As you probably already know, a new OpenSSL 3.0 is under development, which will heavily
change the API for integrating external cipher providers, such as a TPM2.
"Engines" will be replaced by "Providers".
To pioneer this change I refactored the tpm2-tss-engine into a Provider, which is now
available as a new project:
It works with the latest OpenSSL master branch (to be openssl-3.0.0-alpha13) only.
The TPM2 Provider retains most functions of the TPM2 Engine (ECC is yet to be implemented)
and preserves the 'TSS2 PRIVATE KEY' file format. In addition to that, the new API
enabled some cool features, such as signatures using a restricted signing key or a direct
usage of handles to persistent keys. A full list of currently available features is in the
project README.md file.
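Because the Provider keeps the 'TSS2 PRIVATE KEY' file format and can also address persistent handles directly, it is useful to see what such a key file actually carries. The following is an added example, not code from the tpm2-openssl project or from this announcement; it assumes the ASN.1 layout that tpm2-tss-engine uses for these files (SEQUENCE of type OID 2.23.133.10.1.3, an optional [0] EXPLICIT BOOLEAN emptyAuth, INTEGER parent, OCTET STRING pubkey, OCTET STRING privkey) and the TPM 2.0 handle-type prefixes (0x40 permanent hierarchy handles, 0x81 persistent objects). The key blobs are constructed placeholders, not real TPM objects.

```python
# Added example: minimal encoder/decoder for the 'TSS2 PRIVATE KEY' PEM wrapper.
# Assumption: the DER layout matches tpm2-tss-engine's TSSPRIVKEY definition
# (type OID, [0] EXPLICIT BOOLEAN emptyAuth OPTIONAL, INTEGER parent,
# OCTET STRING pubkey, OCTET STRING privkey).
import base64
import re

OID_LOADABLE_KEY = "2.23.133.10.1.3"  # loadable-key OID as used by tpm2-tss-engine (assumption)


def _der_len(n: int) -> bytes:
    # Short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))  # base-128, high bit set on all but the last byte
    return _tlv(0x06, bytes(out))


def _der_int(v: int) -> bytes:
    # One extra byte of headroom keeps the encoding positive (leading 0x00 if needed).
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    parts = [str(body[0] // 40), str(body[0] % 40)]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def encode_tss2_key(parent: int, pubkey: bytes, privkey: bytes, empty_auth: bool = True) -> str:
    """Wrap the fields into a 'TSS2 PRIVATE KEY' PEM block."""
    fields = _der_oid(OID_LOADABLE_KEY)
    if empty_auth:
        fields += _tlv(0xA0, _tlv(0x01, b"\xff"))  # [0] EXPLICIT BOOLEAN TRUE
    fields += _der_int(parent) + _tlv(0x04, pubkey) + _tlv(0x04, privkey)
    b64 = base64.b64encode(_tlv(0x30, fields)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN TSS2 PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END TSS2 PRIVATE KEY-----\n"


def parse_tss2_key(pem: str) -> dict:
    """Decode a 'TSS2 PRIVATE KEY' PEM block into its fields."""
    m = re.search(r"-----BEGIN TSS2 PRIVATE KEY-----(.*?)-----END TSS2 PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a TSS2 PRIVATE KEY PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, body, pos = _read_tlv(seq, 0)
    if tag != 0x06 or _decode_oid(body) != OID_LOADABLE_KEY:
        raise ValueError("unexpected key type OID")
    empty_auth = False
    tag, body, nxt = _read_tlv(seq, pos)
    if tag == 0xA0:  # optional emptyAuth present
        _, flag, _ = _read_tlv(body, 0)
        empty_auth, pos = flag != b"\x00", nxt
    tag, body, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER parent")
    parent = int.from_bytes(body, "big")
    _, pubkey, pos = _read_tlv(seq, pos)
    _, privkey, _ = _read_tlv(seq, pos)
    return {"type": OID_LOADABLE_KEY, "empty_auth": empty_auth,
            "parent": parent, "pubkey": pubkey, "privkey": privkey}


def parent_kind(handle: int) -> str:
    """Classify the parent handle by its TPM 2.0 handle-type prefix (assumed ranges)."""
    prefix = handle >> 24
    if prefix == 0x81:
        return "persistent"
    if prefix == 0x40:
        return "permanent/hierarchy"
    return "other"


if __name__ == "__main__":
    # Constructed sample: parent is a persistent handle, blobs are placeholders.
    pem = encode_tss2_key(0x81000001, b"pub-blob-constructed", b"priv-blob-constructed")
    print(pem)
    info = parse_tss2_key(pem)
    print(hex(info["parent"]), parent_kind(info["parent"]), info["empty_auth"])
```

The parent field is the part worth checking when a key file is moved between machines: a permanent handle such as 0x40000001 means the parent is derived from the owner hierarchy on the fly, whereas a persistent 0x81xxxxxx parent must already be present in the TPM that loads the key.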
Are there any other TPM2 features that should be available via OpenSSL 3.0?
Right now OpenSSL 3.0 is in an "alpha" phase, which allows API changes. This
is an ongoing opportunity for us to make sure the OpenSSL API has all the functions the
TPM2 needs, because the integration is not always straightforward. Once a "beta"
phase is reached only bug fixes will be allowed and new features or breaking changes will
have to wait. Thus, we should integrate and test as much as we can before the OpenSSL
Please review the README.md and/or test the Provider (project tpm2-openssl) and create a
new GitHub Issue if you are missing something or if something does not work as expected.
Of course, other feedback is welcome too.