Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops

From: Denis Kenzior
Date: Tue Sep 18 2018 - 12:28:42 EST
Hi David,

On 09/18/2018 11:17 AM, David Woodhouse wrote:
> On Tue, 2018-09-18 at 00:24 -0500, Denis Kenzior wrote:
> > Hi David,
> >
> > On 09/18/2018 10:50 AM, David Howells wrote:
> > > Denis Kenzior <denkenz@xxxxxxxxx> wrote:
> > >
> > > > openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
> > > > -out /tmp/privkey.2048.der
> > >
> > > You can use "... -out - | ..." instead.
> >
> > Aha! Okay, that is even more elegant. Your openssl-fu is better than
> > mine :)
>
> 'grep -v ^----- | base64 -d' also works most of the time :)
>
> You are passing the raw DER to the kernel in both cases, right? And the
> kernel just happens to know that if it receives a bare OCTET-STRING
> it's supposed to treat it as a TPMv1.2 key?

Short answer: right.

Long answer: The kernel runs all the registered parsers until all fail or one of them recognizes the format. All the currently supported asymmetric key formats are DER-based, e.g. PKCS8, PKCS7, TPM-1.2, etc. All these have a very specific DER structure, with TPM-1.2 being the simplest format.

Regards,
-Denis
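The parser-trial loop Denis describes, modelled in C as an added example. This is not kernel code and not part of the thread: the kernel's real PKCS#8, PKCS#7 and TPM parsers check far more than the outer structure, and the parser names, the registration order and the sample blobs below are all constructed for illustration. The point it shows is that a bare OCTET STRING is accepted only because no earlier parser claimed it, and that every parser must bounds-check lengths and reject trailing bytes before saying "yes".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_INTEGER      0x02
#define TAG_OCTET_STRING 0x04
#define TAG_OID          0x06
#define TAG_SEQUENCE     0x30

struct der_tlv { uint8_t tag; size_t hdr_len, len; const uint8_t *value; };

/* Decode the DER TLV header at data[0..size). Fails on a truncated header, an
 * indefinite or oversized length, or a declared length that overruns the buffer. */
static int der_read_tlv(const uint8_t *data, size_t size, struct der_tlv *out)
{
    size_t pos = 0, len = 0;
    if (size < 2) return -1;
    out->tag = data[pos++];
    uint8_t b = data[pos++];
    if (b < 0x80) {
        len = b;                                /* short form */
    } else {
        size_t n = b & 0x7f;                    /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || n > size - pos) return -1;
        for (size_t i = 0; i < n; i++) len = (len << 8) | data[pos++];
    }
    if (len > size - pos) return -1;            /* value would run past the blob */
    out->hdr_len = pos; out->len = len; out->value = data + pos;
    return 0;
}

/* The outermost TLV must cover the whole blob: trailing bytes are rejected. */
static int der_outer(const uint8_t *data, size_t size, struct der_tlv *tlv)
{
    if (der_read_tlv(data, size, tlv) < 0) return -1;
    return (tlv->hdr_len + tlv->len == size) ? 0 : -1;
}

/* TPM-1.2 wrapped key: the whole blob is one bare OCTET STRING. */
static int parse_tpm12(const uint8_t *data, size_t size)
{
    struct der_tlv t;
    if (der_outer(data, size, &t) < 0) return -1;
    return (t.tag == TAG_OCTET_STRING && t.len > 0) ? 0 : -1;
}

/* PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE algorithm, ... }. */
static int parse_pkcs8(const uint8_t *data, size_t size)
{
    struct der_tlv outer, ver, alg;
    if (der_outer(data, size, &outer) < 0 || outer.tag != TAG_SEQUENCE) return -1;
    if (der_read_tlv(outer.value, outer.len, &ver) < 0 || ver.tag != TAG_INTEGER) return -1;
    size_t used = ver.hdr_len + ver.len;        /* bounded by the check in der_read_tlv */
    if (der_read_tlv(outer.value + used, outer.len - used, &alg) < 0) return -1;
    return (alg.tag == TAG_SEQUENCE) ? 0 : -1;
}

/* PKCS#7 ContentInfo: SEQUENCE { OID contentType, ... }; only signedData is accepted. */
static const uint8_t OID_SIGNED_DATA[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };
static int parse_pkcs7(const uint8_t *data, size_t size)
{
    struct der_tlv outer, oid;
    if (der_outer(data, size, &outer) < 0 || outer.tag != TAG_SEQUENCE) return -1;
    if (der_read_tlv(outer.value, outer.len, &oid) < 0 || oid.tag != TAG_OID) return -1;
    if (oid.len != sizeof(OID_SIGNED_DATA)) return -1;
    return memcmp(oid.value, OID_SIGNED_DATA, oid.len) == 0 ? 0 : -1;
}

struct key_parser { const char *name; int (*parse)(const uint8_t *, size_t); };
/* Registration order is trial order: the first parser to accept wins. */
static const struct key_parser parsers[] = {
    { "pkcs8", parse_pkcs8 }, { "pkcs7", parse_pkcs7 }, { "tpm12", parse_tpm12 },
};

/* The "run every registered parser until one accepts" loop. Returns the
 * accepting parser's name, or NULL when all of them fail. */
const char *identify_key_format(const uint8_t *data, size_t size)
{
    for (size_t i = 0; i < sizeof(parsers) / sizeof(parsers[0]); i++)
        if (parsers[i].parse(data, size) == 0) return parsers[i].name;
    return NULL;
}

/* Constructed sample blobs: DER structure only, no real key material. */
static const uint8_t SAMPLE_TPM12[] = { 0x04, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t SAMPLE_PKCS8[] = { 0x30, 0x07, 0x02, 0x01, 0x00, 0x30, 0x02, 0x05, 0x00 };
static const uint8_t SAMPLE_PKCS7[] = { 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };
static const uint8_t SAMPLE_TRUNC[] = { 0x04, 0x10, 0x01 };         /* claims 16 bytes, carries 1 */
static const uint8_t SAMPLE_TRAIL[] = { 0x04, 0x01, 0xaa, 0xbb };   /* a junk byte after the value */

int main(void)
{
    const uint8_t *blobs[] = { SAMPLE_TPM12, SAMPLE_PKCS8, SAMPLE_PKCS7, SAMPLE_TRUNC, SAMPLE_TRAIL };
    const size_t lens[] = { sizeof SAMPLE_TPM12, sizeof SAMPLE_PKCS8, sizeof SAMPLE_PKCS7, sizeof SAMPLE_TRUNC, sizeof SAMPLE_TRAIL };
    for (size_t i = 0; i < 5; i++) {
        const char *fmt = identify_key_format(blobs[i], lens[i]);
        printf("blob %zu -> %s\n", i, fmt ? fmt : "unrecognised");
    }
    return 0;
}
```

Two design points worth noting. First, because the dispatcher stops at the first acceptance, the distinguishing check each parser makes must be specific enough that a blob of one format is never claimed by the parser of another; the bare OCTET STRING works as a TPM-1.2 discriminator only because the other DER formats all start with a SEQUENCE. Second, `der_outer` insists that the outer TLV spans the entire payload, so a truncated length or appended junk makes every parser fail rather than silently being parsed up to where the structure ends.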