Protecting keys using a TPM

Stef Walter stefw at redhat.com
Fri Mar 8 08:30:26 PST 2013


On 03/08/2013 05:22 PM, Ben Laurie wrote:
> On 8 March 2013 14:33, Stef Walter <stefw at redhat.com> wrote:
>> On 03/08/2013 03:27 PM, David Woodhouse wrote:
>>> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>>>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
>>>
>>> Merging the TPM engine would be good, and then perhaps getting to the
>>> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
>>> 'just work' without the application having to jump through hoops to load
>>> the engine and do special things to handle callbacks. See
>>> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/openssl.c#l339 and weep.
>>>
>>> We also want to get to the point where applications can just use PKCS#11
>>> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
>>> p11-kit integration with OpenSSL? I think all we have at the moment is
>>> the PKCS#11 engine (also not merged), and the p11-kit proxy?
>>
>> This is something I'm really interested in doing. Ben, what's the best
>> way to go about it?
>>
>> Does it make sense to have a robust out of tree PKCS#11 engine +
>> X509_STORE?
> 
> No :-) This then makes it painful for everyone who uses OpenSSL.
> 
>> Or is merging PKCS#11 support something we can pull off in
>> OpenSSL if done right?
> 
> I think we can pull it off in OpenSSL.
> 
>> And if merged, does it need to be without any external dependencies?
> 
> Right now OpenSSL's only dependency (I think!) is Perl (and libc and a
> C compiler). And you can probably get away without Perl if you're a
> developer.
> 
> Adding a new one would be controversial - and would almost certainly
> have to be optional, which would probably mean most ports turned it
> off...

Understood. Will give this some more thought...

Cheers,

Stef
