Protecting keys using a TPM

Ben Laurie benl at
Fri Mar 8 09:52:23 PST 2013

On 8 March 2013 16:30, Stef Walter <stefw at> wrote:
> On 03/08/2013 05:22 PM, Ben Laurie wrote:
>> On 8 March 2013 14:33, Stef Walter <stefw at> wrote:
>>> On 03/08/2013 03:27 PM, David Woodhouse wrote:
>>>> On Fri, 2013-03-08 at 14:11 +0000, Ben Laurie wrote:
>>>>> BTW, I am happy to contemplate changes to OpenSSL if they would help.
>>>> Merging the TPM engine would be good, and then perhaps getting to the
>>>> point where these "-----BEGIN TSS ENCRYPTED BLOB-----" PEM files will
>>>> 'just work' without the application having to jump through hoops to load
>>>> the engine and do special things to handle callbacks. See
>>>> and weep.
>>>> We also want to get to the point where applications can just use PKCS#11
>>>> objects by passing a PKCS#11 URL, as they can with GnuTLS. Do we have
>>>> p11-kit integration with OpenSSL? I think all we have at the moment is
>>>> the PKCS#11 engine (also not merged), and the p11-kit proxy?
>>> This is something I'm really interested in doing. Ben, what's the best
>>> way to go about it?
>>> Does it make sense to have a robust out of tree PKCS#11 engine +
>>> X509_STORE?
>> No :-) This then makes it painful for everyone who uses OpenSSL.
>>> Or is merging PKCS#11 support something we can pull off in
>>> OpenSSL if done right?
>> I think we can pull it off in OpenSSL.
>>> And if merged, does it need to be without any external dependencies?
>> Right now OpenSSL's only dependency (I think!) is Perl (and libc and a
>> C compiler). And you can probably get away without Perl if you're a
>> developer.
>> Adding a new one would be controversial - and would almost certainly
>> have to be optional, which would probably mean most ports turned it
>> off...
> Understood. Will give this some more thought...

OTOH, it might be unavoidable. I don't think it'd be that problematic
if optional - and we can think again if optionality proves to be a

> Cheers,
> Stef

More information about the p11-glue mailing list