSL_STORE_LOADER (including a scheme
> name, that's absolutely important), you hook it into libcrypto with
> OSSL_STORE_register_loader(), an voilà, you should be able to do this:
>     openssl storeutil -engine yourengine \
>         'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'
> (I'm sorry, I don't know the URI scheme enough to say how to specify
> that you want to get a list of all accessible certificates or other
> objects)
> There is the manual OSSL_STORE_LOADER(3) found in doc/man3/OSSL_STORE_LOADER.pod,
> and the 'file:' scheme loader is in crypto/store/loader_file.c, but
> fair warning, that one is a bit more complex than you would probably
> expect from the average store loader.
> Cheers,
> Richard

More information about the openssl-users mailing list