On 3 March 2013 04:36, Jonathan Buhacoff <jonat...@buhacoff.net> wrote:
> Hi,
>
> I have a school project to make use of a TPM to store the server's RSA 
> private key for use with openssl.  Specifically, that private key would be 
> sealed to certain PCR values that are also encoded in the X509 certificate so 
> that, when clients make a TLS connection to the server, clients trusting that 
> particular X509 certificate know that a connection can only be established if 
> the server's state corresponds to what is on the certificate.
>
> When a server needs to decrypt the client challenge in order to prepare the 
> server-verify message, instead of loading its private key from disk and 
> performing an RSA decryption, in this project the server would use the 
> trousers library to pass the material to be decrypted to the TPM and get the 
> results.  Everything before and after this step should stay the same.
>
> I think the relevant code is in ssl3_get_client_key_exchange,  because it 
> calls RSA_private_decrypt.
>
> My question is -  should I be writing a patch for the default engine to allow 
> this option to keep the private key in the TPM?  or should I be writing a new 
> engine that is essentially a copy of the default engine except for this one 
> change?   What makes more sense if I'm going to contribute the code after my 
> project is done?
>
> A related consideration is that the configuration would need to accommodate 
> this option, either by allowing another format for the private key file 
> option or by creating a new custom option.
>
> All opinions welcome...

You should already be able to do this via PKCS 11 (note: I haven't
actually tried it).
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
