[PATCH 1/2] Add support for openssl engine based keys

James Bottomley James.Bottomley at HansenPartnership.com
Sat Feb 1 15:32:50 AEDT 2020

On Fri, 2020-01-31 at 10:02 +1100, Damien Miller wrote:
> On Thu, 30 Jan 2020, James Bottomley wrote:
> > Engine keys are keys whose file format is understood by a specific
> > engine rather than by openssl itself.  Since these keys are file
> > based, the pkcs11 interface isn't appropriate for them because they
> > don't actually represent tokens.  The current most useful engine
> > for openssh keys are the TPM engines, which allow all private keys
> > to be stored in a form only the TPM hardware can decode, making
> > them impossible to steal.
> I think this is similar enough to the FIDO key support that we
> recently added to OpenSSH that it would be best to reuse those
> interfaces for these keys. FIDO keys are file based as well - the
> enrollment/generation process returns a "key handle" that we bundle
> up in a private key and that needs to be supplied when signing.
> Have a look at regress/misc/sk-dummy/sk-dummy.c in portable OpenSSH
> for a dummy version of the API that just calls out to libcrypto.

Will do ... the U2F key file is pretty similar to the engine key file.


More information about the openssh-unix-dev mailing list