how to use gnutls_privkey_import_ext

Carolin Latze latze at
Sun Jun 10 11:37:28 CEST 2012

Hi Nikos,

On 06/10/2012 02:47 AM, Nikos Mavrogiannopoulos wrote:
> On 06/09/2012 12:36 PM, Carolin Latze wrote:
>> Hi all
>> I tried to port some of my really old code to a new version of GnuTLS. I
>> used a signing callback in order to let the TPM sign data. However since
>> gnutls_sign_callback_set is deprecated now I tried to move to
>> gnutls_privkey_import_ext. Here is what I did:
>> I defined an empty privkey structure (since the privkey is stored within
>> the TPM):
>> const gnutls_datum_t key = { NULL, 0 };
>> I took my old sign callback and assigned it to that structure:
>> gnutls_privkey_import_ext(&key,NULL,NULL,gnutls_tpm_sign,NULL,0);
> Hello,
>   Did you check the error code from this function? It should have failed
> because it requires a sign function and a decryption function. You also
> do not set the public key algorithm to be used and put a NULL there.
I also tried with GNUTLS_PK_RSA, but that did not help. And yeah I also 
switched on logging with a level of 15, but did not really see what the 
problem could. Well I thought it would be the pk algorithm, but as I 
said, that did not solve the problem.
> If you do not want to use decryption, then put a dummy function that
> always returns an error code and then make sure you use ciphersuites
> that require signing (DHE-RSA/ECDHE-RSA).
Ok, I will try that.
>> PKCS#11 is not really an option since that comes with some limitations
>> on the TPM...
> I see that trousers comes with a PKCS #11 module (or they claim to).
> I've never tried it, but doesn't it work?
It does. But the TPM has never been designed to meet the PKCS#11 spec, 
so it requires for instance to set some keys to NULL. I could do that 
but I need to clear and reset my TPM to do that and I was hoping that I 
could prevent that. Maybe that is the next thing I try if I don't manage 
to get the other function to work.


More information about the Gnutls-help mailing list