On Fri, 2018-10-05 at 09:44 +0000, Fuchs, Andreas wrote:
> Hi James, Hi David,
>
> I put together a Wiki-Page with the most relevant information at
> https://github.com/tpm2-software/tpm2-tss-engine/wiki/Key-templates-and-on-disk-format
> Also including things like nameAlg for the primary key and such,
> since maybe that's where we are differing right now.
>
> There are a bunch of ??? about the tss2-engine where I'd need input from you.

My GnuTLS code mostly follows tpm2-tss-engine here, except for the different objectAttributes when generating the parent key. That differs in the NODA, FIXEDTPM and FIXEDPARENT flags, as discussed — and I follow James's version here so that I can actually test VPN connections with a valid key (which I have on disk, and has to be wrapped). Every other part of the default parent key generation is the same between the engines. It's only the objectAttributes I had to change.

I'm not sure you have the 'Parent key is 0x81000001 if it exists' part right. The parent key is encoded in the PEM ASN.1. If it matches 0x81xxxxxx, it's used as a key handle directly. If not, it identifies the hierarchy under which the EC primary key is generated. James's version defaults to TPM_RH_OWNER, but I think other hierarchies can be specified.