On Thu, 30 Jan 2020, James Bottomley wrote:
> Engine keys are keys whose file format is understood by a specific
> engine rather than by openssl itself. Since these keys are file
> based, the pkcs11 interface isn't appropriate for them because they
> don't actually represent tokens. The current most useful engine for
> openssh keys are the TPM engines, which allow all private keys to be
> stored in a form only the TPM hardware can decode, making them
> impossible to steal.

I think this is similar enough to the FIDO key support that we recently
added to OpenSSH that it would be best to reuse those interfaces for
these keys. FIDO keys are file based as well - the enrollment/generation
process returns a "key handle" that we bundle up in a private key and
that needs to be supplied when signing.

Have a look at regress/misc/sk-dummy/sk-dummy.c in portable OpenSSH for
a dummy version of the API that just calls out to libcrypto.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
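The "key handle" model described in the reply above, as an added illustration that is not code from OpenSSH, from sk-dummy.c, or from any FIDO authenticator: a simulated device holds one master secret, enrollment hands the host an opaque handle (a random nonce plus an HMAC tag binding it to the application), and signing re-derives the Ed25519 key from that handle on the device. The point a practitioner should take away is the same one made for TPM engine keys: the file the host keeps is useless without the hardware, and a handle stolen and presented to a different device, or used for a different application, is rejected. The Device type, the HMAC-based derivation and the "ssh:" application label are all assumptions made for this example; real authenticators and OpenSSH's actual sk interface differ in detail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Sizes of the two fields that make up a handle: nonce || tag.
const (
	nonceLen = 32
	tagLen   = sha256.Size
)

// Device is a hypothetical authenticator. Its only long-lived secret is
// masterSecret, which never leaves the device; no per-key state is stored.
type Device struct {
	masterSecret []byte
}

func NewDevice() (*Device, error) {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	return &Device{masterSecret: s}, nil
}

// prf is HMAC-SHA256 under the master secret, domain-separated by label.
func (d *Device) prf(label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, d.masterSecret)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// deriveKey recomputes the per-credential Ed25519 key from (application, nonce).
// The private scalar is never stored; it exists only while the device uses it.
func (d *Device) deriveKey(application string, nonce []byte) ed25519.PrivateKey {
	seed := d.prf("seed", []byte(application), nonce) // 32 bytes == ed25519.SeedSize
	return ed25519.NewKeyFromSeed(seed)
}

// Enroll mints a credential for application and returns the public key plus
// the opaque handle the host stores in place of a private key.
func (d *Device) Enroll(application string) (ed25519.PublicKey, []byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	priv := d.deriveKey(application, nonce)
	tag := d.prf("handle", []byte(application), nonce)
	handle := append(append([]byte{}, nonce...), tag...)
	return priv.Public().(ed25519.PublicKey), handle, nil
}

// Sign checks that this device issued handle for application, re-derives the
// key and signs message. Foreign or tampered handles fail the MAC and are refused.
func (d *Device) Sign(application string, handle, message []byte) ([]byte, error) {
	if len(handle) != nonceLen+tagLen {
		return nil, errors.New("malformed key handle")
	}
	nonce, tag := handle[:nonceLen], handle[nonceLen:]
	expect := d.prf("handle", []byte(application), nonce)
	if subtle.ConstantTimeCompare(tag, expect) != 1 {
		return nil, errors.New("key handle not issued by this device for this application")
	}
	return ed25519.Sign(d.deriveKey(application, nonce), message), nil
}

// Demo runs enroll/sign/verify and the two failure cases that matter:
// a stolen handle on another device, and a handle used for the wrong application.
func Demo() (sigValid, otherDeviceRejected, wrongAppRejected bool, err error) {
	dev, err := NewDevice()
	if err != nil {
		return false, false, false, err
	}
	pub, handle, err := dev.Enroll("ssh:")
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("constructed signature payload") // constructed sample input
	sig, err := dev.Sign("ssh:", handle, msg)
	if err != nil {
		return false, false, false, err
	}
	sigValid = ed25519.Verify(pub, msg, sig)

	other, err := NewDevice()
	if err != nil {
		return false, false, false, err
	}
	_, e2 := other.Sign("ssh:", handle, msg)
	otherDeviceRejected = e2 != nil

	_, e3 := dev.Sign("ssh:other", handle, msg)
	wrongAppRejected = e3 != nil
	return sigValid, otherDeviceRejected, wrongAppRejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

The handle is authenticated rather than merely random so that the device can refuse to derive keys for blobs it did not issue; binding the application into both the tag and the seed is what keeps one credential from being replayed against another service.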