Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Fri, 2016-11-25 at 08:54 +0100, Nikos Mavrogiannopoulos wrote: > On Thu, Nov 24, 2016 at 4:33 PM, David Woodhouse wrote: > > On Thu, 2016-11-24 at 14:26 +0100, Nikos Mavrogiannopoulos wrote: > > > On Wed, Nov 23, 2016 at 10:10 PM, David Woodhouse > >

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Thu, 2016-11-24 at 14:26 +0100, Nikos Mavrogiannopoulos wrote: > On Wed, Nov 23, 2016 at 10:10 PM, David Woodhouse wrote: > > > Locales is not the only thing you have to worry about. UTF-8 and UTF-16 > > > can express the same string in various (different) ways, so they

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479993631.8937.91.ca...@infradead.org> on Thu, 24 Nov 2016 13:20:31 +, David Woodhouse said: dwmw2> On Wed, 2016-11-23 at 22:33 +0100, Richard Levitte wrote: dwmw2> > That being said, though, your recommendation should probably specify dwmw2> > (after

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 22:33 +0100, Richard Levitte wrote: > That being said, though, your recommendation should probably specify > (after discussing it) exactly what keys, certs and so on should be > supported. Otherwise, everyone will have a slightly different idea of > what's reasonable and you

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Richard Levitte skrev: (23 november 2016 22:23:18 CET) > > >David Woodhouse skrev: (23 november 2016 19:42:29 >CET) >>On Wed, 2016-11-23 at 17:00 +, Salz, Rich wrote: >>> >>> > FWIW I am perfectly content for applications *not* to >automatically

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

David Woodhouse skrev: (23 november 2016 19:42:29 CET) >On Wed, 2016-11-23 at 17:00 +, Salz, Rich wrote: >> >> > FWIW I am perfectly content for applications *not* to automatically >work >> > with such keys. Making the user jump through extra hoops to use >them >> >

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> On Tue, 2016-11-22 at 15:49 +, David Woodhouse wrote: >> On Tue, 2016-11-22 at 16:14 +0100, Richard Levitte wrote: >> > The more interesting part is when it tries to load files it guesses >> > are raw DER.  It's currently only trying a few chosen content >> > types, >> > I'm happy to add

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 17:00 +, Salz, Rich wrote: > > > FWIW I am perfectly content for applications *not* to automatically work > > with such keys. Making the user jump through extra hoops to use them > > would be perfectly fine in my book. > > oh I see.  "Users shouldn't care, it should

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> FWIW I am perfectly content for applications *not* to automatically work > with such keys. Making the user jump through extra hoops to use them > would be perfectly fine in my book. oh I see. "Users shouldn't care, it should just work" But only for some keys. Part of my I am opposed to

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 14:41 +, Peter Sylvester Edelweb wrote: > > An exemple used by the 'gem' engine. > > openssl rsa -in key.pem -text > Private-Key: (4096 bit) > modulus: >     00:c4:d9:a4:27:ea:17:10:09:35:79:89:fc:10:1f: >     01:39:34:b7:23:93:5a:61:05:af:b1:04:49:8a:68: >   >    

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 10:53 +, David Woodhouse wrote: > On Wed, 2016-11-23 at 11:47 +0100, Richard Levitte wrote: > > > > Right... > > > > But then, embedding everything in an OCTET STRING isn't exactly a > > novel idea either. How do we discern a DER encoded TSS KEY BLOB > > from whatever

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 15:21 +0100, Richard Levitte wrote: > In message <1479908025.8937.74.ca...@infradead.org> on Wed, 23 Nov 2016 > 13:33:45 +, David Woodhouse said: > > dwmw2> On Wed, 2016-11-23 at 13:13 +, Salz, Rich wrote: > dwmw2> > > But, what I get from you

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On 11/23/2016 02:33 PM, David Woodhouse wrote: > If I make a new object type which looks like a PKCS#1 RSA key but is > actually something completely different, it's *already* likely that > OpenSSL will load that new object as if it was an RSA key in some > cases. > An exemple used by the 'gem'

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> Essentially, you're suggesting that we split out the matching part of the d2i > functions and put that to good use. Or do you have some other idea, along > the lines if magic? NO. I am suggesting add one new routine that tries varies "convert to native" and returns which conversion worked.

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <2360f57bb7504a328e5517ac92e19...@usma1ex-dag1mb1.msg.corp.akamai.com> on Wed, 23 Nov 2016 13:51:03 +, "Salz, Rich" said: rsalz> rsalz> > Why is it different if we do exactly that in libcrypto? rsalz> rsalz> Because *we* are not guessing. We are telling the

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479908025.8937.74.ca...@infradead.org> on Wed, 23 Nov 2016 13:33:45 +, David Woodhouse said: dwmw2> On Wed, 2016-11-23 at 13:13 +, Salz, Rich wrote: dwmw2> > > But, what I get from you is "what if a octet stream matches two different dwmw2> > > ASN.1

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 14:26 +0100, Richard Levitte wrote: > > Quite frankly, that's a though that should go back to David and his > demand of automatic detection.  If anyone would *ever* create a raw > DER file holding a tss OCTET STRING, then the file spec *will* have to > have an indication of

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message on Wed, 23 Nov 2016 13:13:05 +, "Salz, Rich" said: rsalz> rsalz> > Uh... the d2i functions are already both in one. Are you saying they rsalz> > should be split in two, one part that

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> Uh... the d2i functions are already both in one. Are you saying they > should be split in two, one part that does all the checking and the other that > just decodes, trusting that all checks are already done? What you're gonna > do there is double part of the work. Well, not double, but

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 15:26 -0500, Thomas Francis, Jr. wrote: > On 11/22/16 2:37 PM, David Woodhouse wrote: > > And the locale / character set issue is not relevant here. ASN.1 is > > binary, PEM is ASCII. > PEM should be ASCII; in practice it is not necessarily ASCII.  There are > several

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

There is at least one real life HSM engine, that encodes numerical identifiers as "pseudo prime numbers", you end up with a RSA private key that has 1 and 2 prime numbers? No new ASN.1 Best On 11/23/2016 11:47 AM, Richard Levitte wrote: > In message <1479894913.8937.58.ca...@infradead.org>

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 11:47 +0100, Richard Levitte wrote: > > Right... > > But then, embedding everything in an OCTET STRING isn't exactly a > novel idea either.  How do we discern a DER encoded TSS KEY BLOB from > whatever else that had the same "novel" idea? An OCTET STRING is an > OCTET

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479894913.8937.58.ca...@infradead.org> on Wed, 23 Nov 2016 09:55:13 +, David Woodhouse said: dwmw2> On Wed, 2016-11-23 at 09:56 +0100, Richard Levitte wrote: dwmw2> > dwmw2> > dwmw2> > dwmw2> So maybe it's just "content types" that we have handlers for,

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 09:56 +0100, Richard Levitte wrote: > > > dwmw2> So maybe it's just "content types" that we have handlers for, each with > dwmw2> an optional PEM tag for matching, *and* an optional match function > dwmw2> which is given the parsed ASN.1 and checks if it's a match. > > I'm

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-23 at 09:39 +0100, Tomas Mraz wrote: > > I also would not be too much worried - the API call should not be > completely universal - the application should know whether it is > loading a certificate or private key. It should just be able to use a > single call to load a certificate

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479889418.8937.54.ca...@infradead.org> on Wed, 23 Nov 2016 08:23:38 +, David Woodhouse said: dwmw2> On Tue, 2016-11-22 at 18:06 +0100, Richard Levitte wrote: dwmw2> > dwmw2> > Actually, I agree with this, and that goes along with how our PEM dwmw2> >

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On St, 2016-11-23 at 00:03 +0100, Richard Levitte wrote: > In message <021a5d5b885845f5ab79c4420232e...@usma1ex-dag1mb1.msg.corp > .akamai.com> on Tue, 22 Nov 2016 18:03:31 +, "Salz, Rich" akamai.com> said: > > rsalz> It is already possible to write a utility library that tries >

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 18:06 +0100, Richard Levitte wrote: > > Actually, I agree with this, and that goes along with how our PEM > routines work (specifically, PEM_X509_INFO_read_bio()), it just > treats the data as an octet string and hands it down to a d2i routine > of choice, with a pointer to

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479839148.2376.31.ca...@hansenpartnership.com> on Tue, 22 Nov 2016 10:25:48 -0800, James Bottomley said: James.Bottomley> On Tue, 2016-11-22 at 18:03 +, Salz, Rich wrote: James.Bottomley> > > > It does this by trying to interpret the blob

