Closed rolandshoemaker closed 5 years ago
Is this the same as #380?
Whoops, yup! Must've missed this when searching for issues.

On Tue, Apr 19, 2016 at 5:36 AM Pierre Phaneuf notifications@github.com wrote:
> Is this the same as #380 https://github.com/google/certificate-transparency/issues/380?
This would allow the use of HSMs/HSKs for key storage.
Given my limited research it looks like this would require adding support for setting the OpenSSL PKCS#11 engine module and loading the `EVP_PKEY` with `ENGINE_load_{private|public}_key` instead of `PEM_read_{Private|Public}Key`. I believe this is all you should need to be able to sign using the pseudo key objects but I'm not 100% on that...

If no one has any major objections I'd be interested in taking a shot at this, I'd probably need to brush up a bunch on PKCS#11 and C++ though.