You are specifically talking about opencryptoki, and might want to try
over at opencryptoki-tech@

You need to do more than mark the keys as non-migratable, you also
need to patch the token initialization to ensure that the leaf keys
are also generated in TPM instead of externally.

On Fri, Nov 15, 2013 at 10:14 AM, Thomas Habets <[email protected]> wrote:
> On 15 November 2013 14:21, Dmitri Toubelis <[email protected]> wrote:
>> I think your concerns are ungrounded. The way TPM works is that private key 
>> never leaves hardware unencrypted. This applies to migratable keys too. When
>> you create a migration blob it will be encrypted inside the TPM chip with 
>> the public key you provide.
>
> Right, so if I in the migration supply a public key that I have the
> private key for, I have the TPM chip extract the key for me in a form
> I can decrypt, correct?
>
> The reason I want to use the TPM chip is so that a private key cannot
> be copied. Not so that it cannot be copied unless I have a certain
> password or key.
> I don't care if the keys are actually stored in the TPM or not. But
> they should not be copyable (in a usable form), and should never be
> seen by CPU or RAM in a form where they could be usefully inspected.
>
> It sounds to me like what I want to do is patch pkcs11-tool to always
> use TSS_KEY_NOT_MIGRATABLE in its calls to CreateKey, and regenerate
> my keys. Does that sound like it would satisfy my requirements?
>
> I tried making my own key generator using Tspi_ calls, but following
> example code on the Internet just made Tspi_Key_CreateKey() return 1,
> which is not a documented return value as seen in the manpage.
>
> --
> typedef struct me_s {
>  char name[]      = { "Thomas Habets" };
>  char email[]     = { "[email protected]" };
>  char kernel[]    = { "Linux" };
>  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt"; };
>  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
>  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