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <021a5d5b885845f5ab79c4420232e...@usma1ex-dag1mb1.msg.corp.akamai.com> on Tue, 22 Nov 2016 18:03:31 +, "Salz, Rich" said: rsalz> It is already possible to write a utility library that tries rsalz> everything in turn, and returns an enumeration that says "seems

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On 11/22/16 2:37 PM, David Woodhouse wrote: On Tue, 2016-11-22 at 18:29 +, Salz, Rich wrote: And the locale / character set issue is not relevant here. ASN.1 is binary, PEM is ASCII. PEM should be ASCII; in practice it is not necessarily ASCII. There are several products that

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 18:29 +, Salz, Rich wrote: > > That's not the proposal. The proposal is to use PEM form because we can > > make it uniquely self describing using the guard tags which obviates the > > problem above. > > Well that's what you want. David wants more than that :) S'true

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

James.Bottomley> Yes, that's right. When any SSL program sees a TPM wrapped key, it James.Bottomley> should just do the right thing if it has the engine capability without James.Bottomley> needing the user to add any options to the command line. Mm... I'm not sure I agree

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> That's not the proposal. The proposal is to use PEM form because we can > make it uniquely self describing using the guard tags which obviates the > problem above. Well that's what you want. David wants more than that :) > On the larger issue of non-self describing formats like ASN.1: if

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 18:03 +, Salz, Rich wrote: > > > It does this by trying to interpret the blob against known ASN.1 > > > definitions, and will only succeed when there's a complete match. > > > I'm > > > not terribly worried... > > I am. With locales and UTF8, the old simple days of

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> > It does this by trying to interpret the blob against known ASN.1 > > definitions, and will only succeed when there's a complete match.  I'm > > not terribly worried... I am. With locales and UTF8, the old simple days of text/binary are probably long gone. And if any ASN.1 definition has

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 18:46 +0100, Richard Levitte wrote: > In message > <489af892b16b43ee9a7009ffe52db...@usma1ex-dag1mb1.msg.corp.akamai.com> on > Tue, 22 Nov 2016 17:40:54 +, "Salz, Rich" said: > > rsalz> > The more interesting part is when it tries to load files it

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <489af892b16b43ee9a7009ffe52db...@usma1ex-dag1mb1.msg.corp.akamai.com> on Tue, 22 Nov 2016 17:40:54 +, "Salz, Rich" said: rsalz> > The more interesting part is when it tries to load files it guesses are raw DER. rsalz> rsalz> And this part worries me. I do

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> The more interesting part is when it tries to load files it guesses are raw > DER. And this part worries me. I do not think a "security library" should be guessing. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479833048.2376.21.ca...@hansenpartnership.com> on Tue, 22 Nov 2016 08:44:08 -0800, James Bottomley said: James.Bottomley> On Tue, 2016-11-22 at 16:28 +, David Woodhouse wrote: James.Bottomley> > On Tue, 2016-11-22 at 17:21 +0100, Richard

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 16:28 +, David Woodhouse wrote: > On Tue, 2016-11-22 at 17:21 +0100, Richard Levitte wrote: > > > > dwmw2> It is *only* the OCTET STRING of the blob itself. Everything > > else is > > dwmw2> redundant anyway. > > > > Oh! Ok, that makes things much simpler (at least in

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 17:21 +0100, Richard Levitte wrote: > > dwmw2> It is *only* the OCTET STRING of the blob itself. Everything else is > dwmw2> redundant anyway. > > Oh!  Ok, that makes things much simpler (at least in a way) Kind of. But then again, there's an argument that it was none of

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479830167.8937.43.ca...@infradead.org> on Tue, 22 Nov 2016 15:56:07 +, David Woodhouse said: dwmw2> On Tue, 2016-11-22 at 16:32 +0100, Richard Levitte wrote: dwmw2> > In message <1479815862.8937.22.ca...@infradead.org> on Tue, 22 Nov 2016 11:57:42 +,

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 17:14 +0100, Richard Levitte wrote: > > I'm sorry, I have obviously had you a bit confused.  What I'm > currently interested in is decoding the content of a 'TSS KEY BLOB' > PEM file, and I assume that's a TssBlob type, yeah? No, it's not. (Sorry!) -- dwmw2 smime.p7s

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479829450.2376.10.ca...@hansenpartnership.com> on Tue, 22 Nov 2016 07:44:10 -0800, James Bottomley said: James.Bottomley> On Tue, 2016-11-22 at 16:32 +0100, Richard Levitte wrote: James.Bottomley> > In message

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 07:44 -0800, James Bottomley wrote: > > > I'm just having a look at the spec (page 151 in > > http://www.trustedcomputinggroup.org/wp-content/uploads/TSS_1_2_Errat > > a_A-final.pdf), and am a bit confused by the TssBlobType type.  Which > > is it in practice, an ENUMERATED

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 16:32 +0100, Richard Levitte wrote: > In message <1479815862.8937.22.ca...@infradead.org> on Tue, 22 Nov 2016 > 11:57:42 +, David Woodhouse said: > > dwmw2> Besides, it requires files in the form described by the Portable Data > dwmw2> section of

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 16:07 +0100, Richard Levitte wrote: > In message > on > Tue, 22 Nov 2016 14:42:35 +, "Salz, Rich" said: > > rsalz> > dwmw2> It should work out what the contents are for *itself*.

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 16:14 +0100, Richard Levitte wrote: > The more interesting part is when it tries to load files it guesses > are raw DER.  It's currently only trying a few chosen content types, > I'm happy to add more as time goes.  However, I suspect that nothing > in your test suite will

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 16:32 +0100, Richard Levitte wrote: > In message <1479815862.8937.22.ca...@infradead.org> on Tue, 22 Nov > 2016 11:57:42 +, David Woodhouse said: > > dwmw2> Besides, it requires files in the form described by the > Portable Data > dwmw2> section of

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479815862.8937.22.ca...@infradead.org> on Tue, 22 Nov 2016 11:57:42 +, David Woodhouse said: dwmw2> Besides, it requires files in the form described by the Portable Data dwmw2> section of the TSS (1.2) spec. That's a SEQUENCE with a blob type dwmw2> (which

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479823032.8937.37.ca...@infradead.org> on Tue, 22 Nov 2016 13:57:12 +, David Woodhouse said: dwmw2> On Tue, 2016-11-22 at 14:18 +0100, Richard Levitte wrote: dwmw2> > dwmw2> > Just let me shamelessly mention my STORE effort again ;-) dwmw2> > Among others,

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message on Tue, 22 Nov 2016 14:42:35 +, "Salz, Rich" said: rsalz> > dwmw2> It should work out what the contents are for *itself*. Whether rsalz> > dwmw2> they be PEM, DER, PKCS#n, TPM-wrapped blobs,

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> dwmw2> It should work out what the contents are for *itself*. Whether > dwmw2> they be PEM, DER, PKCS#n, TPM-wrapped blobs, or anything else. I disagree with this approach, but that's just my opinion. I am worried about "keep trying something until it works" because you'll get strange errors

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 14:18 +0100, Richard Levitte wrote: > > Just let me shamelessly mention my STORE effort again ;-) > Among others, it does attempt to solve that very problem (in the > 'file' scheme handler). Neat. Note that I have a ready-made test suite for you in OpenConnect:

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 14:32 +0100, Richard Levitte wrote: > In message <1479820334.8937.31.ca...@infradead.org> on Tue, 22 Nov 2016 > 13:12:14 +, David Woodhouse said: > > dwmw2> On Tue, 2016-11-22 at 14:06 +0100, Richard Levitte wrote: > dwmw2> > > dwmw2> > Not sure I

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479820334.8937.31.ca...@infradead.org> on Tue, 22 Nov 2016 13:12:14 +, David Woodhouse said: dwmw2> On Tue, 2016-11-22 at 14:06 +0100, Richard Levitte wrote: dwmw2> > dwmw2> > Not sure I follow...  'file=/foo/bar/key.pem' is just a path / dwmw2> >

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479820158.8937.29.ca...@infradead.org> on Tue, 22 Nov 2016 13:09:18 +, David Woodhouse said: dwmw2> On Tue, 2016-11-22 at 12:54 +, Salz, Rich wrote: dwmw2> > > would much rather have seen a patch where OpenSSL's PEM module is dwmw2> > > tought to

