Support import export TPM private keys #162
Open
shmset wants to merge 1 commit into tpm2-software:master from
Conversation
```c
tpk->privkeyType = ASN1_INTEGER_new();
if (tpk->privkeyType == NULL)
    goto error;
if (!ASN1_INTEGER_set_uint64(tpk->privkeyType, keydata->privatetype))
```
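Review bot: the `if (!ASN1_INTEGER_set_uint64(tpk->privkeyType, keydata->privatetype))` check at the end of this region is cut off here; its failure branch should take the same `goto error` path as the allocation check two lines above, otherwise a `privkeyType` that was allocated but never set would silently describe the key as type 0 (a blob). The set should also run whether or not `tpk->privkeyType` was just allocated, so a structure that already carried a `privkeyType` is overwritten with `keydata->privatetype` rather than keeping a stale value.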
@smhmeier Shouldn't the value of tpk->privkeyType be set even if the field wasn't NULL to begin with?

Contributor (Author):
@throwException Yes. You're absolutely right. I'll fix it.
```c
{ "EC", "provider=tpm2,output=der,structure=PrivateKeyInfo", tpm2_tss_encoder_PrivateKeyInfo_der_functions },
{ "EC", "provider=tpm2,output=pem,structure=PrivateKeyInfo", tpm2_tss_encoder_PrivateKeyInfo_pem_functions },
{ "EC", "provider=tpm2,output=der,structure=type-specific", tpm2_tss_encoder_PrivateKeyInfo_der_functions },
{ "EC", "provider=tpm2,output=pem,structure=type-specific", tpm2_tss_encoder_PrivateKeyInfo_pem_functions },
```
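Review bot: the two `structure=type-specific` rows reuse `tpm2_tss_encoder_PrivateKeyInfo_der_functions` and `tpm2_tss_encoder_PrivateKeyInfo_pem_functions`, so a caller asking for the type-specific EC structure gets the PrivateKeyInfo (TSS2 PRIVATE KEY) encoding instead; if that aliasing is intentional because the TSS2 wrapper is the only on-disk form the provider can produce, a one-line comment next to these rows would stop the next reader from taking it for a copy-paste slip. The rows are also registered only for `"EC"`, so the equivalent export of an RSA or RSA-PSS key has no type-specific encoder to select; the same pair of rows is needed for those key types.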
@smhmeier Maybe the type-specific encoder should also be enabled for RSA?

Contributor (Author):
@throwException Good suggestion. I'll add it for RSA/RSA-PSS and add some tests.
Signed-off-by: Silas Steinhauser <silas.steinhauser@gapfruit.com>
This commit adds support to export a primary key from the TPM by saving the key-type and a key handle in the ASN1 structure inside the TSS2 PRIVATE KEY. The biggest change is on line 134 in file `src/tpm2-provider-pkey.c` where instead of simply assuming `KEY_TYPE_BLOB`, I check if a handle is used instead. Without it, the part that handles `KEY_TYPE_HANDLE` is never called.

I decided to use two additional, but optional, fields in the ASN1 structure. Another approach would be to use the existing `privkey` field and interpret it according to the `privkeyType`.

The main application for this change is being able to export the key as seen in the test:

```sh
openssl ec -provider tpm2 -in "handle:${HANDLE}" -out primary_key.pem
```

This output file can then be used in `curl` for mTLS.
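To make the "two optional fields plus dispatch on the type" design concrete, here is an added, stand-alone illustration in Python; it is not code from the tpm2-openssl project or from this PR. It hand-rolls just enough DER to encode and decode a TSS2-PRIVATE-KEY-like SEQUENCE with optional `privkeyType` and `handle` fields, then shows a loader that branches on `privkeyType` instead of assuming `KEY_TYPE_BLOB`, which is the bug the PR description calls out. The field order, the context tags `[1]`/`[2]`, the constant values and the sample bytes are all assumptions made for this example; the project's real ASN.1 definition and constants may differ.

```python
# Added illustration, not tpm2-openssl code.  Field layout, context tags
# [1]/[2], KEY_TYPE_* values and sample bytes are assumptions for this example.

KEY_TYPE_BLOB = 0    # privkey carries a wrapped TPM2B_PRIVATE under `parent`
KEY_TYPE_HANDLE = 1  # object is already resident in the TPM; `handle` names it


def _len(n):
    """DER length: short form below 0x80, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _int(v):
    # One extra bit of headroom keeps the sign bit clear for values like 0x81000001.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _octets(b):
    return _tlv(0x04, b)


def encode_tss2_key(parent, pubkey, privkey, privkey_type=None, handle=None):
    """SEQUENCE { parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING,
                 privkeyType [1] EXPLICIT INTEGER OPTIONAL,
                 handle      [2] EXPLICIT INTEGER OPTIONAL }  (assumed layout)"""
    body = _int(parent) + _octets(pubkey) + _octets(privkey)
    if privkey_type is not None:
        body += _tlv(0xA1, _int(privkey_type))
    if handle is not None:
        body += _tlv(0xA2, _int(handle))
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects lengths that run past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _read_int(v):
    tag, body, end = _read_tlv(v, 0)
    if tag != 0x02 or end != len(v):
        raise ValueError("expected a single INTEGER")
    return int.from_bytes(body, "big")


def decode_tss2_key(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields[:3]] != [0x02, 0x04, 0x04]:
        raise ValueError("mandatory fields missing or out of order")
    # Files written before the optional fields existed still decode as plain blobs.
    key = {"parent": int.from_bytes(fields[0][1], "big"), "pubkey": fields[1][1],
           "privkey": fields[2][1], "privkeyType": KEY_TYPE_BLOB, "handle": None}
    for t, v in fields[3:]:
        if t == 0xA1:
            key["privkeyType"] = _read_int(v)
        elif t == 0xA2:
            key["handle"] = _read_int(v)
        else:
            raise ValueError("unexpected field tag 0x%02x" % t)
    return key


def load_key(der):
    """Mirror of the fix the PR describes: branch on privkeyType rather than
    assuming KEY_TYPE_BLOB, so the handle path is reachable.  Returns
    ("handle", h) or ("load", parent, privkey) for the TPM-facing caller."""
    key = decode_tss2_key(der)
    if key["privkeyType"] == KEY_TYPE_HANDLE:
        if key["handle"] is None:
            raise ValueError("KEY_TYPE_HANDLE without a handle field")
        return ("handle", key["handle"])
    if key["privkeyType"] == KEY_TYPE_BLOB:
        if not key["privkey"]:
            raise ValueError("KEY_TYPE_BLOB with empty privkey")
        return ("load", key["parent"], key["privkey"])
    raise ValueError("unknown privkeyType %d" % key["privkeyType"])


# Constructed sample objects (not real TPM data).
SAMPLE_PUB = b"\x00\x1a" + b"\x01" * 26
BLOB_KEY = encode_tss2_key(0x40000001, SAMPLE_PUB, b"\x00\x20" + b"\x02" * 32)
HANDLE_KEY = encode_tss2_key(0x40000001, SAMPLE_PUB, b"",
                             privkey_type=KEY_TYPE_HANDLE, handle=0x81000001)

if __name__ == "__main__":
    print(load_key(BLOB_KEY)[0], load_key(HANDLE_KEY))
```

The point of keeping both fields OPTIONAL shows up in `decode_tss2_key`: a file that predates the change has no `[1]`/`[2]` elements and is treated as a blob, while a handle-type file is only accepted when the handle is actually present, so a loader can never fall through to the blob path with an empty `privkey`.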