Sorry about that. It is TLS, and we want the Root of Trust to be a non-exportable, non-readable private key on the Hardware Security Module.

By explicitly adding "-keyform ENG", s_client works perfectly, and with cURL "--key-type ENG" also works. The Node.js crypto module has setEngine, but there's no option for passing keyform. I requested this from the Node.js team as well, but if we can do something to tell openssl "keyform is always ENG", I think maybe that would work.

-------- Original Message --------
From: Viktor Dukhovni <openssl-us...@dukhovni.org>
Sent: Sun Jun 02 18:35:37 PDT 2019
To: openssl-users@openssl.org
Subject: Re: -keyform ENG and NodeJS

On Sun, Jun 02, 2019 at 05:49:10PM -0700, Erik Madsen wrote:

> I am using a Hardware Security Module. Both s_client and cURL work fine
> because we can use the CLI "-keyform ENG" for s_client and "--key-type
> ENG" for curl.
>
> Is it possible to specify this in the openssl.cnf file instead of the CLI?

You could be a bit more explicit about whether this is a TLS or some other
application. Configuration is "module"-specific.

> For testing this, the following works:
>
> openssl s_client -connect host:port -engine engineSO -keyform ENG -cert
> /path/to/signed/cert
>
> If we can do it like this:
>
> OPENSSL_CONF=openssl.cnf openssl s_client -connect host:port -engine
> engineSO -cert /path/to/signed/cert (removed the -keyform)
>
> I think it will work fine.

I don't believe that the SSL "conf module" presently supports a "command"
that allows you to specify the "keyform" of a private key file. It has a
"PrivateKey" "command", but this appears to be unconditionally limited to
PEM. If anyone else knows otherwise, corrections welcome.

--
Viktor.