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 14:06 +0100, Richard Levitte wrote: > > Not sure I follow...  'file=/foo/bar/key.pem' is just a path / > parameter that the 'tpmkey' handler is free to interpret in whatever > way it sees fit.  For me as a user, it's just a string.  For all I > care, the URI could just as

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 12:54 +, Salz, Rich wrote: > > would much rather have seen a patch where OpenSSL's PEM module is > > tought to recognise 'BEGIN TSS KEY BLOB', pull out the blob from it, > > securing > > Yes, that would be much more consistent with the existing OpenSSL > code which --

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479815862.8937.22.ca...@infradead.org> on Tue, 22 Nov 2016 11:57:42 +, David Woodhouse said: dwmw2> On Mon, 2016-11-21 at 13:50 +, Blumenthal, Uri - 0553 - MITLL dwmw2> wrote: dwmw2> > Frankly, I think this approach of specially-encoded PEM or DER files

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

> would much rather have seen a patch where OpenSSL's PEM module is > tought to recognise 'BEGIN TSS KEY BLOB', pull out the blob from it, securing Yes, that would be much more consistent with the existing OpenSSL code which -- like it or not -- works that way. > My vote goes to a URI based

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Tue, 2016-11-22 at 13:48 +0100, Richard Levitte wrote: > Mm...  I'm not sure I agree with the method, passing a BIO for the > key_id.  I would much rather have seen a patch where OpenSSL's PEM > module is tought to recognise 'BEGIN TSS KEY BLOB', pull out the blob > from it, securing it somehow

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

In message <1479744347.2309.21.ca...@hansenpartnership.com> on Mon, 21 Nov 2016 08:05:47 -0800, James Bottomley said: James.Bottomley> On Mon, 2016-11-21 at 13:42 +, David Woodhouse wrote: James.Bottomley> > On Wed, 2016-11-16 at 19:07 +0100, Richard

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

gt;   Original Message   uri> From: David Woodhouse uri> Sent: Monday, November 21, 2016 08:43 uri> To: Richard Levitte; openssl-dev@openssl.org uri> Reply To: openssl-dev@openssl.org uri> Cc: James Bottomley uri> Subject: Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Mon, 2016-11-21 at 13:42 +, David Woodhouse wrote: > On Wed, 2016-11-16 at 19:07 +0100, Richard Levitte wrote: > > > > Many years ago, I was thinking of something along the same lines, > > but with a .pem file that would just have a few headers, holding > > the name of the intended

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Mon, 2016-11-21 at 13:42 +, David Woodhouse wrote: > Right. The TPM engine currently uses BEGIN TSS KEY BLOB-; I > added that a few years back (it used to just dump the binary blob > instead). Both the TPM ENGINE and GnuTLS will load those files, as > noted at

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

  From: David Woodhouse Sent: Monday, November 21, 2016 08:43 To: Richard Levitte; openssl-dev@openssl.org Reply To: openssl-dev@openssl.org Cc: James Bottomley Subject: Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl On Wed, 2016-11-16 at 19:07 +0100

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, 2016-11-16 at 19:07 +0100, Richard Levitte wrote: > > Many years ago, I was thinking of something along the same lines, but > with a .pem file that would just have a few headers, holding the name > of the intended engine and the key identity, something like this: > >     -BEGIN

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Thank you! I think I understand. (Sounds like an ugly and hardly necessary complication to me – not to mention that there might not be a filesystem to keep those around, but…) — Regards, Uri On 11/16/16, 5:06 PM, "openssl-dev on behalf of Dr. Stephen Henson"

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

On Wed, Nov 16, 2016, Richard Levitte wrote: > If I understand correctly, the intention is to avoid having to use > ENGINE_load_private_key() directly or having to say '-keyform ENGINE' > to the openssl commands, and to avoid having to remember some cryptic > key identity to give with '-key'.

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

If I understand correctly, the intention is to avoid having to use ENGINE_load_private_key() directly or having to say '-keyform ENGINE' to the openssl commands, and to avoid having to remember some cryptic key identity to give with '-key'. Instead of all that, just give the name of a .pem file

Re: [openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

My apologies – I don’t fully understand “file based engine keys”. I thought the keys were either on a hardware device (a TPM, a PKCS#11-accessible HSM or smartcard, etc), or in a file. If a key is in a file – it’s not an “engine key”. What am I missing, and what’s your use case(s)? — Regards,