Thank you! I think I understand. (Sounds like an ugly and hardly necessary complication to me – not to mention that there might not be a filesystem to keep those around, but…) — Regards, Uri
On 11/16/16, 5:06 PM, "openssl-dev on behalf of Dr. Stephen Henson" <openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote: On Wed, Nov 16, 2016, Richard Levitte wrote: > If I understand correctly, the intention is to avoid having to use > ENGINE_load_private_key() directly or having to say '-keyform ENGINE' > to the openssl commands, and to avoid having to remember some cryptic > key identity to give with '-key'. Instead of all that, just give the > name of a .pem file with '-key' and if that file contains some kind of > magic information that the engine can understand, it will dig out a > reference to the hw protected key. > > Many years ago, I was thinking of something along the same lines, but > with a .pem file that would just have a few headers, holding the name > of the intended engine and the key identity, something like this: > > -----BEGIN PRIVATE KEY----- > X-key-id: flarflarflar > X-key-engine: foo > -----END PRIVATE KEY----- > > The intent was that the PEM code would be massaged to recognise these > headers and would then use ENGINE_by_id() / ENGINE_load_private_key() > with those data and that would be it. > Yes me too. Though if you're doing that something like "ENGINE PRIVATE KEY" or "OPENSSL ENGINE PRIVATE KEY" as just "PRIVATE KEY" is associated with PKCS#8. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev