[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

David Woodhouse dwmw2 at infradead.org
Tue Nov 22 16:28:07 UTC 2016


On Tue, 2016-11-22 at 17:21 +0100, Richard Levitte wrote:
> 
> dwmw2> It is *only* the OCTET STRING of the blob itself. Everything else is
> dwmw2> redundant anyway.
> 
> Oh!  Ok, that makes things much simpler (at least in a way)

Kind of. But then again, there's an argument that it was none of your
business anyway. If it says "BEGIN TSS KEY BLOB" you hand it off to the
TPM engine and after that you really don't care about what's in it.

Once upon a time, the TPM engine wrote those TPM_KEY blobs to binary
files (no ASN.1 at all). For some reason it didn't use the TssBlob
object type, although perhaps it should.

When I started looking at it, I used the -----BEGIN TSS KEY BLOB-----
for an OCTET STRING containing *just* what the code had previously been
writing into its binary files.

If I'd been aware of the TssBlob definition at that time, I suppose I
would have used it instead of just the OCTET STRING. But I didn't.

If we write an I-D covering the TPM keys, perhaps the PEM contents
should be permitted to be *either* a raw OCTET STRING with the key
blob, OR a TssBlob object. Or maybe we should add a
-----BEGIN TSS BLOB----- (without 'KEY' in it) instead?

-- 
dwmw2
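The PEM form described in this message, as an added example that is not code from the author, from OpenSSL or from the TPM engine: a small strict-DER reader and writer for "TSS KEY BLOB" blocks. It assumes the body is a single OCTET STRING wrapping the opaque key blob (the form the message describes); a SEQUENCE body is reported as "sequence" and left undecoded, since the TssBlob layout is not given here. The sample blob is a constructed placeholder, not a real TPM_KEY.

```python
"""Reader/writer for the "TSS KEY BLOB" PEM form: one DER OCTET STRING holding
an opaque TPM key blob. Added example, not openssl or tpm-engine code."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30


def pem_decode(text):
    """Return (label, der_bytes) for the first PEM block in text."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())          # drop line breaks inside the base64
    return m.group(1), base64.b64decode(body, validate=True)


def pem_encode(label, der):
    """PEM-armour der under the given label, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_read_tlv(data, offset=0):
    """Parse one TLV at offset and return (tag, value, next_offset).
    Rejects indefinite, oversized, non-minimal and truncated lengths."""
    if offset + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if offset + n > len(data):
            raise ValueError("truncated length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
        if length < 0x80 or len(der_length(length)) != n + 1:
            raise ValueError("non-minimal length encoding")
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, offset + length


def encode_tss_key_blob(blob):
    """Wrap an opaque TPM key blob as an OCTET STRING and PEM-armour it."""
    der = bytes([TAG_OCTET_STRING]) + der_length(len(blob)) + blob
    return pem_encode("TSS KEY BLOB", der)


def decode_tss_key_blob(text):
    """Return ("octet-string", blob) for the raw form, or ("sequence", body)
    for a SEQUENCE body (assumed to be the TssBlob form; not decoded here)."""
    label, der = pem_decode(text)
    if label != "TSS KEY BLOB":
        raise ValueError("unexpected PEM label %r" % label)
    tag, value, end = der_read_tlv(der)
    if end != len(der):
        raise ValueError("trailing data after DER object")
    if tag == TAG_OCTET_STRING:
        return "octet-string", value
    if tag == TAG_SEQUENCE:
        return "sequence", value
    raise ValueError("unexpected DER tag 0x%02x" % tag)


# Constructed sample: a 300-byte placeholder standing in for an opaque TPM_KEY blob,
# long enough to exercise the two-byte long-form DER length.
SAMPLE_BLOB = bytes(range(256)) + b"\x00" * 44

if __name__ == "__main__":
    pem = encode_tss_key_blob(SAMPLE_BLOB)
    print(pem)
    kind, blob = decode_tss_key_blob(pem)
    print(kind, len(blob), "bytes")
```

Everything after the label is handed to the TPM engine opaque, so the only checks a consumer can sensibly make on this form are the ones above: the label, a single well-formed DER object, and nothing trailing it.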