[gnutls-help] GnuTLS-TPM handshake

Marcos Simó Picó marcossp at kth.se
Mon May 11 09:43:25 CEST 2015


I think the function would extract the key, since the description of the function literally says:

This function can also accept URLs at keyfile and certfile. In
that case it will import the private key and certificate indicated by
the URLs. Note that the supported URLs are the ones indicated by

And according to the TPM literature, importing the key means extracting it from the TPM and sending it somewhere else. Please correct me if I'm mistaken.

Thanks for your answer Nikos.



On 08 May 2015, at 21:33, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On Fri, 2015-05-08 at 12:32 +0000, Marcos Simó Picó wrote:
>> Hi all,
>>
>> I'm trying to set up a TLS session between client and server, both
>> provided with a TPM and using mutual authentication. I am checking if
>> it is feasible to do it using X.509 certificate authentication. I
>> found out that GnuTLS needs to get access to the actual private key
>> (either importing it from its URL or directly) by executing
>> gnutls_certificate_set_x509_key_file(), before performing the
>> handshake. However, it would be interesting that the private key would
>> never leave the TPM chip.
>
> What you say isn't correct. gnutls_certificate_set_x509_key_file() when
> given a tpmkey URL will utilize but not extract any key. Why do you
> think it would extract it?

