[PATCH 1/2] Add support for openssl engine based keys

Jakub Jelen jjelen at redhat.com
Sat Feb 1 04:43:21 AEDT 2020


On Thu, 2020-01-30 at 16:24 +0100, James Bottomley wrote:
> Engine keys are keys whose file format is understood by a specific
> engine rather than by openssl itself.  Since these keys are file
> based, the pkcs11 interface isn't appropriate for them because they
> don't actually represent tokens.

There is already a tpm2-pkcs11 module which addresses the same use case
in a standard way for TPM2:

https://github.com/tpm2-software/tpm2-pkcs11

I do not think all the applications that want support for TPM2/engines
should need to implement support for engines, especially when the
engines are to be replaced by a new provider interface in future
OpenSSL releases:

https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.



More information about the openssh-unix-dev mailing list