On Fri, 2017-02-03 at 02:31 +0100, Antony Vennard wrote: > sign-file documentation on kernel.org advertises the fact that > sign-file can use OpenSSL loadable engine support using pkcs#11 uri > syntax (rfc 7512) for loading private keys from hardware tokens, if > openssl loadable engine support is present. > > Unfortunately, if openssl configuration files are not loaded there is > no way (to my knowledge) for openssl to load third party pkcs#11 > libraries as specified by openssl configuration.
ENGINE_pkcs11 should be configured to load p11-kit-proxy.so as its default provider module. Any third party PKCS#11 module you want to use should be configured in p11-kit properly, and it'll then be available to well-behaved applications. Including sign-file. You should need any of the special OpenSSL config horridness.
smime.p7s
Description: S/MIME cryptographic signature
