Hi Ashok,

On Wed, Dec 5, 2012 at 12:29 AM, Ashok C <ash....@gmail.com> wrote:
> Hi,
>
> Our current SSL server loads plain-text private keys using the
> SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to
> use custom encrypted private keys using the TPM concept. For this, we have
> an engine implemented. Now the question is this.
>
> Does my SSL server need to change from loading private keys using the
> SSL_CTX_use_PrivateKey_file() method to use this method -->
> ENGINE_load_private_key(ENGINE *e, const char *key_id,
>                         UI_METHOD *ui_method, void *callback_data)
>
> Or can this be achieved by using the SSL_CTX_use_PrivateKey_file() method
> itself, with OpenSSL taking care of loading my encrypted private key with
> the help of my implemented engine? Basically I wanted to understand if the
> SSL_CTX method for loading private keys has support for loading engine
> specific keys.
Last I knew there were two ways to get your TPM key loaded through an engine.

Directly in your app, using code like:

ENGINE_by_id();
ENGINE_init();
ENGINE_set_default_RSA();
ENGINE_load_private_key();
... (use key ...)

and indirectly by using an openssl-config enabled app, and the RSA_* APIs to
load the key. Basically in this case you have a system openssl config that
you've added something like:

--[cut]--
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
foo = tpm_section

[tpm_section]
dynamic_path = /usr/local/ssl/lib/engines/libtpm.so
engine_id = tpm
default_algorithms = RAND,RSA
init = 1
--[cut]--

then your app needs to be compiled with -DOPENSSL_LOAD_CONF=1, which triggers
hooks in the RSA_* APIs which will read the config file and redirect key
loading to your engine.

Kent

>
> --
>
> Ashok
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org