On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote:
On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> > Here's a quick hack to make it work by abusing the OpenSC engine
> > config, as a proof of concept. Making it work cleanly so that it
> > can be merged is left as an exercise for the reader, or perhaps an
> > interested party in one of the mailing lists I've added to Cc.
Well, you can't have the engine name hard coded ... that really needs
to be some type of parameter, which is going to be 99% of the hassle
making a proper patch ...
And of course, it shouldn't have to be specified at all. If given a PEM
file which happens to look like a TPM2 engine key, then the appropriate
engine should be invoked automatically.
Just on this particular part: I recently got annoyed with the
to use TPM keys on Firefox. I did look at the TPM PKCS#11 projects but
they all looked deficient to say the least, so I put together this
It's a generic engine key to PKCS#11 exporter (will work for any OpenSSL
engine) driven by a simple ini-like config file. The big advantage it
has is that now I can use OpenSSL engines with GnuTLS.
Nice. I like the fact that it interoperates with the key storage format
we agreed upon for the ENGINEs.
Although if you just wanted to use those keys with GnuTLS, you could
have done that directly. I already ported it all except the new
"importable" keys support.
Going the PKCS#11 route is definitely the Heath Robinson approach, so
the direct engine route is definitely much better.
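As an added illustration, not code from this thread or from either ENGINE project: the auto-detection discussed above (a PEM file that happens to look like a TPM2 engine key should select the engine by itself, with no engine name passed as a parameter) comes down to sniffing the PEM label before handing the file to a loader. The sketch below does that in Python. The label "TSS2 PRIVATE KEY", the engine id "tpm2" and the ENGINE_FOR_LABEL table are assumptions; the sample PEM bodies are constructed filler bytes, not real keys. It also refuses blocks whose BEGIN/END labels disagree or whose body is not valid base64, since a loader that guesses on malformed input is how the wrong engine ends up being invoked.

```python
"""
Sniff a PEM file and decide which OpenSSL ENGINE (if any) should load it.

Added example for the thread above; not code from the thread or from
either ENGINE project. Assumptions: the TPM2 engine key PEM label is
"TSS2 PRIVATE KEY" and the engine id is "tpm2"; ENGINE_FOR_LABEL is an
illustrative table, not a real project's API.
"""
import base64
import binascii
import re
from typing import List, NamedTuple, Optional


class PemBlock(NamedTuple):
    label: str
    der: bytes


# Assumption: PEM label -> engine id. Labels not listed here are ordinary
# keys that OpenSSL's default PEM loader handles without any engine.
ENGINE_FOR_LABEL = {
    "TSS2 PRIVATE KEY": "tpm2",   # assumed label used by the TPM2 engine
}

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def parse_pem(text: str) -> List[PemBlock]:
    """Return every well-formed PEM block in text, in order.

    Raises ValueError when BEGIN/END labels differ or the body is not
    valid base64, rather than letting a later loader guess.
    """
    blocks = []
    for begin, body, end in _PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"PEM label mismatch: BEGIN {begin} / END {end}")
        # Drop optional RFC 1421 header lines (e.g. "Proc-Type: ...").
        lines = [ln.strip() for ln in body.splitlines()]
        data_lines = [ln for ln in lines if ln and ":" not in ln]
        try:
            der = base64.b64decode("".join(data_lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in {begin} block: {exc}") from exc
        blocks.append(PemBlock(begin, der))
    return blocks


def is_well_formed(text: str) -> bool:
    """True when parse_pem accepts the file, False on any structural error."""
    try:
        parse_pem(text)
        return True
    except ValueError:
        return False


def select_engine(text: str) -> Optional[str]:
    """Pick the engine for the first private-key block in a PEM file.

    Returns None when no engine is needed (plain software key), so the
    caller falls back to the normal PEM loader. Leading non-key blocks
    such as certificates are skipped.
    """
    for blk in parse_pem(text):
        if blk.label in ENGINE_FOR_LABEL:
            return ENGINE_FOR_LABEL[blk.label]
        if blk.label.endswith("PRIVATE KEY"):
            return None
    raise ValueError("no private key block found")


# Constructed sample inputs: bodies are base64 of arbitrary bytes, not real
# keys; only the labels matter to the dispatch logic.
def _pem(label: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


_FILLER = b"\x30\x82" + bytes(40)
SOFTWARE_KEY = _pem("PRIVATE KEY", _FILLER)
TPM2_KEY = _pem("TSS2 PRIVATE KEY", _FILLER)
CERT_THEN_TPM2_KEY = _pem("CERTIFICATE", bytes(16)) + TPM2_KEY
MISMATCHED = "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in [("software key", SOFTWARE_KEY), ("tpm2 key", TPM2_KEY),
                      ("cert + tpm2 key", CERT_THEN_TPM2_KEY)]:
        print(f"{name:16} -> engine {select_engine(pem)}")
    print(f"mismatched labels -> well-formed: {is_well_formed(MISMATCHED)}")
```

The same label check is what a PEM loader inside OpenSSL itself would have to do before it can pick an engine without being told its name; the table would then come from configuration rather than being hard-coded here.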