Add documentation for URIs in PEM files #456

Merged
merged 1 commit into from
Oct 24, 2024
30 changes: 30 additions & 0 deletions docs/provider-pkcs11.7
Expand Up @@ -265,6 +265,36 @@ Examples:
\f[V]PKCS11_PROVIDER_DEBUG=file:/tmp/debug.log\f[R]
.PP
\f[V]PKCS11_PROVIDER_DEBUG=file:/dev/stderr,level:2\f[R]
.SH USE IN OLDER APPLICATIONS (URIs in PEM files)
.PP
It is strongly suggested to update applications to use the new
OSSL_STORE API provided by OpenSSL 3.0 which accepts URIs to
transparenly load keys from either files or any other supported
mechanism including PKCS#11 URIs.
.PP
However, for those applications that cannot yet be changed, there is
tool to generate a \[lq]wrapper\[rq] PEM file that contains the PKCS#11
URI needed to identify a key on the a token.
.PP
This PEM file can be loaded via the clasic methods used to parse PEM/DER
representations of keys and will trigger the use of the pkcs11-provider
decoders when the provider is loaded.
An error will be returned if the provider is not pre-loaded or an older
version of OpenSSL is used.
.PP
In tools/uri2pem.py there is a sample python script that can take a key
URI and produce a PEM file that references it.
Note that storing PINs within these PEM files is not secure.
These files are not encrypted.
.PP
The follwing command can be used to list all keys on a token and print
their identifying URI:
.IP
.nf
\f[C]
openssl storeutl -keys -text pkcs11:
\f[R]
.fi
.SH EXAMPLES
.PP
openssl.cnf:
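Review bot: several typos in the new `.SH USE IN OLDER APPLICATIONS` section of the man page: "transparenly load keys" should read "transparently load keys", "there is tool to generate" should read "there is a tool to generate", "a key on the a token" should read "a key on a token", "the clasic methods" should read "the classic methods", and "The follwing command" should read "The following command". On the `tools/uri2pem.py` paragraph, the warning that storing PINs in these PEM files is not secure because the files are not encrypted would be more useful if it also told the reader what to do instead, e.g. generate the wrapper PEM from a URI that does not carry the PIN and let the application supply it at load time, and to treat a wrapper file that does contain a PIN with the same file permissions as the private key file it replaces.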
28 changes: 28 additions & 0 deletions docs/provider-pkcs11.7.md
Expand Up @@ -258,6 +258,34 @@ Examples:
```PKCS11_PROVIDER_DEBUG=file:/dev/stderr,level:2```


USE IN OLDER APPLICATIONS (URIs in PEM files)
=============================================

It is strongly suggested to update applications to use the new
OSSL_STORE API provided by OpenSSL 3.0 which accepts URIs to
transparenly load keys from either files or any other supported
mechanism including PKCS#11 URIs.

However, for those applications that cannot yet be changed, there is
tool to generate a "wrapper" PEM file that contains the PKCS#11 URI
needed to identify a key on the a token.

This PEM file can be loaded via the clasic methods used to parse
PEM/DER representations of keys and will trigger the use of the
pkcs11-provider decoders when the provider is loaded. An error will be
returned if the provider is not pre-loaded or an older version of
OpenSSL is used.

In tools/uri2pem.py there is a sample python script that can take a key
URI and produce a PEM file that references it. Note that storing PINs
within these PEM files is not secure. These files are not encrypted.

The follwing command can be used to list all keys on a token and print
their identifying URI:

openssl storeutl -keys -text pkcs11:


EXAMPLES
========

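Review bot: the same typos are carried into the Markdown copy of the section ("transparenly", "there is tool", "on the a token", "clasic", "follwing") and should be fixed here as well so the two documents stay in sync. Style: the `openssl storeutl -keys -text pkcs11:` line is left as plain text, while the `PKCS11_PROVIDER_DEBUG=...` examples just above it are wrapped in triple-backtick fences; wrapping the command the same way keeps it rendered as code and makes it copy-pasteable. It may also be worth noting next to that command that it only lists keys when the provider is already activated in the OpenSSL configuration, which is what the following EXAMPLES section (`openssl.cnf:`) shows, since the text earlier in the section says loading fails when the provider is not pre-loaded.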