Protecting keys using a TPM

Ben Laurie benl at
Fri Mar 8 08:20:24 PST 2013

On 8 March 2013 14:27, David Woodhouse <dwmw2 at> wrote:
> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
> Merging the TPM engine would be good, and then perhaps getting to the
> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
> 'just work' without the application having to jump through hoops to load
> the engine and do special things to handle callbacks. See
> and weep.
> We also want to get to the point where applications can just use PKCS#11
> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
> p11-kit integration with OpenSSL? I think all we have at the moment is
> the PKCS#11 engine (also not merged), and the p11-kit proxy?

I believe you are correct.

> We really want to make all these things first-class citizens. As I said,
> almost every line in my openssl.c that isn't just passing command-line
> parameters straight through to the crypto library, I hate you for :)

I think you should hate Eric Young. I just try to fix his bugs :-)

> Especially match_cert_hostname(). I should *never* have had to write
> that for myself.

I'm told the latest versions have that (at last). Haven't checked it myself yet.

More information about the p11-glue mailing list