Protecting keys using a TPM
Ben Laurie
benl at google.com
Fri Mar 8 08:22:57 PST 2013
On 8 March 2013 14:33, Stef Walter <stefw at redhat.com> wrote:
> On 03/08/2013 03:27 PM, David Woodhouse wrote:
>> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
>>
>> Merging the TPM engine would be good, and then perhaps getting to the
>> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
>> 'just work' without the application having to jump through hoops to load
>> the engine and do special things to handle callbacks. See
>> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/openssl.c#l339 and weep.
>>
>> We also want to get to the point where applications can just use PKCS#11
>> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
>> p11-kit integration with OpenSSL? I think all we have at the moment is
>> the PKCS#11 engine (also not merged), and the p11-kit proxy?
>
> This is something I'm really interested in doing. Ben, what's the best
> way to go about it?
>
> Does it make sense to have a robust out of tree PKCS#11 engine +
> X509_STORE?
No :-) This then makes it painful for everyone who uses OpenSSL.
> Or is merging PKCS#11 support something we can pull off in
> OpenSSL if done right?
I think we can pull it off in OpenSSL.
> And if merged, does it need to be without any external dependencies?
Right now OpenSSL's only dependency (I think!) is Perl (and libc and a
C compiler). And you can probably get away without Perl if you're a
developer.
Adding a new one would be controversial - and would almost certainly
have to be optional, which would probably mean most ports turned it
off...
More information about the p11-glue
mailing list