Protecting keys using a TPM
stefw at redhat.com
Fri Mar 8 06:33:56 PST 2013
On 03/08/2013 03:27 PM, David Woodhouse wrote:
> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
> Merging the TPM engine would be good, and then perhaps getting to the
> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
> 'just work' without the application having to jump through hoops to load
> the engine and do special things to handle callbacks. See
> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/openssl.c#l339 and weep.
> We also want to get to the point where applications can just use PKCS#11
> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
> p11-kit integration with OpenSSL? I think all we have at the moment is
> the PKCS#11 engine (also not merged), and the p11-kit proxy?
This is something I'm really interested in doing. Ben, what's the best
way to go about it?
Does it make sense to have a robust out of tree PKCS#11 engine +
X509_STORE? Or is merging PKCS#11 support something we can pull off in
OpenSSL if done right?
And if merged, does it need to be without any external dependencies?
More information about the p11-glue