OK thanks, initial implementation of STORE into my pkcs11 engine (1) is ready. I am able to do this:

    openssl storeutl -engine pkcs11 'pkcs11:objecttype=cert;object=test'

and this is the result:

    engine "pkcs11" set.
    0: Certificate
    -----BEGIN CERTIFICATE-----
    MIIC/DCCAeSgAwIBAgIUDrAyYf/dMsavGGEuYMLqJxFrHOUwDQYJKoZIhvcNAQEL
    ...

(1) https://github.com/openssl/openssl/pull/8200

On Wed, Mar 6, 2019 at 4:37 PM Richard Levitte <levitte@xxxxxxxxxxx> wrote:
> What you need to do on bind is to create a whole OSSL_STORE_LOADER for
> pkcs11. OSSL_STORE_LOADER_set_open only sets the opening functions,
> which is expected to take a URI and parse that into something
> sensible, and return a context. There are other functions to set as
> well, such as the 'load', 'eof', 'error' and 'close' functions.
>
> The OSSL_STORE_LOADER callback set is designed to work somewhat
> vaguely like the stdio API, but instead of handling a set of bytes, it
> handles a set of objects, which can be whatever the OSSL_STORE API
> knows how to handle.
>
> When you're done building the OSSL_STORE_LOADER (including a scheme
> name, that's absolutely important), you hook it into libcrypto with
> OSSL_STORE_register_loader(), and voilà, you should be able to do this:
>
> openssl storeutl -engine yourengine \
> 'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'
>
> (I'm sorry, I don't know the URI scheme enough to say how to specify
> that you want to get a list of all accessible certificates or other
> objects)
>
> There is the manual OSSL_STORE_LOADER(3) found in doc/man3/OSSL_STORE_LOADER.pod,
> and the 'file:' scheme loader is in crypto/store/loader_file.c, but
> fair warning, that one is a bit more complex than you would probably
> expect from the average store loader.
>
> Cheers,
> Richard
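The first job of the loader's 'open' callback described in the quoted reply is to parse the pkcs11: URI into something the 'load' callback can search the token for. The following is an added reference implementation of that parsing step written for this thread, not code from the pkcs11 engine or the PR linked above; it follows RFC 7512 (path attributes split on ';', query attributes after '?' split on '&', percent-encoded values, binary 'id') and also accepts the older 'objecttype' spelling used in the commands in this thread. Function names are my own.

```python
"""Parse RFC 7512 PKCS#11 URIs the way an OSSL_STORE 'open' callback must."""
from urllib.parse import unquote_to_bytes

# Attribute names from RFC 7512 section 2.3, plus the pre-RFC 'objecttype'.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type",
              "objecttype", "id", "slot-id", "slot-description",
              "slot-manufacturer"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"cert", "public", "private", "secret-key", "data"}


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}}; 'id' stays bytes, the rest str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI (scheme mismatch)")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    result = {"path": {}, "query": {}}
    for text, sep, bucket, allowed in ((path, ";", "path", PATH_ATTRS),
                                       (query, "&", "query", QUERY_ATTRS)):
        if not text:
            continue
        for item in text.split(sep):
            name, eq, value = item.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {item!r}")
            if name in result[bucket]:
                raise ValueError(f"duplicate attribute {name!r}")
            # Vendor attributes are allowed by the RFC; anything else must be known.
            if name not in allowed and not name.startswith("x-"):
                raise ValueError(f"unknown {bucket} attribute {name!r}")
            raw = unquote_to_bytes(value)          # percent-decoding, may be binary
            result[bucket][name] = raw if name == "id" else raw.decode("utf-8")
    return result


def object_class(parsed):
    """Object class the 'load' callback should search for, or None for 'any'.
    Accepts both RFC 7512 'type' and the older 'objecttype' from this thread."""
    t = parsed["path"].get("type", parsed["path"].get("objecttype"))
    if t is not None and t not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {t!r}")
    return t


def redacted(parsed):
    """Copy safe for logging: never echo a pin-value from the query part."""
    q = {k: ("<redacted>" if k == "pin-value" else v)
         for k, v in parsed["query"].items()}
    return {"path": dict(parsed["path"]), "query": q}
```

Keys from the 'id' attribute are returned as bytes because a CKA_ID is an arbitrary byte string, not text; compare it byte-for-byte against what the token reports.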