Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, Jan 02, 2017 at 08:50:24AM -0800, James Bottomley wrote:
> On Mon, 2017-01-02 at 17:38 +0100, Kurt Roeckx wrote:
> > On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> > > This patch adds RSA signing for TPM2 keys. There's a limitation to
> > > the way TPM2 does signing: it must recognise the OID for the
> > > signature. That fails for the MD5-SHA1 signatures of the TLS/SSL
> > > certificate verification protocol, so I'm using RSA_Decrypt for
> > > both signing (encryption) and decryption ... meaning that this only
> > > works with TPM decryption keys. It is possible to use the prior
> > > code, which preserved the distinction of signing and decryption
> > > keys, but only at the expense of not being able to support SSL or
> > > TLS lower than 1.2.
> >
> > Please submit patches via github.
>
> Um, that's not really possible given that openssl_tpm_engine is a
> sourceforge project.

I obviously didn't look at it and assumed it was for openssl, not some other project.

Kurt

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
> Really, how? By pull request, you mean one against the openssl github
> account so people subscribing to that account see it, I presume? For that to
> happen, the tree the patch is against must actually exist within the account,
> which this one doesn't.

You clone the openssl git repo, create your own branch off master, apply the diffs you are mailing to the list, and commit/push and then make a PR. Yes, it's a bit of work for you. But it then becomes near-zero work for anyone on openssl to look at it.

> This patch is mostly FYI, so yes, I do given that multiple mailing lists have
> some interest.

It's all about trade-offs. Multiple people have said multiple times that PRs are the best way to work with OpenSSL. If those other groups, individually or collectively, are higher on your priority list, that's fine. But do understand what's going on.

> I'm still waiting on a reply ... I assume holidays are contributing to the
> delay.
>
> However, openssl_tpm_engine is a DCO project, so that concern is irrelevant
> here.

Sorry, I'll push to get the bylaws made public, is that what you need? And no, it's not irrelevant. If this is ever going to appear in OpenSSL, a CLA must be signed.
Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, 2017-01-02 at 17:53 +, Salz, Rich wrote:
> > Um, that's not really possible given that openssl_tpm_engine is a
> > sourceforge project.
>
> Sure it is.

Really, how? By pull request, you mean one against the openssl github account so people subscribing to that account see it, I presume? For that to happen, the tree the patch is against must actually exist within the account, which this one doesn't.

> You just find it easier to email patches.

This patch is mostly FYI, so yes, I do given that multiple mailing lists have some interest.

> This is now the second time you’ve been asked.
>
> And also, you had concerns about the CLA before. Have they been
> resolved? If not you should probably stop.

I'm still waiting on a reply ... I assume holidays are contributing to the delay.

However, openssl_tpm_engine is a DCO project, so that concern is irrelevant here.

James
Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
> Um, that's not really possible given that openssl_tpm_engine is a
> sourceforge project.

Sure it is. You just find it easier to email patches. This is now the second time you’ve been asked.

And also, you had concerns about the CLA before. Have they been resolved? If not you should probably stop.
Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, 2017-01-02 at 17:38 +0100, Kurt Roeckx wrote:
> On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> > This patch adds RSA signing for TPM2 keys. There's a limitation to
> > the way TPM2 does signing: it must recognise the OID for the
> > signature. That fails for the MD5-SHA1 signatures of the TLS/SSL
> > certificate verification protocol, so I'm using RSA_Decrypt for
> > both signing (encryption) and decryption ... meaning that this only
> > works with TPM decryption keys. It is possible to use the prior
> > code, which preserved the distinction of signing and decryption
> > keys, but only at the expense of not being able to support SSL or
> > TLS lower than 1.2.
>
> Please submit patches via github.

Um, that's not really possible given that openssl_tpm_engine is a sourceforge project.

James
Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> This patch adds RSA signing for TPM2 keys. There's a limitation to the
> way TPM2 does signing: it must recognise the OID for the signature.
> That fails for the MD5-SHA1 signatures of the TLS/SSL certificate
> verification protocol, so I'm using RSA_Decrypt for both signing
> (encryption) and decryption ... meaning that this only works with TPM
> decryption keys. It is possible to use the prior code, which preserved
> the distinction of signing and decryption keys, but only at the expense
> of not being able to support SSL or TLS lower than 1.2.

Please submit patches via github.

Kurt
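The limitation James describes in the quoted patch description is worth seeing concretely: a signing scheme that must recognise a hash OID has nothing to recognise in the 36-byte MD5||SHA1 block that TLS 1.0/1.1 CertificateVerify signs, whereas a TLS 1.2 style SHA-256 block carries a DER DigestInfo with the OID in front. The workaround is to build the PKCS#1 v1.5 padding in software and hand the padded block to the raw private-key ("decrypt") operation, which never looks inside it. The following is an added example written for this thread, not code from openssl_tpm_engine or OpenSSL: the TPM is simulated in Python (the OID check is a simplification of the real scheme handling, an assumption here), and the key is constructed from two Mersenne primes purely so the example runs offline and deterministically; it is not a secure key.

```python
"""Why an OID-checking signing scheme rejects TLS 1.0/1.1 CertificateVerify
blocks, and how padding in software plus a raw RSA private-key operation
(the RSA_Decrypt path described in the thread) works around it.

Added example for this thread, not code from openssl_tpm_engine or OpenSSL.
The TPM is simulated in Python; the key is CONSTRUCTED from two Mersenne
primes so the example runs offline and deterministically. It is not secure.
"""
import hashlib

# Constructed demo key (Mersenne primes: trivially factorable, demo only).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (141 here)

# DER DigestInfo prefixes (RFC 8017, section 9.2 note) that the simulated
# TPM signing scheme recognises. Anything else is refused.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}


def emsa_pkcs1_v15(t: bytes, k: int = K) -> bytes:
    """EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xff) || 0x00 || T."""
    if len(t) > k - 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def tls_md5_sha1_digest(msg: bytes) -> bytes:
    """TLS <= 1.1 signs MD5(m) || SHA1(m): 36 bytes, no DigestInfo, no OID."""
    return hashlib.md5(msg).digest() + hashlib.sha1(msg).digest()


def sha256_digest_info(msg: bytes) -> bytes:
    """TLS 1.2 style: DigestInfo(SHA-256) || SHA256(m), 51 bytes, OID present."""
    return DIGEST_INFO["sha256"] + hashlib.sha256(msg).digest()


def raw_rsa_private(em: bytes) -> bytes:
    """Raw private-key operation over an already-padded block, i.e. what an
    RSA decrypt with no scheme applied does; the caller supplies the padding."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def raw_rsa_public(sig: bytes) -> bytes:
    """Raw public-key operation; recovers EM from a signature."""
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")


def recognised_scheme(t: bytes) -> bool:
    """True if T starts with a known DigestInfo and has the matching length."""
    return any(
        t.startswith(prefix)
        and len(t) == len(prefix) + hashlib.new(name).digest_size
        for name, prefix in DIGEST_INFO.items()
    )


def tpm_sign(t: bytes) -> bytes:
    """Simulated TPM signing path: it must recognise the hash OID in T
    before it pads and signs, so the bare MD5||SHA1 block is rejected."""
    if not recognised_scheme(t):
        raise ValueError("unrecognised digest OID; signing scheme refused")
    return raw_rsa_private(emsa_pkcs1_v15(t))


def sign_via_decrypt(t: bytes) -> bytes:
    """The workaround from the thread: pad in software, then hand the padded
    block to the raw private-key (decrypt) operation, which never inspects T.
    This only works with a key whose usage permits decryption."""
    return raw_rsa_private(emsa_pkcs1_v15(t))


def verify(t: bytes, sig: bytes) -> bool:
    """PKCS#1 v1.5 verification: recover EM and compare the whole block."""
    return raw_rsa_public(sig) == emsa_pkcs1_v15(t)


if __name__ == "__main__":
    msg = b"constructed handshake transcript"  # constructed sample input
    t_old = tls_md5_sha1_digest(msg)
    print("TLS<=1.1 block accepted by OID-checking scheme:", recognised_scheme(t_old))
    print("TLS<=1.1 block verifies via decrypt path:", verify(t_old, sign_via_decrypt(t_old)))
    t_new = sha256_digest_info(msg)
    print("SHA-256 DigestInfo block signs via scheme:", verify(t_new, tpm_sign(t_new)))
```

Because the raw private-key operation sees only an opaque padded block, the TPM can no longer tell a signature from a decryption; that is why the thread says this path only works with decryption keys, and it also means the key's usage attributes and authorization policy, rather than any scheme check, are what bound what the key will sign.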