I am currently exploring the ENGINE capabilities. The examples are quite clear about how to link OpenSSL with methods that are available in a hardware module:
- implement RSA_METHOD in MyEngine, e.g. rsaSign() which calls rsaSign_HW()
- ENGINE_register_RSA(MyEngine)
--> OpenSSL will then automatically call that method when rsa signing is required.
 
So far, so good.
 
The gap in my understanding is how to access the private key. Assuming that my hardware module contains a list of private keys, which cannot and shall not be exported, they will be referenced by some opaque reference or id, e.g. "KEY_1"
 
rsaSign_HW(dataToSign,"KEY_1")
 
Now I need some way to configure SSL_CTX with "KEY_1" instead of the "real" key.
I'm thinking of some pseudo-code in the way:
 
SSL_CTX_use_certificate(ctx, cert)  // certificate from PEM file as usual
SSL_CTX_use_PrivateKeyReferenceForEngine(ctx, "KEY_1") 
 
Also there is an engine interface that looks promising, as it takes some arbitrary keyId as parameter...
 
privKey = ENGINE_load_private_key(MyEngine, "KEY_1")
 
... but as far as I understand, it returns the "real" key, which is not exportable.

Am I completely on the wrong track? What is the recommended technique?
Thanks for any suggestion
 
Fabrizio
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
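Added note and example, not part of Fabrizio's message: the EVP_PKEY that ENGINE_load_private_key() returns does not have to carry key material. A hardware-backed engine's load_privkey callback builds an RSA object bound to the engine's own RSA_METHOD and keeps the opaque reference ("KEY_1") in the object's ex_data (RSA_set_ex_data/RSA_get_ex_data); SSL_CTX_use_PrivateKey() accepts that object, and when TLS needs a signature the engine's rsa_sign callback reads the reference back and forwards the operation to the hardware by id. The program below models that arrangement without linking OpenSSL so it compiles stand-alone: the slot table, the keyed-hash "signature" and all names (hw_sign, engine_load_private_key, ssl_ctx_sign, the secrets) are constructed for illustration and are not OpenSSL's API, and the hash is a stand-in for rsaSign_HW(), not RSA.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- "Hardware module" side: key material never leaves these two functions ---- */

/* Constructed key slots; the secrets are assumed placeholders, not real key material. */
typedef struct { const char *id; uint64_t secret; } hw_slot;
static const hw_slot HW_SLOTS[] = {
    { "KEY_1", 0x0123456789abcdefULL },
    { "KEY_2", 0xfedcba9876543210ULL },
};

static int hw_find_slot(const char *key_id) {
    for (size_t i = 0; i < sizeof HW_SLOTS / sizeof HW_SLOTS[0]; i++)
        if (strcmp(HW_SLOTS[i].id, key_id) == 0) return (int)i;
    return -1;
}

/* Stand-in for rsaSign_HW(dataToSign, "KEY_1"): a keyed FNV-1a hash, NOT RSA. */
static int hw_sign(const char *key_id, const unsigned char *data, size_t len, uint64_t *sig) {
    int slot = hw_find_slot(key_id);
    if (slot < 0) return 0;                       /* unknown reference: refuse */
    uint64_t h = 0xcbf29ce484222325ULL ^ HW_SLOTS[slot].secret;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
    *sig = h;
    return 1;
}

/* ---- Engine side: models RSA_METHOD plus the object ENGINE_load_private_key returns ---- */

#define KEY_REF_MAX 32
typedef struct rsa_key rsa_key;
typedef struct {
    int (*sign)(const rsa_key *key, const unsigned char *data, size_t len, uint64_t *sig);
    int (*export_private)(const rsa_key *key, uint64_t *out);
} rsa_method;

/* The "private key" object holds only the method table and the opaque reference
   (in OpenSSL this reference would sit in the RSA object's ex_data). */
struct rsa_key {
    const rsa_method *meth;
    char key_ref[KEY_REF_MAX];
};

static int engine_rsa_sign(const rsa_key *key, const unsigned char *data, size_t len, uint64_t *sig) {
    return hw_sign(key->key_ref, data, len, sig);   /* hardware does the work, selected by id */
}
static int engine_rsa_export_private(const rsa_key *key, uint64_t *out) {
    (void)key; (void)out;
    return 0;   /* nothing to export: the handle never held key material */
}
static const rsa_method ENGINE_RSA_METHOD = { engine_rsa_sign, engine_rsa_export_private };

/* Models ENGINE_load_private_key(MyEngine, "KEY_1"): returns a handle, not the key. */
rsa_key *engine_load_private_key(const char *key_ref) {
    if (hw_find_slot(key_ref) < 0 || strlen(key_ref) >= KEY_REF_MAX) return NULL;
    rsa_key *key = calloc(1, sizeof *key);
    if (!key) return NULL;
    key->meth = &ENGINE_RSA_METHOD;
    strcpy(key->key_ref, key_ref);
    return key;
}

/* ---- Application / SSL_CTX side: only ever sees the handle ---- */

typedef struct { const rsa_key *pkey; } ssl_ctx;

/* Models SSL_CTX_use_PrivateKey(ctx, pkey) accepting the engine-backed object. */
int ssl_ctx_use_private_key(ssl_ctx *ctx, const rsa_key *key) {
    if (!ctx || !key || !key->meth) return 0;
    ctx->pkey = key;
    return 1;
}

/* Where TLS would sign the handshake: dispatches through the key's method table. */
int ssl_ctx_sign(const ssl_ctx *ctx, const unsigned char *data, size_t len, uint64_t *sig) {
    if (!ctx || !ctx->pkey) return 0;
    return ctx->pkey->meth->sign(ctx->pkey, data, len, sig);
}

int main(void) {
    rsa_key *key = engine_load_private_key("KEY_1");
    ssl_ctx ctx = { 0 };
    uint64_t sig = 0, leaked = 0;
    if (!key || !ssl_ctx_use_private_key(&ctx, key)) return 1;
    ssl_ctx_sign(&ctx, (const unsigned char *)"hello", 5, &sig);
    printf("signature via KEY_1 handle: %016llx\n", (unsigned long long)sig);
    printf("export attempt returned %d\n", key->meth->export_private(key, &leaked));
    free(key);
    return 0;
}
```

The point to carry over to a real engine: the application configures the context with the handle exactly as it would with a PEM-loaded key, the only place "KEY_1" is resolved to secret material is inside the hardware, and any code path that tries to read the private component out of the object gets a refusal rather than the key.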
