how to use gnutls_privkey_import_ext
latze at angry-red-pla.net
Sun Jun 10 12:56:02 CEST 2012
Ok, this is what I did now: I defined a sign_func and a decrypt_func
based on the type found in abstract.h:
    int gnutls_tpm_sign_func (gnutls_privkey_t key,
                              const gnutls_datum_t * raw_data,
                              gnutls_datum_t * signature);
    int gnutls_tpm_decrypt_func (gnutls_privkey_t key,
                                 const gnutls_datum_t * ciphertext,
                                 gnutls_datum_t * plaintext);
The decrypt func will just return -1, whereas the sign func will call
the TPM. Furthermore I created a NULL privkey:
and assigned a NULL privkey to the credentials of this session (even if
I assign the &key here, it does not help):
    gnutls_certificate_set_x509_key_mem(xcred, &ccert, NULL,
Later, after gnutls_init, I tried to import the key callbacks:
Now I see that gnutls_privkey_import_ext is executed without problems
(no errors, no segfault, valgrind just silent), but none of the
callbacks is ever called. I guess I am missing something during the
initialization. Do you have an idea what I am missing here?
On 06/10/2012 11:58 AM, Carolin Latze wrote:
> On 06/10/2012 11:55 AM, Nikos Mavrogiannopoulos wrote:
>> On 06/10/2012 11:37 AM, Carolin Latze wrote:
>>>> Did you check the error code from this function? It should have
>>>> because it requires a sign function and a decryption function. You
>>>> do not set the public key algorithm to be used and put a NULL there.
>>> I also tried with GNUTLS_PK_RSA, but that did not help. And yeah, I also
>>> switched on logging with a level of 15, but did not really see what the
>>> problem could be. Well, I thought it would be the pk algorithm, but as I
>>> said, that did not solve the problem.
>> Note that I didn't refer to logging but to checking the error code
>> returned by the function. If such a function fails the results are
>> unpredictable (like the crash you see). If possible send me an output of
>> valgrind with the crash to see whether an error code can be returned
>> instead of a crash.
> I will try that.
>>>> I see that trousers comes with a PKCS #11 module (or they claim to).
>>>> I've never tried it, but doesn't it work?
>>> It does. But the TPM has never been designed to meet the PKCS#11 spec,
>>> so it requires, for instance, setting some keys to NULL. I could do that,
>>> but I need to clear and reset my TPM to do that and I was hoping that I
>>> could avoid that. Maybe that is the next thing I try if I don't get
>>> the other function to work.
>> This function works (I know it is used in windows which usually has no
>> pkcs #11), so if you have more issues let me know. Just make sure you
>> provide functions of the correct type (note that the parameters in
>> gnutls_privkey_sign_func are different than the old gnutls_sign_func).
> Aha, ok, that helps :) I will rewrite the sign callback then.
>> btw. If you manage to use the TPM with this, would be nice if you point
>> me to your code (if it is lgpl). Would be nice to have some code to
>> use TPM.
> Yeah sure.