I've hacked together a PKCS11 provider .so file usable with "SSH -I
the-file.so". Right now it shells out to:
openssl rsautl -sign -inkey my-key -in to-sign -out signed
and successfully logs in using this key. Next step is to instead feed
the RSA operation to the TPM chip.
Where can I find good documentation for doing simple:
1) Generate RSA key in TPM chip and give me back the SRK-sealed blob
(and the pubkey).
2) Give blob back to TPM chip and ask it to sign a server challenge.
Please correct me if these are the wrong steps.
On 15 November 2013 16:29, Ken Goldman <[email protected]> wrote:
> I'm a TPM expert, but I don't know details of the PKCS11 layer. Sorry.
> PKCS11 might layer other controls on top of the TPM.
>
> On 11/15/2013 10:35 AM, Thomas Habets wrote:
>
>>> There are controls on migration. It requires the authorization password
>>> of the parent and the migration authorization password of the key.
>>
>> For keys under the private root key, does this mean the SRK password
>> (20 null bytes) and the user PIN?
>
> From the TPM POV, assuming the SRK password (really its 20 byte
> authorization value) is zero, that's all you need. The TPM doesn't have
> an additional user PIN.
>
> PKCS11 might.
>
>> So one more password to migrate than to use, correct?
>
> The TPM needs the parent authorization to load a key, plus the key
> authorization to use the key.
>
> To migrate, you need the parent authorization and the key's migration
> authorization (different from the use authorization). The owner
> authorization is used to authorize a target.
>
>
>
>
> ------------------------------------------------------------------------------
> DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
> OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
> Free app hosting. Or install the open source package on any LAMP server.
> Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
> http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
--
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "[email protected]" };
char kernel[] = { "Linux" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt"; };
char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
