[gnutls-help] Using TPM with PKCS#11 applications

Thomas Habets thomas at habets.se
Thu Dec 5 17:45:36 CET 2013

On 5 December 2013 16:25, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> and GnuTLS supports *using* PKCS#11, but doesn't support
>> being used as a PKCS#11 provider. Is that right?
> No. GnuTLS doesn't provide a PKCS #11 module.

I'm not sure if you misread what I wrote. What do you mean by "PKCS #11 module"?

It looks on this illustration like it can interface with PKCS#11
providers at least:
but I don't see evidence of being able to act as a PKCS#11 provider.

> The trousers library provides a PKCS #11 front-end. I've never managed
> to set it up though.

Do you mean libopencryptoki.so? I've deliberately chosen not to use
that one for various reasons.

> If you are using gnutls I'd suggest to use directly the TPM interface
> or simply the TPM urls.

I'm leaning more towards going over PKCS#11, maybe via p11-kit. If
nothing else so that I get the ability of using the same key pair for
SSH and SSL, if I so choose. But I'm aware of the API for using TPM
with SSL that GnuTLS has.

typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "thomas at habets.pp.se" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
 char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

More information about the Gnutls-help mailing list