On 11/18/2013 6:29 PM, Thomas Habets wrote: > I've hacked together a PKCS11 provider .so file usable with "SSH -I > the-file.so". Right now it shells out to: > openssl rsautl -sign -inkey my-key -in to-sign -out signed > and successfully logs in using this key. Next step is to instead feed > the RSA operation to the TPM chip. > > Where can I find good documentation for doing simple: > 1) Generate RSA key in TPM chip and give me back the SRK-sealed blob > (and the pubkey). > 2) Give blob back to TPM chip and ask it to sign a server challenge. > > Please correct me if these are the wrong steps.
I can only answer from the TPm POV. The TSS and PKCS11 might add some other steps. 1 - You can seal to the SRK. If you did 'take ownership', the SRK will be there. 2 - There are several commands to get the SRK public key from the TPM, but the TSS should already have it. 3 - The command to seal is ... seal. You have to specify the PCR values used to release the sealed data during unseal. These do not have to be the PCR values present at sealing time. You also have to specify the data to be sealed. Often, that's a symmetric key, but it can be any small lob. 4 - I don't understand (2). The sealed blob can't sign anything. It's your data blob encrypted by the SRK public key. ------------------------------------------------------------------------------ Shape the Mobile Experience: Free Subscription Software experts and developers: Be at the forefront of tech innovation. Intel(R) Software Adrenaline delivers strategic insight and game-changing conversations that shape the rapidly evolving mobile landscape. Sign up now. http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
