Protecting keys using a TPM

David Woodhouse dwmw2 at
Fri Mar 8 06:27:46 PST 2013

On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
> BTW, I am happy to contemplate changes to OpenSSL if they would help.

Merging the TPM engine would be good, and then perhaps getting to the
point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
'just work' without the application having to jump through hoops to load
the engine and do special things to handle callbacks. See and weep.

We also want to get to the point where applications can just use PKCS#11
objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
p11-kit integration with OpenSSL? I think all we have at the moment is
the PKCS#11 engine (also not merged), and the p11-kit proxy?

We really want to make all these things first-class citizens. As I said,
almost every line in my openssl.c that isn't just passing command-line
parameters straight through to the crypto library, I hate you for :)

Especially match_cert_hostname(). I should *never* have had to write
that for myself.
