FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

OpenSSL 3 and black key?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OpenSSL 3 and black key?

‎10-24-2025 12:41 AM
1,177 Views
Christian-R
Contributor I

Hi,

We are interested in being able to use CAAM to support OpenSSL with black keys for signing operations.

OpenSSL 3 recommends using a new interface called "Provider".

It appears there's no ready CAAM "Provider" implementation without using something like OP-TEE. Could someone confirm or deny this?

If there's no ready implementation, any suggestions, is there any official support integrating black key sign/verify operations to mbedTLS, OpenSSH, OpenGPG, etc..?

Thanks,
Christian

0 Kudos
Reply
3 Replies

‎10-27-2025 03:00 PM
1,118 Views
Christian-R
Contributor I

If possible we'd like to _not_ have to use OPTEE.
Do you know if that's possible?

Regard,
Christian

0 Kudos
Reply

‎10-29-2025 07:55 PM
1,053 Views
Harvey021
NXP TechSupport
NXP TechSupport

Have also checked with internal security team, no positive answer without OPTEE.

 

Regards

Harvey

0 Kudos
Reply

‎10-27-2025 12:58 AM
1,126 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi,

Hope that the section <10.4.8 OpenSSL TLS offload to OP-TEE PKCS#11 via pkcs11-provider> of UG10163.pdf be helpful.

 

Regards

Harvey

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2192363%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EOpenSSL%203%20and%20black%20key%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192363%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20interested%20in%20being%20able%20to%20use%20CAAM%20to%20support%20OpenSSL%20with%20black%20keys%20for%20signing%20operations.%3C%2FP%3E%3CP%3EOpenSSL%203%20recommends%20using%20a%20new%20interface%20called%20%22Provider%22.%3C%2FP%3E%3CP%3EIt%20appears%20there's%20no%20ready%20CAAM%20%22Provider%22%20implementation%20without%20using%20something%20like%20OP-TEE.%20Could%20someone%20confirm%20or%20deny%20this%3F%3C%2FP%3E%3CP%3EIf%20there's%20no%20ready%20implementation%2C%20any%20suggestions%2C%20%3CI%3Eis%20there%20any%20official%20support%20integrating%20black%20key%20sign%2Fverify%20operations%20to%20mbedTLS%2C%20OpenSSH%2C%20OpenGPG%2C%20etc..%3C%2FI%3E%3F%3C%2FP%3E%3CP%3EThanks%2C%3CBR%20%2F%3EChristian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2192363%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CLINGO-LABEL%3Ei.MX%208%20Family%20%7C%20i.MX%208QuadMax%20(8QM)%20%7C%208QuadPlus%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2195401%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20OpenSSL%203%20and%20black%20key%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2195401%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHave%20also%20checked%20with%20internal%20security%20team%2C%20no%20positive%20answer%20without%20OPTEE.%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193789%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20OpenSSL%203%20and%20black%20key%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193789%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EIf%20possible%20we'd%20like%20to%20_not_%20have%20to%20use%20OPTEE.%3CBR%20%2F%3EDo%20you%20know%20if%20that's%20possible%3F%3CBR%20%2F%3E%3CBR%20%2F%3ERegard%2C%3CBR%20%2F%3EChristian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193302%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20OpenSSL%203%20and%20black%20key%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193302%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3EHope%20that%20the%20section%20%26lt%3B10.4.8%20OpenSSL%20TLS%20offload%20to%20OP-TEE%20PKCS%2311%20via%20pkcs11-provider%26gt%3B%20of%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.nxp.com%2Fdocs%2Fen%2Fuser-guide%2FUG10163.pdf%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EUG10163.pdf%3C%2FA%3E%26nbsp%3Bbe%20helpful.%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%3C%2FLINGO-BODY%3E