Re: curl and HTTPS client keys in HSM (openssl ENGINE)

From: Götz Babin-Ebell
Date: Wed, 28 Nov 2001 12:23:14 +0100

Daniel Stenberg wrote:

Hello Daniel,

> On Wed, 28 Nov 2001, Götz Babin-Ebell wrote:
> > I want to use curl with a client key stored in a crypto box.
> Am I supposed to know what a "crypto box" is? curl works with certificates
> and keys stored in PEM format.

An "HSM" or "crypto box" is a hardware module that does cryptographic
operations. It is possible (and preferable) that it also stores the
private key.

Since the private key is not known outside the crypto box,
a compromise of the computer will not compromise the private key.

> You have two options:
> 1 - convert your key to PEM
With an HSM I have no key,
only a handle to access the key inside the box...

> 2 - make curl support your format
I'll look at it.
But it is possible this will require a change in the interface...

> > Has anybody implemented OpenSSL - Engine support in curl?
> The "OpenSSL engine" release is supposed to be merged with the regular
> OpenSSL in the upcoming release (0.9.7). (So says their FAQ.)

> I have no idea exactly what you're referring to here though, and I don't know
> what it would take to support "OpenSSL - Engine". Could you elaborate?

At the moment the changes are few:
a change in the init of OpenSSL
and a different function to load the key...
Some changes in the configure would be required...



Goetz Babin-Ebell, TC TrustCenter AG,
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

Received on 2001-11-28