[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
Richard Levitte
levitte at openssl.org
Wed Nov 23 10:47:34 UTC 2016
In message <1479894913.8937.58.camel at infradead.org> on Wed, 23 Nov 2016 09:55:13 +0000, David Woodhouse <dwmw2 at infradead.org> said:
dwmw2> On Wed, 2016-11-23 at 09:56 +0100, Richard Levitte wrote:
dwmw2> >
dwmw2> >
dwmw2> > dwmw2> So maybe it's just "content types" that we have handlers for, each with
dwmw2> > dwmw2> an optional PEM tag for matching, *and* an optional match function
dwmw2> > dwmw2> which is given the parsed ASN.1 and checks if it's a match.
dwmw2> >
dwmw2> > I'm not sure what you mean with a match function... but going off on
dwmw2> > a limb, how about a reference to an OpenSSL style ASN1 description?
dwmw2> > So basically, for an imaginary TSS KEY BLOB (one that actually would
dwmw2> > use that TssBlob definition we talked about earlier), these three
dwmw2> > items would be specified:
dwmw2> >
dwmw2> > "TSS KEY BLOB",
dwmw2> > ASN1_ITEM_rptr(TSS_BLOB), /* TSS_BLOB ASN1 stuff defined in engine */
dwmw2> > handler /* Essentially a d2i function */
dwmw2> >
dwmw2> > Or did you mean that the matching would also involve checking the
dwmw2> > contents of the OCTET_STRING that TSS KEY BLOBs currently are, to see
dwmw2> > if they correspond to your structures? If that's what you mean, my
dwmw2> > gut feeling tells me - and I haven't had my morning coffee yet - we're
dwmw2> > now moving into a territory where I fully expect dragons... not to
dwmw2> > mention the worries Rich expressed.
dwmw2>
dwmw2> Oh $DEITY no, not looking in the contents of the OCTET_STRING.
dwmw2> Basically I'm thinking of doing precisely what d2i_AutoPrivateKey()
dwmw2> already does, just with expanded coverage and slightly less hard-coded
dwmw2> stuff.
<snip>
dwmw2> Doing it like that would prevent any implementations (like the one in
dwmw2> the TPM engine) from being *tempted* to go prodding around in the
dwmw2> contents of OCTET STRINGs. Which is probably a feature :)
Right...
But then, embedding everything in an OCTET STRING isn't exactly a
novel idea either. How do we discern a DER encoded TSS KEY BLOB from
whatever else that had the same "novel" idea? An OCTET STRING is an
OCTET STRING is an OCTET STRING... See the dragons hovering over
there? ;-)
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
More information about the openssl-dev
mailing list