* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: David Woodhouse @ 2018-10-17 17:03 UTC
  To: tpm2


On Wed, 2018-10-17 at 16:09 +0000, Roberts, William C wrote:
> I wish I could fully appreciate what you're saying here. I don't know
> squat about
> PKCS#11 URIs or where or how you specify them.

Unless you're the type who'd prefer to read RFC7512, a suitable primer
might be http://www.infradead.org/openconnect/pkcs11.html — it talks
you through using URIs from the user point of view.

The point I was making about Fedora is that this stuff should mostly
JustWork™ there, which means you only have to get your head round how 

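A minimal RFC 7512 PKCS#11 URI parser, added here to show how a URI such as the thread's `pkcs11:token=label;id=%01` decodes (path attributes split on `;`, query attributes on `&`, `id` percent-decoded to raw CKA_ID bytes) and which attributes deserve a second look before they land in a config file. This is example code written for this page, not code from the thread, OpenSSL, GnuTLS, libp11 or tpm2-pkcs11; the module path and PIN in the sample URI are constructed placeholders.

```python
"""Parse RFC 7512 PKCS#11 URIs (example code, not from the thread or any project)."""
from urllib.parse import unquote_to_bytes

# Attribute names RFC 7512 assigns to the path (';'-separated) and query ('&'-separated).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the URI's attributes; 'id' is raw bytes (CKA_ID), everything else UTF-8 text."""
    # Simplification: vendor-specific attributes, which the RFC allows, are rejected here.
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for component, sep, allowed in ((path, ";", PATH_ATTRS), (query, "&", QUERY_ATTRS)):
        # Separators inside values must be percent-encoded, so split before decoding.
        for pair in filter(None, component.split(sep)):
            name, eq, value = pair.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"unexpected attribute {name!r}")
            if name in attrs:
                raise ValueError(f"duplicate attribute {name!r}")
            raw = unquote_to_bytes(value)  # "%01" -> b"\x01"
            attrs[name] = raw if name == "id" else raw.decode("utf-8")
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {attrs['type']!r}")
    return attrs


def uri_warnings(attrs: dict) -> list:
    """Things worth noticing before a URI goes into a config file or command line."""
    warnings = []
    if "pin-value" in attrs:
        warnings.append("pin-value puts the PIN in the URI itself, so it ends up in configs, "
                        "logs and process listings; prefer pin-source or an interactive prompt")
    if "id" not in attrs and "object" not in attrs:
        warnings.append("no id or object selector: a token holding several keys is ambiguous")
    if "type" not in attrs:
        warnings.append("no type: the same id usually names both the public and private object")
    return warnings
```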


* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: Roberts, William C @ 2018-10-17 16:09 UTC
  To: tpm2

> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2(a)infradead.org]
> Sent: Wednesday, October 17, 2018 8:56 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org; Fuchs,
> Andreas <andreas.fuchs(a)sit.fraunhofer.de>; Chetty, Jay
> <jay.chetty(a)intel.com>
> Subject: Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
> 
> On Wed, 2018-10-17 at 15:51 +0000, Roberts, William C wrote:
> > Oh duh, I forgot about that engine.
> >
> > + Jay who was working on stuff.
> >
> > FYI for others.
> > The engine is in P11 now:
> > https://github.com/OpenSC/libp11
> >
> > The engine is in this Ubuntu package:
> > apt-file search libpkcs11.so
> > libengine-pkcs11-openssl: /usr/lib/ssl/engines/libpkcs11.so
> 
> I'd strongly recommend doing this stuff on Fedora. Packaging guidelines
> there say that packages which use a key from a file SHOULD also JustWork™
> when given a PKCS#11 URI (be it by invoking the engine, or the native
> GnuTLS support for PKCS#11, etc.).

I wish I could fully appreciate what you're saying here. I don't know squat about
PKCS#11 URIs or where or how you specify them.

> 
> That way you can mostly focus on your own code, not other things that
> just aren't set up right.



* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: David Woodhouse @ 2018-10-17 15:56 UTC
  To: tpm2


On Wed, 2018-10-17 at 15:51 +0000, Roberts, William C wrote:
> Oh duh, I forgot about that engine.
> 
> + Jay who was working on stuff.
> 
> FYI for others.
> The engine is in P11 now:
> https://github.com/OpenSC/libp11
> 
> The engine is in this Ubuntu package:
> apt-file search libpkcs11.so
> libengine-pkcs11-openssl: /usr/lib/ssl/engines/libpkcs11.so

I'd strongly recommend doing this stuff on Fedora. Packaging guidelines
there say that packages which use a key from a file SHOULD also JustWork™
when given a PKCS#11 URI (be it by invoking the engine, or the native
GnuTLS support for PKCS#11, etc.).

That way you can mostly focus on your own code, not other things that
just aren't set up right.




* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: Roberts, William C @ 2018-10-17 15:51 UTC
  To: tpm2

> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2(a)infradead.org]
> Sent: Tuesday, October 16, 2018 3:19 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org; Fuchs,
> Andreas <andreas.fuchs(a)sit.fraunhofer.de>
> Subject: Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
> 
> On Tue, 2018-10-16 at 21:22 +0000, Roberts, William C wrote:
> > Use case:
> > Create a certificate or CSR with tpm2-tss-engine for adding a
> > certificate to the PKCS11 engine.
> 
> I don't quite understand this. If you have the key in the PKCS#11 token
> and you want to generate a CSR, why wouldn't you just use that with the
> OpenSSL PKCS#11 engine? e.g.
> 
> $ openssl req -engine pkcs11 -keyform engine -key 'pkcs11:token=label;id=%01'

Oh duh, I forgot about that engine.

+ Jay who was working on stuff.

FYI for others.
The engine is in P11 now:
https://github.com/OpenSC/libp11

The engine is in this Ubuntu package:
apt-file search libpkcs11.so
libengine-pkcs11-openssl: /usr/lib/ssl/engines/libpkcs11.so

> 
> Or with GnuTLS instead perhaps, since it has built-in PKCS#11 support
> and you don't have to muck around with those horrid OpenSSL engines at
> all :)
> 
> $ certtool --generate-request --load-privkey 'pkcs11:token=label;id=%01'
> 
> 
> But hey, it would be great for these things to be interoperable, and
> for it to be possible to export a key from your PKCS#11 provider to the
> PEM format so that it can be used with the engine — or perhaps more
> usefully, import a PEM key created with the engine into the PKCS#11
> token. Don't let me dissuade you from doing that!
> 
> For reading/writing the PEM files you can look at tpm2tss_data_write()
> and tpm2tss_data_read() in tpm2-tss-engine-common.c:
> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-common.c
> 
> 



* Re: [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: David Woodhouse @ 2018-10-16 22:18 UTC
  To: tpm2


On Tue, 2018-10-16 at 21:22 +0000, Roberts, William C wrote:
> Use case:
> Create a certificate or CSR with tpm2-tss-engine for adding a
> certificate to the PKCS11 engine.

I don't quite understand this. If you have the key in the PKCS#11 token
and you want to generate a CSR, why wouldn't you just use that with the
OpenSSL PKCS#11 engine? e.g. 

$ openssl req -engine pkcs11 -keyform engine -key 'pkcs11:token=label;id=%01'

Or with GnuTLS instead perhaps, since it has built-in PKCS#11 support
and you don't have to muck around with those horrid OpenSSL engines at
all :)

$ certtool --generate-request --load-privkey 'pkcs11:token=label;id=%01'


But hey, it would be great for these things to be interoperable, and
for it to be possible to export a key from your PKCS#11 provider to the
PEM format so that it can be used with the engine — or perhaps more
usefully, import a PEM key created with the engine into the PKCS#11
token. Don't let me dissuade you from doing that!

For reading/writing the PEM files you can look at tpm2tss_data_write()
and tpm2tss_data_read() in tpm2-tss-engine-common.c:
https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-common.c






* [tpm2] tpm2-tss-engine key compatibility with tpm2-pkcs11
From: Roberts, William C @ 2018-10-16 21:22 UTC
  To: tpm2


Use case:
Create a certificate or CSR with tpm2-tss-engine for adding a certificate to the PKCS11 engine.

Environment:
The key already exists generated outside of the tpm2-tss-engine code, the child key is loaded and requires an auth value.

Discussion:
It looks as though the discussion around the PEM format on the wiki page has some of the support, but there is no tool I see to take in the information and perhaps spit out a PEM file for usage. Are there examples on how to do that, or do we have to create a tool for this?


