[gnutls-help] Using TPM with PKCS#11 applications

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 5 17:25:41 CET 2013


On Thu, Dec 5, 2013 at 3:53 PM, Thomas Habets <thomas at habets.se> wrote:
> Hi.
>
> Reading http://www.gnutls.org/manual/html_node/Hardware-security-modules-and-abstract-key-types.html
> I understand the situation to be that GnuTLS has support for TPM chips
> via libtspi,

Hello,
 The above is correct.

> and GnuTLS supports *using* PKCS#11, but doesn't support
> being used as a PKCS#11 provider. Is that right?

No. GnuTLS doesn't provide a PKCS #11 module.

> I want TPM behind a PKCS11 provider to protect SSH client keys, and
> have written a pkcs11 module that works directly with libtspi. I'm
> trying to find out if GnuTLS has code for this already:
> http://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly

The trousers library provides a PKCS #11 front-end. I've never managed
to set it up though.
If you are using GnuTLS I'd suggest using the TPM interface directly,
or simply the TPM URLs.

regards,
Nikos
