Dmitri,

thanks for your answer. Could you (or somebody else) explain a little bit
more about the mainstream support for the well-known key subject? I actually need
to support any SRK value, and the well-known one was only my first try,
supposing it would be the easier way.


Thanks in advance,


On Sun, May 25, 2014 at 12:39 PM, Dmitri Toubelis <[email protected]> wrote:

> I wrote those patches for my own needs but I don't think they were
> accepted in mainstream. The mainstream also has some mechanism to use the
> well-known key but I couldn't make it work, so I wrote my own
> implementation, which is a stripped version of mainstream. If you want to use
> it then you'd better build the package directly from my fork at
> https://sourceforge.net/u/dtoubelis/trousers/ci/master/tree/.
>
> A few things to keep in mind though. Make sure your openssl version is 1.0.0
> or higher. I tried it with openssl-0.9.8x and 0.9.8y and it fails because
> of some subtle bug in openssl. Make sure that the library is in the correct
> place and openssl can see it. Here is an example:
>
> # openssl engine tpm -vvvv
> (tpm) TPM hardware engine support
>      SO_PATH: Specifies the path to the libtspi.so shared library
>           (input flags): STRING
>
> Once all this is working, all you need to do is to pass the key file and engine
> name to the openssl commands. I never tried using the openssl configuration file
> myself, so I cannot tell if what you are using is correct or not.
>
> Also, when creating the key, do not use the SHA1 signature scheme - it is
> broken. One more thing - if you are creating the TPM key in another application
> (not with the provided utility) the key must be of type LEGACY and located
> directly under the SRK.
>
> Hope this helps.
>
>
> ------------------------------
>
> *From: *"Thiago A. V. Lima" <[email protected]>
> *To: *[email protected]
> *Sent: *Saturday, May 24, 2014 7:28:00 PM
> *Subject: *[TrouSerS-users] libopenssl_tpm_engine and well known secret
>
>
> Hello all.
>
> After using the patch provided here [1], I was able to create tpm keys
> using the well known secret as SRK. The problem, now, is how to do that
> when using the engine. I tried one of the patches provided by [2], but
> although the option is set in my openssl.cnf file, it's being completely
> ignored. Any help is really appreciated.
>
> Here is what I'm trying to do:
>
> openssl req -new -x509 -out caroot.pem -key caroot.key -subj REDACTED_OUT
>> -config openssl.cnf -days 365000 -keyform engine -engine tpm
>
>
> and my openssl.cnf:
>
> # Custom engine
>> engines = engines_section
>> [engines_section]
>> tpm = engine_libtpm
>> [engine_libtpm]
>> dynamic_path = /usr/local/lib/openssl/engines/libtpm.so
>> default_algorithms = ALL
>> engine_id = tpm
>> init = 1
>> WELL_KNOWN
>
>
> [1] http://sourceforge.net/p/trousers/feature-requests/38/
> [2] http://sourceforge.net/p/trousers/feature-requests/39/
>
>
> Thanks in advance,
>
> --
> Thiago Augusto V. Lima
> Computer Engineer @ CIn - UFPE - Brazil
>
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users


-- 
Thiago Augusto V. Lima
Computer Engineer @ CIn - UFPE - Brazil
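One thing worth checking when an engine section is silently ignored, as an added example that is not part of the thread and not TrouSerS or OpenSSL code: OpenSSL's configuration module only reaches an engine section through a chain that starts at the `openssl_conf` key of the default section, whose named section must carry the `engines` key, which names the engines list, which names the engine's own section. The check below runs on a constructed copy of the openssl.cnf from the thread and on the same file with that chain prepended; the `WELL_KNOWN` key is treated as an opaque bare key because its meaning comes from the patch, not from OpenSSL (an assumption), and whether this is the cause of the posted problem is not established in the thread.

```python
import re
# Constructed copy of the openssl.cnf posted in the thread (WELL_KNOWN is a
# patch-specific control and is kept here as an opaque bare key; an assumption).
POSTED_CNF = """\
engines = engines_section
[engines_section]
tpm = engine_libtpm
[engine_libtpm]
dynamic_path = /usr/local/lib/openssl/engines/libtpm.so
default_algorithms = ALL
engine_id = tpm
init = 1
WELL_KNOWN
"""
# Same content with the two lines that hook it into OpenSSL's config processing.
FIXED_CNF = "openssl_conf = openssl_init\n[openssl_init]\n" + POSTED_CNF

def parse_cnf(text):
    """Minimal openssl.cnf reader -> {section: {key: value}}; '' is the default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[\s*(\w+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")   # bare keys (WELL_KNOWN) get value ''
        sections[current][key.strip()] = value.strip()
    return sections

def engine_config_issues(text, engine="tpm"):
    """Follow openssl_conf -> engines -> <engine> -> dynamic_path; report the first break."""
    cfg = parse_cnf(text)
    init = cfg[""].get("openssl_conf")
    if init is None:
        return ["default section has no 'openssl_conf = <section>', so the "
                "engines list is never consulted"]
    engines = cfg.get(init, {}).get("engines")
    if engines is None:
        return [f"[{init}] has no 'engines = <section>'"]
    sect_name = cfg.get(engines, {}).get(engine)
    if sect_name is None:
        return [f"[{engines}] does not list engine '{engine}'"]
    if "dynamic_path" not in cfg.get(sect_name, {}):
        return [f"[{sect_name}] lacks 'dynamic_path' for the shared object"]
    return []
```

Running `engine_config_issues(POSTED_CNF)` reports the missing `openssl_conf` hook, while the prepended version passes; any engine-specific keys beyond that chain still need to be checked against the patched engine's own documentation.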
