James.Bottomley> Yes, that's right. When any SSL program sees a TPM wrapped key, it
James.Bottomley> should just do the right thing if it has the engine capability without
James.Bottomley> needing the user to add any options to the command line.

Mm... I'm not sure I agree with the method, passing a BIO for the key_id.

I’m sure I rather disagree, and rather strongly.

I would much rather have seen a patch where OpenSSL's PEM module is taught to recognise 'BEGIN TSS KEY BLOB', pull out the blob from it, securing it somehow (since key_id is expected to be NUL terminated) and pass that to the engine.

I would much rather use PEM only to contain keys/certs instead of “pointing” at them in some weird way.

My vote goes to a URI based spec rather than bastardising PEM files.

+10^101. ☺

I understand this kinda throws years of development out the window, but there you have it.

“It’s never too late to turn back on a wrong road”

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev