On Wed, Nov 16, 2016, James Bottomley wrote:
> The assumption in all the current engine code is that key_id can be
> passed as something like a file name.
Well no it's a null terminated string whose meaning is engine specific. In
some cases it is a key ID, in others it is a more complex string.

Thank you! I think I understand. (Sounds like an ugly and hardly necessary
complication to me – not to mention that there might not be a filesystem to
keep those around, but…)
—
Regards,
Uri

On 11/16/16, 5:06 PM, "openssl-dev on behalf of Dr. Stephen Henson"
On Wed, Nov 16, 2016, Richard Levitte wrote:
> If I understand correctly, the intention is to avoid having to use
> ENGINE_load_private_key() directly or having to say '-keyform ENGINE'
> to the openssl commands, and to avoid having to remember some cryptic
> key identity to give with '-key'.
It is a heck of a lot easier for everyone if you make pull requests and not
just mail big patches. Can you do that?

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

If I understand correctly, the intention is to avoid having to use
ENGINE_load_private_key() directly or having to say '-keyform ENGINE'
to the openssl commands, and to avoid having to remember some cryptic
key identity to give with '-key'. Instead of all that, just give the
name of a .pem file

My apologies – I don’t fully understand “file based engine keys”. I thought the
keys were either on a hardware device (a TPM, a PKCS#11-accessible HSM or
smartcard, etc), or in a file. If a key is in a file – it’s not an “engine key”.
What am I missing, and what’s your use case(s)?
—
Regards,

Before trying to process the PEM file, hand it to each of the
loaded engines to see if they can load it. This uses the new
bio based callback, so the engine must be loaded and implement this
callback to be considered.
Signed-off-by: James Bottomley
---
[David Woodhouse told me that openssl-dev is a closed list, so the
original messages got trashed. This is a resend with apologies to
David and Peter]

One of the principal problems of using TPM based keys is that there's
no easy way of integrating them with standard file based keys. This

The assumption in all the current engine code is that key_id can be
passed as something like a file name. There are some new users that
actually want to pass a BIO, so add a new load_key method for engines
that takes a flag value. The first defined flag is
ENGINE_LOAD_KEY_FLAG_BIO which means

Permits this engine to be used as part of the openssl pem
routines for loading TPM based keys. To use this, the
tpm engine must be preloaded via the openssl.cnf file
Signed-off-by: James Bottomley

diff --git a/e_tpm.c b/e_tpm.c
index 3e20f8e..9cb1d6c 100644
---
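As an added illustration (not code from this thread, from OpenSSL or from the TPM engine), here is a small Python model of the dispatch the patch description proposes: engines that have opted in via the BIO flag get first refusal on the key file, and the generic PEM parser runs only if none of them claims it. The name ENGINE_LOAD_KEY_FLAG_BIO comes from the patch description; its numeric value, the "TSS KEY BLOB" PEM label, the engine callbacks and the sample PEM data are constructed assumptions for this model and do not reflect OpenSSL's real engine API.

```python
"""Model of engine-first key loading: each loaded engine that advertises
BIO support is offered the stream before the generic PEM routine runs.
Python model only; not OpenSSL's engine API."""
import base64
import io
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

log = logging.getLogger("keyload")

# Flag name is the one from the patch description; the value is an assumption.
ENGINE_LOAD_KEY_FLAG_BIO = 0x1

KeyLoader = Callable[[io.BytesIO], Optional[Dict[str, object]]]


@dataclass
class Engine:
    """A loaded engine: its name, capability flags and BIO-based load callback."""
    name: str
    flags: int = 0
    load_key_bio: Optional[KeyLoader] = None


def peek_pem_label(bio: io.BytesIO) -> Optional[str]:
    """Return the PEM BEGIN label of the next block without consuming the stream."""
    pos = bio.tell()
    try:
        line = bio.readline().strip()
    finally:
        bio.seek(pos)
    if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
        return line[len(b"-----BEGIN "):-5].decode("ascii", "replace")
    return None


def read_pem_body(bio: io.BytesIO, label: str) -> bytes:
    """Consume one PEM block with the given label and return its decoded body."""
    begin = f"-----BEGIN {label}-----".encode()
    end = f"-----END {label}-----".encode()
    lines = [l.strip() for l in bio.read().splitlines() if l.strip()]
    if not lines or lines[0] != begin or end not in lines:
        raise ValueError("malformed PEM block")
    return base64.b64decode(b"".join(lines[1:lines.index(end)]), validate=True)


def tpm_load_key_bio(bio: io.BytesIO) -> Optional[Dict[str, object]]:
    """Constructed TPM engine callback: claims only its own (assumed) PEM label."""
    if peek_pem_label(bio) != "TSS KEY BLOB":
        return None  # decline: leave the stream alone for the next consumer
    blob = read_pem_body(bio, "TSS KEY BLOB")
    return {"backend": "tpm", "label": "TSS KEY BLOB", "size": len(blob)}


SOFTWARE_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def pem_load_private_key(bio: io.BytesIO) -> Dict[str, object]:
    """Generic file-based loader, reached only when no engine claimed the key."""
    label = peek_pem_label(bio)
    if label not in SOFTWARE_LABELS:
        raise ValueError(f"no loader for PEM label {label!r}")
    body = read_pem_body(bio, label)
    return {"backend": "pem", "label": label, "size": len(body)}


def load_private_key(engines: List[Engine], bio: io.BytesIO) -> Dict[str, object]:
    """Offer the stream to every BIO-capable engine, then fall back to PEM.

    The stream is rewound after each attempt so a declining or faulty engine
    cannot leave it half-consumed; an engine that raises is treated as a
    decline rather than taking the caller down."""
    start = bio.tell()
    for eng in engines:
        if not (eng.flags & ENGINE_LOAD_KEY_FLAG_BIO) or eng.load_key_bio is None:
            continue  # loaded, but has not opted in to BIO-based loading
        try:
            key = eng.load_key_bio(bio)
        except Exception as exc:
            log.warning("engine %s rejected input: %s", eng.name, exc)
            key = None
        bio.seek(start)
        if key is not None:
            return key
    return pem_load_private_key(bio)


def make_pem(label: str, payload: bytes) -> bytes:
    """Build a PEM block around a constructed payload (sample data only)."""
    b64 = base64.encodebytes(payload).replace(b"\n", b"")
    wrapped = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label.encode(), wrapped, label.encode())


# Constructed sample inputs: neither payload is a real key or TPM blob.
TPM_KEY_PEM = make_pem("TSS KEY BLOB", b"\x00\x01constructed-tpm-blob" * 4)
SOFT_KEY_PEM = make_pem("PRIVATE KEY", b"\x30\x82constructed-pkcs8-der" * 4)
GARBAGE = b"this is not a key file\n"

TPM_ENGINE = Engine("tpm", ENGINE_LOAD_KEY_FLAG_BIO, tpm_load_key_bio)
# Same parser but without the BIO flag: the dispatcher must skip it.
LEGACY_ENGINE = Engine("legacy", 0, tpm_load_key_bio)

if __name__ == "__main__":
    print(load_private_key([TPM_ENGINE], io.BytesIO(TPM_KEY_PEM)))
    print(load_private_key([TPM_ENGINE], io.BytesIO(SOFT_KEY_PEM)))
```

Two points of the design matter for safety: the stream is rewound after every engine attempt, so one engine's parser cannot corrupt the input that the next consumer (another engine or the generic PEM routine) sees, and an engine is consulted only if it has explicitly set the BIO flag, which keeps a plain key file from being pushed through the parser of every engine that happens to be preloaded from openssl.cnf.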