>>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>>> "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt
>>
>> The current implementation of engine_pkcs11 seems to work with private
>> keys and certificates only. I've added a fix in engine_pkcs11, but it
>> seems that public key types were never tested for PKCS#11 URLs.
>
>Yes, mea culpa. I added the basic PKCS#11 URI parsing, and failed to
>test it with public keys.

Could you please point me at the code that needs fixing? I’m trying to accomplish two goals:
- make all (most of?) the openssl commands work with “pkcs11:…” URL;
- make openssl (through engine_pkcs11) stop prompting for the PIN to access public keys.

>I still suspect we should be using p11kit and not reimplementing the
>PKCS#11 URI parsing for ourselves. But really I want the whole engine
>to die and PKCS#11 to be supported as a first-class citizen within
>OpenSSL in crypto/p11/...

In the ideal world - yes. As it is though, I think we'd better get engine_pkcs11 fixed. ;)
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev