On 5 December 2013 17:19, Nikos Mavrogiannopoulos <[email protected]> wrote:
>> Do you mean libopencryptoki.so? I've deliberately chosen not to use
>> that one for various reasons.
> Would you mind sharing them?
They're on http://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly

* It generates at least some keys in software.
* It generates migratable keys. This is hardcoded, and some people obviously want migratable keys (for backup purposes). So a fix would have to involve supporting both.
* Opencryptoki has no way to send such parameters from the command line key generator to the PKCS11 library. So not only would I have to implement the setting, but the whole settings subsystem.
* The code is big, because it supports a lot of features. Features I don't need or want. They get in the way of me as a user, and of me fixing the other issues.
* The code is of pretty poor quality.

So it seems that I could use gnutls as a layer between libtspi and my PKCS#11 provider, adding nice things like a standard tool for generating keys (tpmtool) into a standard format. It would add a dependency though, especially since e.g. Debian doesn't have a new enough gnutls.

-- 
typedef struct me_s {
  char name[] = { "Thomas Habets" };
  char email[] = { "[email protected]" };
  char kernel[] = { "Linux" };
  char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
