[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

David Woodhouse dwmw2 at infradead.org
Tue Nov 22 16:09:26 UTC 2016


On Tue, 2016-11-22 at 07:44 -0800, James Bottomley wrote:
> 
> > I'm just having a look at the spec (page 151 in
> > http://www.trustedcomputinggroup.org/wp-content/uploads/TSS_1_2_Errata_A-final.pdf),
> > and am a bit confused by the TssBlobType type.  Which is it in
> > practice, an ENUMERATED or an INTEGER?
> 
> It's actually here:
> 
> http://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf
> 
> It's around page 101, section 10.3 the TPM_KEY12 structure.  That tells
> you what to encrypt and how to construct the encrypted part of the
> blob.  It refers to other structures, so you end up doing a bit of a
> pointer chase through the document.

The TPM_KEY12 structure is what's in the OCTET STRING (that I just
showed). But I believe we're looking at the ASN.1 on page 151 (§3.23
"Portable Data") of the TSS spec:

TssBlobType ::= ENUMERATED
{
	Key-Blob (1),    -- TCPA_KEY as returned from TPM
	PubKey-Blob (2), -- TCPA_PUBKEY as returned from TPM
	MigKey-Blob (3), -- TCPA_KEY as return from the TSP
			 -- Tspi_Key_CreateMigrationBlob
			 -- In dedicated mode (see the command for details)
	SealedData-Blob (4),   -- TCPA_STORED_DATA as returned from TPM
	...
}

TssBlobType ::= INTEGER
TssBlob ::= SEQUENCE
{
	StructVersion INTEGER, -- Version of this structure; at the moment 1
	BlobType TssBlobType,  -- Type of Blob; see enum
	BlobLength INTEGER,    -- Length of Blob
	Blob OCTET STRING      -- Blob as returned from TPM (no ASN1 encoding)
}

To my knowledge nothing actually *implements* this TssBlob. Those PEM
files (like the one I just showed) only contain the OCTET STRING.

-- 
dwmw2
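As an added example (not code from this thread, from OpenSSL, or from any TSS implementation), the following Python encodes and decodes the TssBlob SEQUENCE quoted above with a minimal hand-written DER codec, accepts BlobType as either ENUMERATED or INTEGER since the spec text gives both definitions, enforces the BlobLength/Blob consistency a parser should check, and classifies whether a decoded PEM payload is the bare OCTET STRING form described above or a full TssBlob. The sample blob bytes are constructed placeholders, not a real TPM_KEY12.

```python
"""Minimal DER codec for the TSS 1.2 TssBlob structure (added example)."""

# DER universal tags
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30

# TssBlobType values as quoted from the TSS spec
KEY_BLOB, PUBKEY_BLOB, MIGKEY_BLOB, SEALEDDATA_BLOB = 1, 2, 3, 4

# Constructed placeholder standing in for a TPM_KEY12 blob (not real TPM output)
SAMPLE_BLOB = bytes(range(16))


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _int_content(value: int) -> bytes:
    """Content octets of a non-negative INTEGER/ENUMERATED (two's complement)."""
    if value < 0:
        raise ValueError("negative values not supported")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV at pos; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def encode_tss_blob(blob_type: int, blob: bytes, struct_version: int = 1) -> bytes:
    """TssBlob ::= SEQUENCE { StructVersion, BlobType, BlobLength, Blob }."""
    body = (_tlv(TAG_INTEGER, _int_content(struct_version))
            + _tlv(TAG_ENUMERATED, _int_content(blob_type))
            + _tlv(TAG_INTEGER, _int_content(len(blob)))
            + _tlv(TAG_OCTET_STRING, blob))
    return _tlv(TAG_SEQUENCE, body)


def decode_tss_blob(der: bytes) -> dict:
    """Parse a TssBlob; BlobType may be ENUMERATED or INTEGER (spec gives both)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, v, pos = _read_tlv(seq, pos)
        fields.append((t, v))
    if len(fields) != 4:
        raise ValueError("TssBlob needs exactly four fields")
    (t0, v0), (t1, v1), (t2, v2), (t3, v3) = fields
    if (t0 != TAG_INTEGER or t1 not in (TAG_INTEGER, TAG_ENUMERATED)
            or t2 != TAG_INTEGER or t3 != TAG_OCTET_STRING):
        raise ValueError("unexpected field tags")
    out = {"StructVersion": int.from_bytes(v0, "big"),
           "BlobType": int.from_bytes(v1, "big"),
           "BlobLength": int.from_bytes(v2, "big"),
           "Blob": v3}
    # The redundant length field must agree with the OCTET STRING it describes
    if out["BlobLength"] != len(v3):
        raise ValueError("BlobLength does not match Blob")
    return out


def is_well_formed_tss_blob(der: bytes) -> bool:
    try:
        decode_tss_blob(der)
        return True
    except ValueError:
        return False


def classify_pem_payload(der: bytes) -> str:
    """Bare OCTET STRING (what the PEM files carry) vs. a full TssBlob SEQUENCE."""
    try:
        tag, _, end = _read_tlv(der, 0)
    except ValueError:
        return "malformed"
    if end != len(der):
        return "trailing data"
    if tag == TAG_OCTET_STRING:
        return "bare OCTET STRING"
    if tag == TAG_SEQUENCE:
        return "TssBlob SEQUENCE"
    return "unknown"


if __name__ == "__main__":
    der = encode_tss_blob(KEY_BLOB, SAMPLE_BLOB)
    print(der.hex(), classify_pem_payload(der), decode_tss_blob(der))
```

The bare form is what a PEM decoder would hand back from the files in this thread; wrapping that OCTET STRING in the SEQUENCE is all the TssBlob layer adds, and the BlobLength check is the one consistency test a reader of such a blob should not skip.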