On Wed, 2016-12-14 at 06:58 -0800, James Bottomley wrote:
> > Hm, this seems odd. If something is stored in a file then exposing it
> > through PKCS#11 doesn't make sense at all. Do not attempt to use
> > PKCS#11 for any file access.
> OK, so the horse has already left the stable on that one with TPM
> enabling gnome-keyring for ssh keys because it exports *every* key over
> pkcs11.  Since it does, I thought I'd play about with it a bit to see
> how it would work.  The below is what I found out playing around.

I think we're talking about two different things. What I mean is that a
given application shall never have to deal with files and PKCS#11 for a
given single object. Like the nss-pem horridness, where we create an
object whose CKA_LABEL is the filename, and we want the soft token to
go and load that file.

You seem to be talking about software-based PKCS#11 tokens which happen
to use their *own* files behind the scenes, but all the *application*
ever knows about is sane PKCS#11 operations. That is absolutely fine.
There's plenty of examples of that — including SoftHSM, GNOME keyring,
and NSS's softokn.

And you'll note that none of those examples need extensions to the
PKCS#8 format to store arbitrary PKCS#11 attributes such as CKA_LABEL,
CKA_PRIVATE, CKA_APPLICATION or anything else. Because it's their own
database and they can do what they like; they don't have to store it in
a PKCS#8 or similar file.

The example you give with GNOME keyring doing SSH keys is a *different*
special case. There it's automatically discovering the files in a known
location (~/.ssh/id_*) and has to infer what it can from them, but
still it's only exposing them over PKCS#11 in a standard way. There's
none of the horridness for 'here, load *this* file into the token', is
there? You can do that with ssh-add perhaps, but that's mostly
orthogonal to what we're talking about here.

> So this is the actual problem: the TPM only stores private keys.  The
> public key thing (can be simple, cert or something more fancy) isn't
> known to it.  All pkcs11 searchers find the public key in the public
> objects and then look for the private key by id and label (this is what
> the standard recommends).

Which part of the standard are you referring to? It isn't really that
prescriptive about how you look things up, as far as I was aware.

>   The problem is that the label they use isn't
> going to be the UUID, so we need the private key to be labelled by what
> its public counterpart expects to use the TPM for arbitrary keys, like
> certificate private keys (or even gpg or ssh private keys).  The UUID
> thing works for stuff that expects separate private and public key
> descriptions, like gnutls and openssl, but not for anything that uses
> the full pkcs11 protocol (like netscape).

Right, you need a full software token for stuff like NSS. But didn't
you already do that in GNOME keyring? It stores the CKO_CERTIFICATE
objects just like it always did, and now it's capable of storing the
actual private key of a CKO_PRIVATE object in TSS-wrapped form, but the
other attributes are still stored in its database just as they always

And we could make SofTHSM and NSS support the same things.

None of *that* needs to touch on the PKCS#8 storage format at all. That
is *only* relevant to the case where the application is given a *file*
with the private key it's supposed to use, and there is no PKCS#11 in

All of the above is for *wrapped* keys, of course. Not keys stored
persistently in the TPM.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to