Protecting keys using a TPM
dwmw2 at infradead.org
Fri Mar 8 06:27:46 PST 2013
On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
> BTW, I am happy to contemplate changes to OpenSSL if they would help.
Merging the TPM engine would be good, and then perhaps getting to the
point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
'just work' without the application having to jump through hoops to load
the engine and do special things to handle callbacks. See
http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/openssl.c#l339 and weep.
We also want to get to the point where applications can just use PKCS#11
objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
p11-kit integration with OpenSSL? I think all we have at the moment is
the PKCS#11 engine (also not merged), and the p11-kit proxy?
We really want to make all these things first-class citizens. As I said,
almost every line in my openssl.c that isn't just passing command-line
parameters straight through to the crypto library, I hate you for :)
Especially match_cert_hostname(). I should *never* have had to write
that for myself.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6171 bytes
Desc: not available
More information about the p11-glue