Protecting keys using a TPM
Ben Laurie
benl at google.com
Fri Mar 8 08:20:24 PST 2013
On 8 March 2013 14:27, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
>
> Merging the TPM engine would be good, and then perhaps getting to the
> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
> 'just work' without the application having to jump through hoops to load
> the engine and do special things to handle callbacks. See
> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/openssl.c#l339 and weep.
>
> We also want to get to the point where applications can just use PKCS#11
> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
> p11-kit integration with OpenSSL? I think all we have at the moment is
> the PKCS#11 engine (also not merged), and the p11-kit proxy?
I believe you are correct.
> We really want to make all these things first-class citizens. As I said,
> almost every line in my openssl.c that isn't just passing command-line
> parameters straight through to the crypto library, I hate you for :)
I think you should hate Eric Young. I just try to fix his bugs :-)
> Especially match_cert_hostname(). I should *never* have had to write
> that for myself.
I'm told the latest versions have that (at last). Haven't checked it myself yet.
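The wish above that applications could "just use PKCS#11 objects by passing a PKCS#11 URL" only works if every consumer parses the same URI grammar. The following is an added example, not code from this thread, from p11-kit, GnuTLS or OpenSSL: a minimal C parser for the pkcs11: URI scheme as later standardised in RFC 7512 (at the time of this message it was still an Internet-Draft). All names in it (p11_uri, p11_attr, p11_uri_parse, p11_uri_value_is) are invented here, the attribute and value size limits are arbitrary, and the sample URIs are constructed.

```c
#include <ctype.h>
#include <string.h>

/* Minimal parser for RFC 7512 "pkcs11:" URIs. Added illustration only: not code
 * from p11-kit, GnuTLS or OpenSSL, and every name below is invented here. */

enum { P11_MAX_ATTRS = 16, P11_NAME_MAX = 32, P11_VALUE_MAX = 128 };
struct p11_attr {
    char name[P11_NAME_MAX];            /* token, object, type, id, pin-value, ... */
    unsigned char value[P11_VALUE_MAX]; /* percent-decoded, NUL-terminated; "id" may be binary */
    size_t vlen;
};
struct p11_uri { struct p11_attr attrs[P11_MAX_ATTRS]; size_t n; };

static int hexval(int c)
{
    static const char digits[] = "0123456789abcdef";
    const char *p = c ? strchr(digits, tolower(c)) : NULL;
    return p ? (int)(p - digits) : -1;
}

/* Percent-decode src[0..len) into dst: returns the decoded length, or -1 on a
 * truncated or non-hex escape, an unescaped control/non-ASCII byte, or overflow. */
static int pct_decode(const char *src, size_t len, unsigned char *dst, size_t cap)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = i + 2 < len ? hexval((unsigned char)src[i + 1]) : -1;
            int lo = i + 2 < len ? hexval((unsigned char)src[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = (hi << 4) | lo;
            i += 2;
        } else if (c <= 0x20 || c >= 0x7f) return -1; /* must be percent-escaped */
        if (n + 1 >= cap) return -1;
        dst[n++] = (unsigned char)c;
    }
    dst[n] = 0;
    return (int)n;
}

/* Append the name=value attributes of s[0..len), separated by sep, to u. A missing
 * '=', an empty name, or a name already seen is rejected (each attribute at most once). */
static int parse_attrs(struct p11_uri *u, const char *s, size_t len, char sep)
{
    size_t start = 0, k;
    if (len == 0) return 0;                     /* bare "pkcs11:" matches every object */
    for (;;) {
        const char *comp = s + start;
        const char *end = memchr(comp, sep, len - start);
        size_t clen = end ? (size_t)(end - comp) : len - start;
        const char *eq = memchr(comp, '=', clen);
        size_t nlen = eq ? (size_t)(eq - comp) : 0;
        struct p11_attr *a;
        int vlen;
        if (nlen == 0 || nlen >= P11_NAME_MAX || u->n >= P11_MAX_ATTRS) return -1;
        a = &u->attrs[u->n];
        memcpy(a->name, comp, nlen);
        a->name[nlen] = 0;
        for (k = 0; k < u->n; k++)
            if (strcmp(u->attrs[k].name, a->name) == 0) return -1;
        if ((vlen = pct_decode(eq + 1, clen - nlen - 1, a->value, P11_VALUE_MAX)) < 0) return -1;
        a->vlen = (size_t)vlen;
        u->n++;
        if (!end) return 0;
        start += clen + 1;
    }
}

/* Parse uri into out: 0 on success, -1 if malformed. Path attributes (token=, object=,
 * type=, id=) come before '?' separated by ';'; query attributes (pin-value=, ...) by '&'. */
int p11_uri_parse(const char *uri, struct p11_uri *out)
{
    static const char scheme[] = "pkcs11:";
    const char *body, *q;
    size_t i;
    memset(out, 0, sizeof *out);
    for (i = 0; i < sizeof scheme - 1; i++)     /* the scheme name is case-insensitive */
        if (tolower((unsigned char)uri[i]) != scheme[i]) return -1;
    body = uri + (sizeof scheme - 1);
    q = strchr(body, '?');
    if (parse_attrs(out, body, q ? (size_t)(q - body) : strlen(body), ';') < 0) return -1;
    return (q && parse_attrs(out, q + 1, strlen(q + 1), '&') < 0) ? -1 : 0;
}

/* 1 if uri carries name with exactly the given bytes, 0 if absent or different,
 * -1 if uri is malformed. Bytewise, so a binary id (id=%01%02) compares correctly. */
int p11_uri_value_is(const char *uri, const char *name, const void *expect, size_t elen)
{
    struct p11_uri u;
    size_t i;
    if (p11_uri_parse(uri, &u) < 0) return -1;
    for (i = 0; i < u.n; i++)
        if (strcmp(u.attrs[i].name, name) == 0)
            return u.attrs[i].vlen == elen && memcmp(u.attrs[i].value, expect, elen) == 0;
    return 0;
}
```

Two practical points the parser makes visible: the object id is arbitrary bytes and must be kept with its length rather than treated as a C string, and a pin-value carried in the URI ends up wherever the URI does (command lines, shell history, config files), so a pin-source reference or an interactive prompt is the better choice for anything other than throwaway testing.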