[gnutls-help] Using TPM with PKCS#11 applications
Thomas Habets
thomas at habets.se
Thu Dec 5 17:45:36 CET 2013
On 5 December 2013 16:25, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> and GnuTLS supports *using* PKCS#11, but doesn't support
>> being used as a PKCS#11 provider. Is that right?
> No. GnuTLS doesn't provide a PKCS #11 module.
I'm not sure if you misread what I wrote. What do you mean by "PKCS #11 module"?
It looks from this illustration like it can interface with PKCS#11
providers at least:
http://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html
but I don't see evidence of it being able to act as a PKCS#11 provider.
> The trousers library provides a PKCS #11 front-end. I've never managed
> to set it up though.
Do you mean libopencryptoki.so? I've deliberately chosen not to use
that one for various reasons.
> If you are using gnutls I'd suggest to use directly the TPM interface
> or simply the TPM urls.
I'm leaning more towards going over PKCS#11, maybe via p11-kit. If
nothing else so that I get the ability of using the same key pair for
SSH and SSL, if I so choose. But I'm aware of the API for using TPM
with SSL that GnuTLS has.
--
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "thomas at habets.pp.se" };
char kernel[] = { "Linux" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;