Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops

From: David Woodhouse
Date: Tue Sep 18 2018 - 03:00:04 EST


On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>
> Example usage for a PKCS#8 blob:
>
>         j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
>             keyctl padd asymmetric foo @s`
>
> Example usage for a TPM wrapped blob:
>
>         openssl genrsa -out /tmp/privkey.foo.pem 2048
>         create_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
>         j=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
>             keyctl padd asymmetric foo @s`

Those examples aren't equivalent. For the PKCS#8 blob you are first
using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
DER, presumably because you haven't added decryption support (or base64
decode) to keyctl yet.

For the TPM example though, you are also showing the *generation* of
the key, and importing it into the TPM. And then I'm confused by the
'openssl asn1parse' line there... what is that actually doing? If I run
it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
no output at all.
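As an added example (not from this thread or the patch set under discussion): a small Python helper that does the step the TPM example's `openssl asn1parse ... -noout` cannot, namely turning a PEM-armored blob (a PKCS#8 `PRIVATE KEY` or the `TSS KEY BLOB` that create_tpm_key writes) into the raw DER bytes `keyctl padd asymmetric` expects on stdin, and refusing an empty or mis-framed payload before it reaches the keyring. The sample blob is constructed and is not a real key.

```python
import base64
import re

# Constructed sample: a tiny DER SEQUENCE (not a real key) wrapped in the
# "TSS KEY BLOB" armor that create_tpm_key emits, to exercise the decoder offline.
SAMPLE_TSS_PEM = (
    "-----BEGIN TSS KEY BLOB-----\n"
    + base64.encodebytes(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()
    + "-----END TSS KEY BLOB-----\n"
)

# Labels the two usage examples above deal with (assumption: nothing else is fed to keyctl).
ACCEPTED_LABELS = {"PRIVATE KEY", "TSS KEY BLOB"}


def pem_to_der(pem_text):
    """Strip PEM armor and base64-decode the body to DER.

    Returns (label, der_bytes). Raises ValueError if the armor is missing, the
    label is not one we accept, or the payload is not a single DER SEQUENCE whose
    encoded length matches the data. An empty payload (what 'asn1parse -noout'
    would pipe) fails here instead of being added as an empty key.
    """
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM armor found")
    label, body = m.group(1), m.group(2)
    if label not in ACCEPTED_LABELS:
        raise ValueError("unexpected PEM label: %s" % label)
    der = base64.b64decode("".join(body.split()), validate=True)
    # Outer DER SEQUENCE: tag 0x30, then a short-form or long-form length.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    if hdr + length != len(der):
        raise ValueError("DER length %d does not match payload %d" % (hdr + length, len(der)))
    return label, der


def loadable(pem_text):
    """True if pem_to_der() would hand keyctl a well-framed DER payload."""
    try:
        pem_to_der(pem_text)
        return True
    except ValueError:
        return False
```

Piping `sys.stdout.buffer.write(pem_to_der(open(path).read())[1])` into `keyctl padd asymmetric foo @s` replaces the asn1parse step in the TPM example.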
