On Mon, 2016-11-21 at 13:42 +0000, David Woodhouse wrote:
> Right. The TPM engine currently uses -----BEGIN TSS KEY BLOB-----; I
> added that a few years back (it used to just dump the binary blob
> instead). Both the TPM ENGINE and GnuTLS will load those files, as
> noted at http://www.infradead.org/openconnect/tpm.html
>
> The problem is that applications have to jump through special hoops to
> recognise the files and invoke the engine (and there's a special API in
> GnuTLS too). It would be good if the appropriate engine could be
> invoked *automatically*, so the crypto library just does the right
> thing without all the applications even having to *know* about it.
> (Just like GnuTLS will automatically Just Work in many situations when
> presented with a PKCS#11 URI instead of a filename, as OpenSSL also
> should, but doesn't yet.)
Note that for TPM wrapped keys, there was no new API introduced for
gnutls. The intention is to access such keys using a special URI [0].
However, since tpm2.0 is a completely different beast, I no longer
believe in direct TPM support, without a PKCS#11 wrapper.

[0]. https://tools.ietf.org/html/draft-mavrogiannopoulos-tpmuri-01

regards,
Nikos

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
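As an added illustration of the automatic detection discussed above (example code, not from OpenSSL, GnuTLS or the TPM engine): a small Python dispatcher that inspects the PEM label or the URI scheme of a key reference and routes it to the matching loader, refusing anything it does not recognise. The `pkcs11:` scheme is RFC 7512 and `tpmkey:` is the scheme from the draft Nikos cites; the sample inputs are constructed dummies, not real keys.

```python
import re
from enum import Enum
from typing import Optional


class KeyLoader(Enum):
    """Which code path a key reference has to be routed to."""
    PLAIN_PEM = "plain PEM private key, load directly"
    TSS_KEY_BLOB = "TPM 1.2 wrapped key, needs the TPM engine"
    PKCS11 = "RFC 7512 pkcs11: URI, needs a PKCS#11 module"
    TPMKEY = "tpmkey: URI (draft-mavrogiannopoulos-tpmuri)"
    UNKNOWN = "not recognised, refuse rather than guess"


# PEM pre-encapsulation boundary (RFC 7468 section 2): "-----BEGIN <LABEL>-----".
_PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9][A-Z0-9 ]*)-----\r?$", re.M)


def classify_key_reference(ref: str, data: Optional[bytes] = None) -> KeyLoader:
    """Route a key reference (URI, or filename plus file contents) to a loader.

    `ref` is what the application passed in; `data` is the file contents
    when `ref` is a filename (the caller reads the file; None for URIs).
    """
    scheme = ref.split(":", 1)[0].lower()
    if scheme == "pkcs11":
        return KeyLoader.PKCS11
    if scheme == "tpmkey":
        return KeyLoader.TPMKEY
    if data is None:
        return KeyLoader.UNKNOWN
    m = _PEM_BEGIN.search(data)
    if m is None:
        return KeyLoader.UNKNOWN          # raw binary blob: no label to go on
    label = m.group(1).decode("ascii")
    if label == "TSS KEY BLOB":
        return KeyLoader.TSS_KEY_BLOB
    if label.endswith("PRIVATE KEY"):     # "PRIVATE KEY", "RSA PRIVATE KEY", ...
        return KeyLoader.PLAIN_PEM
    return KeyLoader.UNKNOWN


# Constructed sample inputs (dummy bodies, not real key material).
SAMPLE_TSS_BLOB = b"-----BEGIN TSS KEY BLOB-----\nAAAA\n-----END TSS KEY BLOB-----\n"
SAMPLE_PKCS8 = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS11_URI = "pkcs11:token=example;object=vpnkey;type=private"
SAMPLE_TPMKEY_URI = "tpmkey:file=/path/to/key.blob"

if __name__ == "__main__":
    for ref, data in [("key.pem", SAMPLE_TSS_BLOB), ("key.pem", SAMPLE_PKCS8),
                      (SAMPLE_PKCS11_URI, None), (SAMPLE_TPMKEY_URI, None)]:
        print(f"{ref!r:50} -> {classify_key_reference(ref, data).value}")
```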