On 2009.07.01 at 09:02:38 -0400, Russell Leake (leaker) wrote:

> Hello all,
> I'm trying to create an engine which interfaces to an HSM. I
> have successfully created a skeleton for my engine but I'm running into
> a fundamental problem with the argument "privkey." An example might
> help tee up the question. The command "rsautl -sign" requires the
> argument "-inkey". While this makes sense if I'm invoking openssl with
> a local private key file, I'm having trouble understanding how this
> would fit in when the key is held remotely (HSM). I've seen a reference

It might be that an HSM can store several keys, so some key identifier has to be passed to the ENGINE_load_private_key function. This function has the following prototype:

EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)

and calls the function with the same prototype from your engine. The string you specify as the argument to the -inkey option is passed to this function as the key_id parameter, if you specify that the key format is ENGINE. How this string is formatted and what information it contains is up to you.

In one of our engines, which supports several different hardware key storage devices, we use a string which contains the device type, either the hardware device ID or the name of a key container stored on the device, and a specifier of the key within the container. For instance VJUGA:060023.S means the key stored on the VJUGA device with hardware ID 060023 as the 'S' (signature) key, and VJUGA=mycontainer.S means the key stored on the VJUGA device which contains a container named "mycontainer". Of course, the only thing the engine can do if the inserted device has the wrong serial number or doesn't contain a container with the specified name is to return an error.

In another engine we use just a number as the key identifier, because this engine supports only one type of storage, but this storage has 32K bytes to store keys and can contain dozens of keys.

> that the private key file can be a "pointer" so that the engine/HSM can
> address the appropriate key (label).
> I would have thought that all external arguments would have been
> passed when the engine is referenced through -pre. But, maybe there is
> an easier way.

Note that it is quite complicated for the user to use -pre. Typically the user just specifies the engine, and commands are read from the configuration file, where there is a section which describes your engine.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
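As an added example (not code from the original post or from the engine it describes), here is how the load_privkey callback of such an engine could parse the key_id layout the reply gives (VJUGA:060023.S and VJUGA=mycontainer.S) and apply its rule that a wrong serial number or a missing container can only yield an error. The struct names, field sizes and the inserted_device stand-in are assumptions; it builds without libcrypto so that the parsing logic can be exercised on its own.

```c
#include <string.h>

/* A parsed key_id in the layout the reply describes (this parser is an added illustration):
 *   DEVTYPE:HWID.K       e.g. "VJUGA:060023.S"      key K on the device with hardware ID HWID
 *   DEVTYPE=CONTAINER.K  e.g. "VJUGA=mycontainer.S" key K in container CONTAINER on the device */
typedef struct {
    char devtype[16];
    int  by_hwid;        /* 1: selector is a hardware ID, 0: selector is a container name */
    char selector[64];   /* hardware ID or container name */
    char key;            /* key specifier within the container, e.g. 'S' for signature */
} hsm_key_ref;

/* Returns 0 on success, -1 if key_id does not match the expected layout. */
int parse_key_id(const char *key_id, hsm_key_ref *out)
{
    const char *sep = strpbrk(key_id, ":=");     /* ':' = by hardware ID, '=' = by container */
    const char *dot;
    size_t n;
    if (sep == NULL || sep == key_id) return -1;
    dot = strrchr(sep + 1, '.');                 /* '.' separates selector from key specifier */
    if (dot == NULL || dot == sep + 1 || dot[1] == '\0' || dot[2] != '\0') return -1;
    n = (size_t)(sep - key_id);
    if (n >= sizeof(out->devtype)) return -1;
    memcpy(out->devtype, key_id, n); out->devtype[n] = '\0';
    out->by_hwid = (*sep == ':');
    n = (size_t)(dot - (sep + 1));
    if (n >= sizeof(out->selector)) return -1;
    memcpy(out->selector, sep + 1, n); out->selector[n] = '\0';
    out->key = dot[1];
    return 0;
}

/* Constructed stand-in for what the engine learns about the inserted device;
 * a real engine would obtain this from the HSM driver. */
typedef struct { const char *devtype; const char *hwid; const char *container; } inserted_device;

/* The check the reply describes: a wrong serial number or a missing container can only
 * produce an error. In the engine this sits inside the callback registered with
 * ENGINE_set_load_privkey_function(), whose key_id argument is the -inkey string.
 * Returns 1 if key_id resolves on dev, 0 otherwise (the callback would then return NULL). */
int resolve_key_id(const char *key_id, const inserted_device *dev)
{
    hsm_key_ref ref;
    if (parse_key_id(key_id, &ref) != 0) return 0;
    if (strcmp(ref.devtype, dev->devtype) != 0) return 0;
    if (ref.by_hwid) return strcmp(ref.selector, dev->hwid) == 0;
    return dev->container != NULL && strcmp(ref.selector, dev->container) == 0;
}
```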