Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-04 Thread Salz, Rich
> There were two requests: the bylaws and whether modified grant would be
> acceptable.  If, instead of an unrestricted grant in the CLA it were 
> restricted
> to relicensing to an OSI approved licence, the need to do due diligence on
> the foundation goes away.

We're not interested in changing the CLA at this time.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread Richard Levitte
In message <1483487075.2464.59.ca...@hansenpartnership.com> on Tue, 03 Jan 2017 15:44:35 -0800, James Bottomley  said:

James.Bottomley> On Tue, 2017-01-03 at 12:19 +0100, Richard Levitte wrote:
James.Bottomley> > There seems to be some confusion here. 
James.Bottomley> > 
James.Bottomley> > James, I understand the tpm engine as an external project, not part
James.Bottomley> > of the OpenSSL source proper and not intended to be. 
James.Bottomley> > 
James.Bottomley> > However, openssl-dev@openssl.org is a list focused on the development
James.Bottomley> > of OpenSSL proper. That makes it a bit odd to discuss the tpm engine
James.Bottomley> > here. Largely off topic. 
James.Bottomley> 
James.Bottomley> Fair enough.  You were cc'd since it's a modification of code used by
James.Bottomley> openSSL, in case there was interest.

Strictly speaking, that belongs in openssl-us...@openssl.org.

The reason I point this out is that for code that isn't meant to be
part of OpenSSL proper, the whole discussion about CLAs, licenses and
whatnot is a red herring that belongs neither here nor there.  As long
as you do stuff as a separate project, YOU (collective you) decide
what license to use, let alone your contribution policy.

Of course, I do recall that there was an attempt of patches to be
applied to OpenSSL proper.  That alone is subject to our license and
our policies, if that's still interesting (I don't know if it is).  If
it is, that should be contributed as a separate patch, preferably as a
github PR (sourceforge is entirely uninteresting to us).

Me, I haven't really minded the discussion here, as long as it didn't
become confusing.  After all, it did spark some discussion around my
STORE project ;-)

Did I leave something out or is the situation clear?

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread James Bottomley
On Wed, 2017-01-04 at 00:04 +, Matt Caswell wrote:
> 
> On 03/01/17 12:44, Salz, Rich wrote:
> > > > I'm still waiting on a reply ... I assume holidays are
> > > > contributing to the delay.
> > > > However, openssl_tpm_engine is a DCO project, so that concern
> > > > is
> > > > irrelevant here.
> > > 
> > > Sorry, I'll push to get the bylaws made public, is that what you
> > > need?
> > 
> > The OSF bylaws are now linked to from 
> > https://www.openssl.org/policies/
> 
> I can't actually see this link...am I just missing it, or did you not 
> push?


https://www.openssl.org/policies/osf-bylaws.pdf

Thanks for doing this!

James



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread Matt Caswell


On 03/01/17 12:44, Salz, Rich wrote:
>>> I'm still waiting on a reply ... I assume holidays are contributing to the 
>>> delay.
>>> However, openssl_tpm_engine is a DCO project, so that concern is
>>> irrelevant here.
>>
>> Sorry, I'll push to get the bylaws made public, is that what you need?
> 
> The OSF bylaws are now linked to from https://www.openssl.org/policies/

I can't actually see this link...am I just missing it, or did you not push?

Matt



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread James Bottomley
On Tue, 2017-01-03 at 12:19 +0100, Richard Levitte wrote:
> There seems to be some confusion here. 
> 
> James, I understand the tpm engine as an external project, not part
> of the OpenSSL source proper and not intended to be. 
> 
> However, openssl-dev@openssl.org is a list focused on the development
> of OpenSSL proper. That makes it a bit odd to discuss the tpm engine
> here. Largely off topic. 

Fair enough.  You were cc'd since it's a modification of code used by
openSSL, in case there was interest.

James


> Cheers 
> Richard 
> 
> Sent from BlueMail 
> 
> On 2 Jan. 2017 19:22, at 19:22, "Salz, Rich" 
> wrote:
> > > Really, how?  By pull request, you mean one against the openssl
> > github
> > > account so people subscribing to that account see it, I presume? 
> > >  For
> > that to
> > > happen, the tree the patch is against must actually exist within
> > > the
> > account,
> > > which this one doesn't.
> > 
> > You clone the openssl git repo, create your own branch off master,
> > apply the diffs you are mailing to the list, and commit/push and
> > then
> > make a PR.  Yes it's a bit of work for you.  But it then becomes
> > near-zero work for anyone on openssl to look at it.
> > 
> > > This patch is mostly FYI, so yes, I do given that multiple
> > > mailing
> > lists have
> > > some interest.
> > 
> > It's all about trade-offs.  Multiple people have said multiple
> > times
> > that PR's are the best way to work with OpenSSL.  If those other
> > groups, individually or collectively, are higher on your priority
> > list,
> > that's fine.  But do understand what's going on.
> > 
> > > I'm still waiting on a reply ... I assume holidays are
> > > contributing
> > to the delay.
> > > However, openssl_tpm_engine is a DCO project, so that concern is
> > irrelevant
> > > here.
> > 
> > Sorry, I'll push to get the bylaws made public, is that what you
> > need?
> > 
> > And no, it's not irrelevant.  If this is ever going to appear in
> > OpenSSL, a CLA must be signed.
> > 



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread James Bottomley
On Mon, 2017-01-02 at 18:22 +, Salz, Rich wrote:
> > I'm still waiting on a reply ... I assume holidays are contributing 
> > to the delay. However, openssl_tpm_engine is a DCO project, so that 
> > concern is irrelevant here.
> 
> Sorry, I'll push to get the bylaws made public, is that what you
> need?

There were two requests: the bylaws and whether modified grant would be
acceptable.  If, instead of an unrestricted grant in the CLA it were
restricted to relicensing to an OSI approved licence, the need to do
due diligence on the foundation goes away.

> And no, it's not irrelevant.  If this is ever going to appear in
> OpenSSL, a CLA must be signed.

It's not actually my code: I'm just updating it, so I'm unable to say
what the long term plan actually is.  I would think, though, that
hardware engines, since they're highly OS support dependent, would be
difficult to keep within openssl itself given that you want to compile
on multiple platforms.

James



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread Salz, Rich
> > I'm still waiting on a reply ... I assume holidays are contributing to the 
> > delay.
> > However, openssl_tpm_engine is a DCO project, so that concern is
> > irrelevant here.
> 
> Sorry, I'll push to get the bylaws made public, is that what you need?

The OSF bylaws are now linked to from https://www.openssl.org/policies/ or 
available directly at https://www.openssl.org/policies/osf-bylaws.pdf 


Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-03 Thread Richard Levitte
There seems to be some confusion here. 

James, I understand the tpm engine as an external project, not part of the 
OpenSSL source proper and not intended to be. 

However, openssl-dev@openssl.org is a list focused on the development of 
OpenSSL proper. That makes it a bit odd to discuss the tpm engine here. Largely 
off topic. 

Cheers 
Richard 

Sent from BlueMail

On 2 Jan. 2017 19:22, at 19:22, "Salz, Rich"  wrote:
>> Really, how?  By pull request, you mean one against the openssl
>github
>> account so people subscribing to that account see it, I presume?  For
>that to
>> happen, the tree the patch is against must actually exist within the
>account,
>> which this one doesn't.
>
>You clone the openssl git repo, create your own branch off master,
>apply the diffs you are mailing to the list, and commit/push and then
>make a PR.  Yes it's a bit of work for you.  But it then becomes
>near-zero work for anyone on openssl to look at it.
>
>> This patch is mostly FYI, so yes, I do given that multiple mailing
>lists have
>> some interest.
>
>It's all about trade-offs.  Multiple people have said multiple times
>that PR's are the best way to work with OpenSSL.  If those other
>groups, individually or collectively, are higher on your priority list,
>that's fine.  But do understand what's going on.
>
>> I'm still waiting on a reply ... I assume holidays are contributing
>to the delay.
>> However, openssl_tpm_engine is a DCO project, so that concern is
>irrelevant
>> here.
>
>Sorry, I'll push to get the bylaws made public, is that what you need?
>
>And no, it's not irrelevant.  If this is ever going to appear in
>OpenSSL, a CLA must be signed.
>


Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-02 Thread Kurt Roeckx
On Mon, Jan 02, 2017 at 08:50:24AM -0800, James Bottomley wrote:
> On Mon, 2017-01-02 at 17:38 +0100, Kurt Roeckx wrote:
> > On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> > > This patch adds RSA signing for TPM2 keys.  There's a limitation to 
> > > the way TPM2 does signing: it must recognise the OID for the 
> > > signature.  That fails for the MD5-SHA1 signatures of the TLS/SSL 
> > > certificate verification protocol, so I'm using RSA_Decrypt for 
> > > both signing (encryption) and decryption ... meaning that this only 
> > > works with TPM decryption keys.  It is possible to use the prior 
> > > code, which preserved the distinction of signing and decryption 
> > > keys, but only at the expense of not being able to support SSL or
> > > TLS lower than 1.2
> > 
> > Please submit patches via github.
> 
> Um, that's not really possible given that openssl_tpm_engine is a
> sourceforge project.

I obviously didn't look at it and assumed it was for openssl, not
some other project.


Kurt



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-02 Thread Salz, Rich
> Really, how?  By pull request, you mean one against the openssl github
> account so people subscribing to that account see it, I presume?  For that to
> happen, the tree the patch is against must actually exist within the account,
> which this one doesn't.

You clone the openssl git repo, create your own branch off master, apply the 
diffs you are mailing to the list, and commit/push and then make a PR.  Yes 
it's a bit of work for you.  But it then becomes near-zero work for anyone on 
openssl to look at it.

> This patch is mostly FYI, so yes, I do given that multiple mailing lists have
> some interest.

It's all about trade-offs.  Multiple people have said multiple times that PR's 
are the best way to work with OpenSSL.  If those other groups, individually or 
collectively, are higher on your priority list, that's fine.  But do understand 
what's going on.

> I'm still waiting on a reply ... I assume holidays are contributing to the 
> delay.
> However, openssl_tpm_engine is a DCO project, so that concern is irrelevant
> here.

Sorry, I'll push to get the bylaws made public, is that what you need?

And no, it's not irrelevant.  If this is ever going to appear in OpenSSL, a CLA 
must be signed.



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-02 Thread James Bottomley
On Mon, 2017-01-02 at 17:53 +, Salz, Rich wrote:
> > Um, that's not really possible given that openssl_tpm_engine is a
> > sourceforge project.
> 
> Sure it is.

Really, how?  By pull request, you mean one against the openssl github
account so people subscribing to that account see it, I presume?  For
that to happen, the tree the patch is against must actually exist
within the account, which this one doesn't.

>   You just find it easier to email patches. 

This patch is mostly FYI, so yes, I do given that multiple mailing
lists have some interest.

>  This is now the second time you’ve been asked.
> 
> And also, you had concerns about the CLA before.  Have they been
> resolved?  If not you should probably stop.

I'm still waiting on a reply ... I assume holidays are contributing to
the delay.  However, openssl_tpm_engine is a DCO project, so that
concern is irrelevant here.

James



Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-02 Thread Salz, Rich
> Um, that's not really possible given that openssl_tpm_engine is a
> sourceforge project.

Sure it is.  You just find it easier to email patches.  This is now the second 
time you’ve been asked.

And also, you had concerns about the CLA before.  Have they been resolved?  If 
not you should probably stop.


Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-02 Thread James Bottomley
On Mon, 2017-01-02 at 17:38 +0100, Kurt Roeckx wrote:
> On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> > This patch adds RSA signing for TPM2 keys.  There's a limitation to 
> > the way TPM2 does signing: it must recognise the OID for the 
> > signature.  That fails for the MD5-SHA1 signatures of the TLS/SSL 
> > certificate verification protocol, so I'm using RSA_Decrypt for 
> > both signing (encryption) and decryption ... meaning that this only 
> > works with TPM decryption keys.  It is possible to use the prior 
> > code, which preserved the distinction of signing and decryption 
> > keys, but only at the expense of not being able to support SSL or
> > TLS lower than 1.2
> 
> Please submit patches via github.

Um, that's not really possible given that openssl_tpm_engine is a
sourceforge project.

James




Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2017-01-02 Thread Kurt Roeckx
On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> This patch adds RSA signing for TPM2 keys.  There's a limitation to the
> way TPM2 does signing: it must recognise the OID for the signature. 
>  That fails for the MD5-SHA1 signatures of the TLS/SSL certificate
> verification protocol, so I'm using RSA_Decrypt for both signing
> (encryption) and decryption ... meaning that this only works with TPM
> decryption keys.  It is possible to use the prior code, which preserved
> the distinction of signing and decryption keys, but only at the expense
> of not being able to support SSL or TLS lower than 1.2

Please submit patches via github.


Kurt



[openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine

2016-12-31 Thread James Bottomley
This patch adds RSA signing for TPM2 keys.  There's a limitation to the
way TPM2 does signing: it must recognise the OID for the signature. 
 That fails for the MD5-SHA1 signatures of the TLS/SSL certificate
verification protocol, so I'm using RSA_Decrypt for both signing
(encryption) and decryption ... meaning that this only works with TPM
decryption keys.  It is possible to use the prior code, which preserved
the distinction of signing and decryption keys, but only at the expense
of not being able to support SSL or TLS lower than 1.2

Signed-off-by: James Bottomley 

---
v2: - use TPM2_RSA_Decrypt for both decryption and signing operations
- Add authority processing
- Add TPM internal key creation
- allow persistent parents
- update to use transient connections to the TPM
---
 Makefile.am   |  12 +-
 create_tpm2_key.c | 451 +++
 e_tpm2.c  | 559 ++
 tpm2-asn.h|  59 ++
 tpm2-common.c | 175 +
 tpm2-common.h |  10 +
 6 files changed, 1264 insertions(+), 2 deletions(-)
 create mode 100644 create_tpm2_key.c
 create mode 100644 e_tpm2.c
 create mode 100644 tpm2-asn.h
 create mode 100644 tpm2-common.c
 create mode 100644 tpm2-common.h

diff --git a/Makefile.am b/Makefile.am
index 6695656..fb4f529 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,12 +2,20 @@ SUBDIRS=. test
 
 EXTRA_DIST = README  openssl.cnf.sample
 
-openssl_engine_LTLIBRARIES=libtpm.la
-bin_PROGRAMS=create_tpm_key
+openssl_engine_LTLIBRARIES=libtpm.la libtpm2.la
+bin_PROGRAMS=create_tpm_key create_tpm2_key
 openssl_enginedir=@libdir@/openssl/engines
 
 libtpm_la_LIBADD=-lcrypto -lc -ltspi
 libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
 
+libtpm2_la_LIBADD=-lcrypto -lc -ltss
+libtpm2_la_SOURCES=e_tpm2.c tpm2-common.c
+libtpm2_la_CFLAGS=-g -Werror
+
 create_tpm_key_SOURCES=create_tpm_key.c
 create_tpm_key_LDADD=-ltspi
+
+create_tpm2_key_SOURCES=create_tpm2_key.c tpm2-common.c
+create_tpm2_key_LDADD=-lcrypto -ltss
+create_tpm2_key_CFLAGS=-Werror
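Review bot: `libtpm2_la_CFLAGS=-g -Werror` and `create_tpm2_key_CFLAGS=-Werror` hard-code compiler flags into the distributed build: `-Werror` turns any warning a newer compiler introduces into a build failure for packagers, and a per-target `*_CFLAGS` variable overrides whatever the user passed to configure. Suggest keeping `-Werror` behind a developer-only configure switch and dropping `-g`, which the user's CFLAGS already controls. Minor: `-lc` in `libtpm2_la_LIBADD` (copied from `libtpm_la_LIBADD`) is redundant, since libtool links libc implicitly.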
diff --git a/create_tpm2_key.c b/create_tpm2_key.c
new file mode 100644
index 000..ca3b38f
--- /dev/null
+++ b/create_tpm2_key.c
@@ -0,0 +1,451 @@
+/*
+ *
+ *   Copyright (C) 2016 James Bottomley 
+ *
+ *   GPLv2
+ */
+
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include "tpm2-asn.h"
+#include "tpm2-common.h"
+
+static struct option long_options[] = {
+   {"auth", 0, 0, 'a'},
+   {"help", 0, 0, 'h'},
+   {"key-size", 1, 0, 's'},
+   {"name-scheme", 1, 0, 'n'},
+   {"parent-handle", 1, 0, 'p'},
+   {"wrap", 1, 0, 'w'},
+   {0, 0, 0, 0}
+};
+
+static TPM_ALG_ID name_alg = TPM_ALG_SHA256;
+static int name_alg_size = SHA256_DIGEST_SIZE;
+
+void
+usage(char *argv0)
+{
+   fprintf(stderr, "\t%s: create a TPM key and write it to disk\n"
+   "\tusage: %s [options] \n\n"
+   "\tOptions:\n"
+   "\t\t-a|--auth  require a password for the key [NO]\n"
+   "\t\t-h|--help  print this help message\n"
+   "\t\t-s|--key-size  key size in bits [2048]\n"
+   "\t\t-n|--name-scheme   name algorithm to use sha1 [sha256] 
sha384 sha512\n"
+   "\t\t-p|--parent-handle persistent handle of parent key\n"
+   "\t\t-w|--wrap [file]   wrap an existing openssl PEM key\n"
+   "\nReport bugs to %s\n",
+   argv0, argv0, PACKAGE_BUGREPORT);
+   exit(-1);
+}
+
+void
+openssl_print_errors()
+{
+   ERR_load_ERR_strings();
+   ERR_load_crypto_strings();
+   ERR_print_errors_fp(stderr);
+}
+
+int
+openssl_write_tpmfile(const char *file, BYTE *pubkey, int pubkey_len,
+ BYTE *privkey, int privkey_len, int empty_auth,
+ TPM_HANDLE parent)
+{
+   TSSLOADABLE tssl;
+   BIO *outb;
+
+   /* clear structure so as not to have to set optional parameters */
+   memset(, 0, sizeof(tssl));
+   if ((outb = BIO_new_file(file, "w")) == NULL) {
+fprintf(stderr, "Error opening file for write: %s\n", file);
+   return 1;
+   }
+   tssl.type = OBJ_txt2obj(OID_loadableKey, 1);
+   tssl.emptyAuth = empty_auth;
+   if ((parent & 0xff00) == 0x8100) {
+   tssl.parent = ASN1_INTEGER_new();
+   ASN1_INTEGER_set(tssl.parent, parent);
+   }
+   tssl.pubkey = ASN1_OCTET_STRING_new();
+   ASN1_STRING_set(tssl.pubkey, pubkey, pubkey_len);
+   tssl.privkey = ASN1_OCTET_STRING_new();
+   ASN1_STRING_set(tssl.privkey, privkey, privkey_len);
+
+   PEM_write_bio_TSSLOADABLE(outb, );
+   BIO_free(outb);
+   return 0;
+}
+
+EVP_PKEY *
+openssl_read_key(char *filename)
+{
+BIO *b = NULL;
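Review bot: `openssl_write_tpmfile` checks none of `ASN1_INTEGER_new`, `ASN1_OCTET_STRING_new`, `ASN1_STRING_set` or `PEM_write_bio_TSSLOADABLE` and never frees the objects it allocates into `tssl`, so a failed allocation dereferences NULL, a successful run leaks, and a failed PEM write still returns 0 to the caller, who then believes a complete key file is on disk. Suggest checking each call, returning non-zero on failure, and releasing the fields on every path, e.g. `ASN1_INTEGER_free(tssl.parent); ASN1_OCTET_STRING_free(tssl.pubkey); ASN1_OCTET_STRING_free(tssl.privkey);`. The persistent-parent test as it appears here, `(parent & 0xff00) == 0x8100`, masks a 32-bit `TPM_HANDLE` with a 16-bit constant and so cannot match a handle in the TPM persistent range 0x81xxxxxx; if the archived copy has not lost digits, the mask and constant should be `0xff000000` and `0x81000000`. Smaller points: `usage` and `openssl_print_errors` are not `static`, `openssl_print_errors()` is declared with empty parentheses rather than `(void)`, and `exit(-1)` in `usage` yields exit status 255 where `EXIT_FAILURE` is conventional; under `-Werror` the prototype issue alone may fail the build on stricter compilers.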
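The cover letter's point that TPM2 signing needs a recognisable hash OID, and that a raw RSA "decrypt" can substitute for it, is easy to see with the padding written out. The following is an added example, not code from the openssl_tpm_engine patch or the TPM software stack: it builds a throw-away 512-bit RSA key at import time (deterministic and far too small for real use), pads a TLS 1.2 style DigestInfo and a TLS 1.0/1.1 style MD5||SHA-1 block the way OpenSSL would, and contrasts a raw private-key operation (what a NULL-padded TPM2_RSA_Decrypt returns) with `tpm_sign_model`, a hypothetical model of a sign primitive that only accepts digests whose hash it can name.

```python
"""Signing via a raw RSA private-key operation versus a TPM sign primitive.

Added example; the key below is constructed at import and is NOT a real key.
"""
import hashlib
import math
import random

_rng = random.Random(20170101)   # fixed seed: same toy key on every run


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin after small-prime trial division; enough for a demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _make_key(bits=512, e=65537):
    """Toy RSA key (constructed): returns (n, e, d)."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


N, E, D = _make_key()
K = (N.bit_length() + 7) // 8   # modulus length in bytes

# DER DigestInfo prefixes (RFC 8017 section 9.2, note 1). A TPM RSASSA sign
# inserts one of these itself, which is why it must know the hash algorithm.
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}


def pkcs1_type1_pad(t, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || T, at least eight FFs."""
    if k < len(t) + 11:
        raise ValueError("modulus too short for payload")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_private_raw(em):
    """Raw private-key exponentiation on an already padded block: what the
    engine gets from TPM2_RSA_Decrypt with a NULL padding scheme."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def rsa_public_raw(sig):
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")


def tpm_sign_model(digest, hash_alg):
    """Assumed model of a TPM sign primitive: it builds the DigestInfo for the
    named hash, so a payload with no hash OID has no name it can accept."""
    if hash_alg not in DIGEST_INFO_PREFIX:
        raise ValueError("TPM has no OID for %r" % hash_alg)
    return rsa_private_raw(pkcs1_type1_pad(DIGEST_INFO_PREFIX[hash_alg] + digest, K))


def tpm_can_sign(hash_alg):
    return hash_alg in DIGEST_INFO_PREFIX


def tls12_em(message):
    """TLS 1.2 style payload: DigestInfo(SHA-256 OID) || SHA-256(message)."""
    return pkcs1_type1_pad(DIGEST_INFO_PREFIX["sha256"] + hashlib.sha256(message).digest(), K)


def tls10_em(message):
    """TLS 1.0/1.1 style payload: MD5(m) || SHA-1(m), 36 bytes, no DigestInfo."""
    return pkcs1_type1_pad(hashlib.md5(message).digest() + hashlib.sha1(message).digest(), K)


def verify_raw(sig, expected_em):
    return rsa_public_raw(sig) == expected_em


def decrypt_matches_tpm_sign(message):
    """For SHA-256 the two paths yield identical bytes; only who builds the
    DigestInfo differs. For MD5||SHA-1 only the raw path exists at all."""
    return rsa_private_raw(tls12_em(message)) == tpm_sign_model(hashlib.sha256(message).digest(), "sha256")


if __name__ == "__main__":
    msg = b"CertificateVerify transcript (constructed)"
    print("TLS 1.2 via raw op == TPM sign:", decrypt_matches_tpm_sign(msg))
    print("TPM can name md5-sha1:", tpm_can_sign("md5-sha1"))
    print("TLS 1.0 via raw op verifies:", verify_raw(rsa_private_raw(tls10_em(msg)), tls10_em(msg)))
```

The trade-off the cover letter describes falls out of `tpm_sign_model`: the primitive can only produce the TLS 1.2 signature because SHA-256 has a DigestInfo it can name, while the 36-byte MD5||SHA-1 block of older TLS has none, so the only way to sign it is to hand the TPM the fully padded block and let it exponentiate, which is a decryption-key operation rather than a signing-key one.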