[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
James Bottomley
James.Bottomley at HansenPartnership.com
Wed Nov 23 15:23:09 UTC 2016
On Wed, 2016-11-23 at 10:53 +0000, David Woodhouse wrote:
> On Wed, 2016-11-23 at 11:47 +0100, Richard Levitte wrote:
> >
> > Right...
> >
> > But then, embedding everything in an OCTET STRING isn't exactly a
> > novel idea either. How do we discern a DER encoded TSS KEY BLOB
> > from whatever else that had the same "novel" idea? An OCTET STRING
> > is an OCTET STRING is an OCTET STRING... See the dragons hovering
> > over there? ;-)
>
> We don't. Crap like that is auto-detected in PEM form only. And yes,
> it *really* should have used the TssBlob structure, not just the
> OCTET STRING.
Well, not that I'm advocating doing this, but for TPM keys we actually
can. The binary content is recognisable even if it just contains a
TPM_KEY12 structure. The first two bytes are a fixed tag, the second
two must be zero and then we have a set of flags and length fields with
fairly restricted value ranges. The encrypted private key, authority
and hashes are at the end, so there's an effective and quite long
header at the beginning. For an RSA2048 key, the structure will always
be 559 bytes long as well.
However, to get back to the plan: you want an additional "do I
recognise this PEM" file callback instead of a "try this bio" one. I
can code that up and see what it looks like.
James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5100 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20161123/dfed90fb/attachment-0001.bin>
More information about the openssl-dev
mailing list