Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops

From: David Woodhouse
Date: Tue Sep 18 2018 - 03:00:04 EST

On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
> Example usage for a PKCS#8 blob:
> ÂÂÂÂÂÂÂÂj=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
> ÂÂÂÂÂÂÂÂÂÂÂ keyctl padd asymmetric foo @s`
> Example usage for a TPM wrapped blob:
> ÂÂÂÂÂÂÂÂopenssl genrsa -out /tmp/ 2048
> ÂÂÂÂÂÂÂÂcreate_tpm_key -s 2048 -w /tmp/ /tmp/
> ÂÂÂÂÂÂÂÂj=`openssl asn1parse -inform pem -in /tmp/ -noout |
> ÂÂÂÂÂÂÂÂÂÂÂ keyctl padd asymmetric foo @s`

Those examples aren't equivalent. For the PKCS#8 blob you are first
using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
DER, presumably because you haven't added decryption support (or base64
decode) to keyctl yet.

For the TPM example though, you are also showing the *generation* of
the key, and importing it into the TPM. And then I'm confused by the
'openssl asn1parse' line there... what is that actually doing? If I run
it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
no output at all.

Attachment: smime.p7s
Description: S/MIME cryptographic signature