Protecting keys using a TPM

Ben Laurie benl at
Fri Mar 8 08:22:57 PST 2013

On 8 March 2013 14:33, Stef Walter <stefw at> wrote:
> On 03/08/2013 03:27 PM, David Woodhouse wrote:
>> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
>> Merging the TPM engine would be good, and then perhaps getting to the
>> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
>> 'just work' without the application having to jump through hoops to load
>> the engine and do special things to handle callbacks. See
>> and weep.
>> We also want to get to the point where applications can just use PKCS#11
>> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
>> p11-kit integration with OpenSSL? I think all we have at the moment is
>> the PKCS#11 engine (also not merged), and the p11-kit proxy?
> This is something I'm really interested in doing. Ben, what's the best
> way to go about it?
> Does it make sense to have a robust out of tree PKCS#11 engine +
> X509_STORE?

No :-) This then makes it painful for everyone who uses OpenSSL.

> Or is merging PKCS#11 support something we can pull off in
> OpenSSL if done right?

I think we can pull it off in OpenSSL.

> And if merged, does it need to be without any external dependencies?

Right now OpenSSL's only dependency (I think!) is Perl (and libc and a
C compiler). And you can probably get away without Perl if you're a

Adding a new one would be controversial - and would almost certainly
have to be optional, which would probably mean most ports turned it

More information about the p11-glue mailing list