* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: David Woodhouse @ 2018-10-17 17:03 UTC
To: tpm2
On Wed, 2018-10-17 at 16:09 +0000, Roberts, William C wrote:
> I wish I could fully appreciate what you're saying here. I don't know
> squat about
> PKCS#11 URIs or where or how you specify them.
Unless you're the type who'd prefer to read RFC7512, a suitable primer
might be http://www.infradead.org/openconnect/pkcs11.html — it talks
you through using URIs from the user point of view.
The point I was making about Fedora is that this stuff should mostly
JustWork™ there, which means you only have to get your head round how
* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: Roberts, William C @ 2018-10-17 16:09 UTC
To: tpm2
> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2(a)infradead.org]
> Sent: Wednesday, October 17, 2018 8:56 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org; Fuchs,
> Andreas <andreas.fuchs(a)sit.fraunhofer.de>; Chetty, Jay
> <jay.chetty(a)intel.com>
> Subject: Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
>
> On Wed, 2018-10-17 at 15:51 +0000, Roberts, William C wrote:
> > Oh duh, I forgot about that engine.
> >
> > + Jay who was working on stuff.
> >
> > FYI for others.
> > The engine is in P11 now:
> > https://github.com/OpenSC/libp11
> >
> > The engine is in this Ubuntu package:
> > apt-file search libpkcs11.so
> > libengine-pkcs11-openssl: /usr/lib/ssl/engines/libpkcs11.so
>
> I'd strongly recommend doing this stuff on Fedora. Packaging guidelines
> there say that packages which use key from a file SHOULD also JustWork™
> when given a PKCS#11 URI (be it by invoking the engine, or the native
> GnuTLS support for PKCS#11, etc.).
I wish I could fully appreciate what you're saying here. I don't know squat about
PKCS#11 URIs or where or how you specify them.
>
> That way you can mostly focus on your own code, not other things that
> just aren't set up right.
* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: David Woodhouse @ 2018-10-17 15:56 UTC
To: tpm2
On Wed, 2018-10-17 at 15:51 +0000, Roberts, William C wrote:
> Oh duh, I forgot about that engine.
>
> + Jay who was working on stuff.
>
> FYI for others.
> The engine is in P11 now:
> https://github.com/OpenSC/libp11
>
> The engine is in this Ubuntu package:
> apt-file search libpkcs11.so
> libengine-pkcs11-openssl: /usr/lib/ssl/engines/libpkcs11.so
I'd strongly recommend doing this stuff on Fedora. Packaging guidelines
there say that packages which use key from a file SHOULD also JustWork™
when given a PKCS#11 URI (be it by invoking the engine, or the native
GnuTLS support for PKCS#11, etc.).
That way you can mostly focus on your own code, not other things that
just aren't set up right.
* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: Roberts, William C @ 2018-10-17 15:51 UTC
To: tpm2
> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2(a)infradead.org]
> Sent: Tuesday, October 16, 2018 3:19 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org; Fuchs,
> Andreas <andreas.fuchs(a)sit.fraunhofer.de>
> Subject: Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
>
> On Tue, 2018-10-16 at 21:22 +0000, Roberts, William C wrote:
> > Use case:
> > Create a certificate or CSR with tpm2-tss-engine for adding a
> > certificate to the PKCS11 engine.
>
> I don't quite understand this. If you have the key in the PKCS#11 token
> and you want to generate a CSR, why wouldn't you just use that with the
> OpenSSL PKCS#11 engine? e.g.
>
> $ openssl req -engine pkcs11 -keyform engine -key 'pkcs11:token=label;id=%01'
Oh duh, I forgot about that engine.
+ Jay who was working on stuff.
FYI for others.
The engine is in P11 now:
https://github.com/OpenSC/libp11
The engine is in this Ubuntu package:
apt-file search libpkcs11.so
libengine-pkcs11-openssl: /usr/lib/ssl/engines/libpkcs11.so
>
> Or with GnuTLS instead perhaps, since it has built-in PKCS#11 support
> and you don't have to muck around with those horrid OpenSSL engines at
> all :)
>
> $ certtool --generate-request --load-privkey 'pkcs11:token=label;id=%01'
>
>
> But hey, it would be great for these things to be interoperable, and
> for it to be possible to export a key from your PKCS#11 provider to the
> PEM format so that it can be used with the engine — or perhaps more
> usefully, import a PEM key created with the engine into the PKCS#11
> token. Don't let me dissuade you from doing that!
>
> For reading/writing the PEM files you can look at tpm2tss_data_write()
> and tpm2tss_data_read() in tpm2-tss-engine-common.c:
> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-common.c
>
>
* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: David Woodhouse @ 2018-10-16 22:18 UTC
To: tpm2
On Tue, 2018-10-16 at 21:22 +0000, Roberts, William C wrote:
> Use case:
> Create a certificate or CSR with tpm2-tss-engine for adding a
> certificate to the PKCS11 engine.
I don't quite understand this. If you have the key in the PKCS#11 token
and you want to generate a CSR, why wouldn't you just use that with the
OpenSSL PKCS#11 engine? e.g.
$ openssl req -engine pkcs11 -keyform engine -key 'pkcs11:token=label;id=%01'
Or with GnuTLS instead perhaps, since it has built-in PKCS#11 support
and you don't have to muck around with those horrid OpenSSL engines at
all :)
$ certtool --generate-request --load-privkey 'pkcs11:token=label;id=%01'
But hey, it would be great for these things to be interoperable, and
for it to be possible to export a key from your PKCS#11 provider to the
PEM format so that it can be used with the engine — or perhaps more
usefully, import a PEM key created with the engine into the PKCS#11
token. Don't let me dissuade you from doing that!
For reading/writing the PEM files you can look at tpm2tss_data_write()
and tpm2tss_data_read() in tpm2-tss-engine-common.c:
https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-common.c
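The `pkcs11:token=label;id=%01` URIs in the message above (and the pointer to RFC 7512 in David's later reply) assume the reader knows how such a URI is decoded and what it selects. The following Python is an added example, not code from this thread, from tpm2-tss-engine, libp11 or OpenSC: it parses a PKCS#11 URI as RFC 7512 defines it (path attributes separated by `;`, query attributes after `?` separated by `&`, percent-decoding of values, with `id` kept as bytes because CKA_ID is binary) and then applies the parsed URI as a filter over a constructed list of token objects. The token label "label", the object names and the CKA_ID values in `SAMPLE_OBJECTS` are made up for the demonstration.

```python
"""RFC 7512 PKCS#11 URI parser and object matcher.

Added example for this thread; not code from tpm2-tss-engine, libp11 or
OpenSC.  Shows what pkcs11:token=label;id=%01 decodes to and why a URI
is a filter over a token's objects rather than a handle to one object.
"""
from urllib.parse import unquote, unquote_to_bytes

# Standard attribute names from RFC 7512.  Path attributes (before '?')
# describe the library/slot/token/object; query attributes (after '?')
# tell the consumer how to reach it (module, PIN).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class PKCS11URIError(ValueError):
    """Raised for a malformed PKCS#11 URI."""


def _parse_attrs(section, sep, known):
    """Split 'a=b<sep>c=d' into a dict, percent-decoding each value.

    'id' decodes to bytes (CKA_ID is an opaque byte string); every other
    value decodes to str.  A standard attribute may appear only once;
    names outside the standard set are kept verbatim as vendor-specific.
    """
    attrs = {}
    if section == "":
        return attrs
    for item in section.split(sep):
        name, eq, raw = item.partition("=")
        if eq == "" or name == "":
            raise PKCS11URIError(f"malformed attribute {item!r}")
        if name in known and name in attrs:
            raise PKCS11URIError(f"duplicate attribute {name!r}")
        if name == "id":
            attrs[name] = unquote_to_bytes(raw)
        else:
            attrs[name] = unquote(raw, errors="strict")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a 'pkcs11:' URI."""
    if not uri.startswith("pkcs11:"):
        raise PKCS11URIError("scheme must be 'pkcs11:'")
    body = uri[len("pkcs11:"):]
    path_part, _, query_part = body.partition("?")
    path = _parse_attrs(path_part, ";", PATH_ATTRS)
    query = _parse_attrs(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise PKCS11URIError(f"unknown object type {path['type']!r}")
    # A query attribute on the path side (or the reverse) is a grammar error.
    misplaced = (set(path) & QUERY_ATTRS) | (set(query) & PATH_ATTRS)
    if misplaced:
        raise PKCS11URIError(f"attribute on wrong side of '?': {sorted(misplaced)}")
    return path, query


def is_well_formed(uri):
    """True when the URI parses under the rules above."""
    try:
        parse_pkcs11_uri(uri)
    except PKCS11URIError:
        return False
    return True


def select_objects(uri, objects):
    """Filter object dicts by the URI's path attributes.

    An object matches only when every path attribute in the URI equals
    the object's value.  A sparse URI therefore matches several objects;
    a consumer must treat that as ambiguous, not pick the first hit.
    """
    path, _ = parse_pkcs11_uri(uri)
    return [o for o in objects if all(o.get(k) == v for k, v in path.items())]


# Constructed token contents for the demonstration (not real token data).
# A key pair shares one CKA_ID, as PKCS#11 applications normally arrange.
SAMPLE_OBJECTS = [
    {"token": "label", "id": b"\x01", "object": "rsa-key", "type": "private"},
    {"token": "label", "id": b"\x01", "object": "rsa-key", "type": "public"},
    {"token": "label", "id": b"\x02", "object": "ecc-key", "type": "private"},
    {"token": "other", "id": b"\x01", "object": "rsa-key", "type": "private"},
]

if __name__ == "__main__":
    for u in ("pkcs11:token=label",
              "pkcs11:token=label;id=%01",
              "pkcs11:token=label;id=%01;type=private"):
        print(u, "->", [o["object"] + "/" + o["type"] for o in select_objects(u, SAMPLE_OBJECTS)])
```

The filter makes the practical point: `pkcs11:token=label;id=%01` matches both halves of a key pair, because they share a CKA_ID. A consumer that is looking for a private key specifically, as the OpenSSL engine's private-key lookup does, narrows that itself; any other consumer should add `type=private` (or `object=` together with `type=`) and refuse an ambiguous match. Keep `pin-value=` out of URIs that land on a command line or in a log; RFC 7512's security considerations warn about it, and `pin-source=` is the safer form.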
* [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: Roberts, William C @ 2018-10-16 21:22 UTC
To: tpm2
Use case:
Create a certificate or CSR with tpm2-tss-engine for adding a certificate to the PKCS11 engine.
Environment:
The key already exists, generated outside of the tpm2-tss-engine code; the child key is loaded and requires an auth value.
Discussion:
It looks as though the discussion around the PEM format on the wiki page has some of the support, but there is no tool I see to take
in the information and perhaps spit out a PEM file for usage. Are there examples on how to do that, or do we have to create a tool for this?