[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Nikos Mavrogiannopoulos nmav at redhat.com
Mon Nov 21 14:09:21 UTC 2016


On Mon, 2016-11-21 at 13:42 +0000, David Woodhouse wrote:

> Right. The TPM engine currently uses -----BEGIN TSS KEY BLOB-----; I
> added that a few years back (it used to just dump the binary blob
> instead). Both the TPM ENGINE and GnuTLS will load those files, as
> noted at http://www.infradead.org/openconnect/tpm.html
> The problem is that applications have to jump through special hoops
> to recognise the files and invoke the engine (and there's a special
> API in GnuTLS too). It would be good if the appropriate engine could
> be invoked *automatically*, so the crypto library just does the right
> thing without all the applications even having to *know* about it.
> (Just like GnuTLS will automatically Just Work in many situations
> when presented with a PKCS#11 URI instead of a filename, as OpenSSL
> also should, but doesn't yet.)

Note that for TPM wrapped keys, there was no new API introduced for
gnutls. The intention is to access such keys using a special URI [0].
However, since tpm2.0 is a completely different beast, I no longer
believe in direct TPM support, without a PKCS#11 wrapper.

[0]. https://tools.ietf.org/html/draft-mavrogiannopoulos-tpmuri-01

regards,
Nikos
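The "hoops" David describes are, concretely, that an application must look at what it was handed (a PEM file whose armour label is TSS KEY BLOB, a software key, a pkcs11: URI, or a tpmkey: URI of the kind the draft proposes) and pick a loader itself. The dispatcher below is an added illustration of that logic, not code from OpenSSL, GnuTLS or the TPM engine; the sample PEM bodies are constructed and contain no real key material, and the tpmkey: scheme handling assumes the draft's scheme name.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Matches one PEM-armoured block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed samples: the bodies decode to three bytes, not a real key.
TSS_BLOB_PEM = "-----BEGIN TSS KEY BLOB-----\nAAEC\n-----END TSS KEY BLOB-----\n"
RSA_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAEC\n-----END RSA PRIVATE KEY-----\n"


@dataclass
class KeyRef:
    backend: str            # which loader the application must invoke
    label: Optional[str]    # PEM armour label, if the reference was a PEM file
    blob: Optional[bytes]   # decoded PEM body (an opaque TPM blob or DER key)


def classify_key_reference(ref: str) -> KeyRef:
    """Decide how a key reference must be loaded.

    URIs are recognised by scheme; file contents by their PEM label.
    This is exactly the per-application special casing that an
    automatic engine hook inside the crypto library would remove.
    """
    if ref.startswith("pkcs11:"):
        return KeyRef("pkcs11", None, None)
    if ref.startswith("tpmkey:"):          # scheme from the tpmuri draft (assumed)
        return KeyRef("tpm-uri", None, None)
    m = PEM_RE.search(ref)
    if m is None:
        raise ValueError("not a PEM block or a recognised key URI")
    label, body = m.group(1), m.group(2)
    # validate=True rejects stray characters instead of silently skipping them
    blob = base64.b64decode("".join(body.split()), validate=True)
    if label == "TSS KEY BLOB":
        return KeyRef("tpm-engine", label, blob)   # must go through the TPM engine
    return KeyRef("software", label, blob)         # ordinary software key
```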
