[openssl-users] Using a TPM to sign CSRs
William Roberts
bill.c.roberts at gmail.com
Sat Jul 28 21:10:09 UTC 2018
On Sat, Jul 28, 2018, 09:13 Devang Kubavat <digant.kubavat at gmail.com> wrote:
> Hi Kaarhik,
>
> Please refer https://github.com/ThomasHabets/openssl-tpm-engine. It is
> OpenSSL TPM Engine. It will help to offload all crypto operation to TPM.
>
Is this for tpm2.0?
> Regards,
> Devang.
>
> On Tue, Jul 24, 2018 at 4:48 PM, Kaarthik Sivakumar <kaarthik.sk at gmail.com
> > wrote:
>
>> Hello
>>
>> I need to create a key pair using a TPM (proprietary) and build a CSR and
>> sign it using it the TPM as well. Currently I dont have an engine interface
>> to talk to the TPM. I do the following:
>>
>> 1. generate key pair in the TPM. private key is kept private in the TPM
>> and public key can be obtained out of the TPM
>>
>> 2. use the public key to generate a CSR (X509_REQ_init(), etc)
>>
>> 3. Get the hash of the CSR (X509_REQ_digest())
>>
>> 4. Pass the digest to the TPM and get back signature
>>
>> 5. Add signature to the CSR - I dont see any way to do this. Is there an
>> openssl API to perform this step? I dont think I can use X509_REQ_sign()
>> since that will use the private key provided or if I have an engine
>> interface then it will call the engine to do the signing. Is there a way to
>> call sign() and make it call my function that can do the step 4 above?
>>
>> Thanks!
>>
>> -kaarthik-
>>
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180728/848239fa/attachment-0001.html>
More information about the openssl-users
mailing list