On Fri, 2020-01-31 at 10:02 +1100, Damien Miller wrote:
> On Thu, 30 Jan 2020, James Bottomley wrote:
>
> > Engine keys are keys whose file format is understood by a specific
> > engine rather than by openssl itself. Since these keys are file
> > based, the pkcs11 interface isn't appropriate for them because they
> > don't actually represent tokens. The current most useful engine
> > for openssh keys are the TPM engines, which allow all private keys
> > to be stored in a form only the TPM hardware can decode, making
> > them impossible to steal.
>
> I think this is similar enough to the FIDO key support that we
> recently added to OpenSSH that it would be best to reuse those
> interfaces for these keys. FIDO keys are file based as well - the
> enrollment/generation process returns a "key handle" that we bundle
> up in a private key and that needs to be supplied when signing.
>
> Have a look at regress/misc/sk-dummy/sk-dummy.c in portable OpenSSH
> for a dummy version of the API that just calls out to libcrypto.

Will do ... the U2F key file is pretty similar to the engine key file.

James

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev