[gnutls-help] Using TPM with PKCS#11 applications

Thomas Habets thomas at habets.se
Thu Dec 5 18:37:06 CET 2013

On 5 December 2013 17:19, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> Do you mean libopencryptoki.so? I've deliberately chosen not to use
>> that one for various reasons.
> Would you mind sharing them?

They're on http://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly

* It generates at least some keys in software.
* It generates migratable keys. This is hardcoded, and some people
obviously want migratable keys (for backup purposes). So a fix would
have to involve supporting both.
* Opencryptoki has no way to send such parameters from the command
line key generator to the PKCS11 library. So not only would I have to
implement the setting, but the whole settings subsystem.
* The code is big, because it supports a lot of features. Features I
don't need or want. They get in the way of me as a user, and of me
fixing the other issues.
* The code is of pretty poor quality.

So it seems that I could use gnutls as a layer between libtspi and my
PKCS#11 provider, adding nice things like a standard tool for
generating keys (tpmtool) into a standard format. It would add a
dependency though, especially since e.g. Debian doesn't have a new
enough gnutls.

typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "thomas at habets.pp.se" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
 char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
