Hello there! From I can see that we do have an "import" functionality. But it seems this "import" refers more to "importing a PEM/DER/other-format object into memory as a session object", instead of "importing a PEM/DER/other-format object into the pkcs11-module" (for example loading a PEM into the soft token store). Am I understanding it correctly?

If I understand it correctly, then do we have any functionality that allows the caller to actually "import and save" an object into the pkcs11-module? I've tried the existing method to load an object into a session object, but it seems session objects are meant to stay in memory for that very session only, instead of "import and save it into pkcs11-module". In OpenSSL it seems

Any help is appreciated! Thank you!
Replies: 1 comment 3 replies
At the moment we do not have a way to import a key as a token object (persistent), only as a session object (ephemeral).
Import currently goes via keymgmt, although arguably it would be better to have a STORE API to deal with storage. Encoders/decoders are orthogonal, they deal with format interpretation.
We could add a pkcs11-provider specific OSSL_PARAM to pass into EVP_PKEY_fromdata() that will cause the creation of a token key (assuming the user is permitted to do so).
Generally persistent keys are either generated on the tokens directly, or imported once off-band via tools like pkcs11-tool or pkcs11 driver specific tools, so this has not been an important feature so far.
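
The out-of-band import mentioned in the reply above, sketched with OpenSC's pkcs11-tool as an added example (not part of the original thread or of the pkcs11-provider project's code). The module path, key file, id and label are caller-supplied assumptions, and `DRY_RUN` is a switch of this script only, not a pkcs11-tool option.

```shell
#!/bin/sh
# Added example: store a PEM private key on a PKCS#11 token as a persistent
# (token) object using pkcs11-tool, outside of OpenSSL.

# Run a command, or only print it when DRY_RUN=1 (hypothetical script switch).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# import_key_to_token MODULE PEM_FILE ID_HEX LABEL
import_key_to_token() {
    [ "$#" -eq 4 ] || { echo "usage: import_key_to_token MODULE PEM ID LABEL" >&2; return 2; }
    module=$1 pem=$2 id=$3 label=$4

    # Object ids are hex strings; reject anything else before touching the token.
    case $id in
        ''|*[!0-9a-fA-F]*) echo "id must be hex" >&2; return 2 ;;
    esac

    # The DER copy holds private key material. mktemp creates it with mode
    # 0600, and it is removed on every exit path below.
    der=$(mktemp) || return 1
    rc=0

    # 1. Convert to DER, which pkcs11-tool --write-object accepts.
    # 2. --login without --pin makes pkcs11-tool prompt for the PIN, keeping
    #    it out of the process arguments and shell history.
    # 3. List private keys from a separate invocation (a new session): a key
    #    that still shows up was stored on the token, not as a session object.
    run openssl pkey -in "$pem" -outform DER -out "$der" &&
    run pkcs11-tool --module "$module" --login --write-object "$der" \
        --type privkey --id "$id" --label "$label" &&
    run pkcs11-tool --module "$module" --login --list-objects --type privkey || rc=$?

    rm -f "$der"
    return "$rc"
}
```

Running it with `DRY_RUN=1` prints the three commands without contacting the token, which is useful for reviewing the module path and id first.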