[PATCH 0/6] OpenSSL PKCS#11 improvements
dwmw2 at infradead.org
Thu Dec 18 10:07:37 EST 2014
If we build with GnuTLS, PKCS#11 use is simple. You just put a standard
PKCS#11 URI¹ into the client_cert or private_key fields, and it Just
Works™. It'll search the PKCS#11 tokens which are enabled in the
system's p11-kit configuration, and find the object you require.
(It's not quite perfect though — it doesn't support using PKCS#11 for
ca_cert, and it doesn't support tokens that require a PIN. I may look at
This set of patches fixes the OpenSSL side to behave similarly, so the
configuration is the same regardless of which crypto library you
Now, all I need to do is provide something like the following in my
These patches depend on some fixes to engine_pkcs11² in order to work,
but will fail gracefully if the old engine (or no engine) is found. The
old baroque OpenSSL-specific method of explicit configuration will also
continue to work, with both old and new engines.
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation