From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: openssl-dev-MCmKBN63+BlAfugRpC6u6w@public.gmane.org,
gnutls-devel-f8S/fY/i+OXSWulAQ3bEYg@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
trousers-tech-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Cc: David Woodhouse <dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
Subject: Proposal for the ASN.1 form of TPM1.2 and TPM2 keys
Date: Fri, 23 Dec 2016 10:06:03 -0800 [thread overview]
Message-ID: <1482516363.2501.34.camel@HansenPartnership.com> (raw)
The reason this comes about is because we already have a standard form
for TPM 1.2 keys here:
http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#ident-tpm
However, since I'm working on TPM2 enabling for openssl and gnutls, I
need to come up with a new key format because TPM2 requires some extra
parameters and the original TSS KEY BLOB, being a single
ASN1_OCTET_STRING isn't expandable.
As a digression, the extra parameters that TPM2 needs are:
1. A public key blob. In TPM12 the key complex was a joint
public/private part. In TPM2, the public and private key structures
have variable length and are supplied separately.
2. a boolean for emptyAuth. In TPM12 there's a way to tell if a
structure has no authorization. In TPM2 there's no such thing as no
authorization, but there's a conventional empty authorization to
replace it but no way of querying whether any given key is using it,
so we need to know explicitly whether to prompt for a password or
not.
3. There are different forms a TPM private key could be in. One is
symmetrically encrypted with a TPM private key, which makes it
loadable, meaning it must be produced on the TPM itself and the
other is asymmetrically encrypted meaning it can be produced away
from the TPM but must be imported before being loaded.
I think there's value in having a universal structure for the key
representations, so I'm proposing an ASN1 representation that will work
for both TPM1.2 and TPM2 keys. I'd also like it to be self describing,
so I think we should use an OID as the initial parameter of the
sequence. With that, I think the format that works is
TPMKey ::= SEQUENCE {
type OBJECT IDENTIFIER
version [0] IMPLICIT INTEGER OPTIONAL
emptyAuth [1] IMPLICIT BOOLEAN OPTIONAL
parent [2] IMPLICIT INTEGER OPTIONAL
publicKey [3] IMPLICIT OCTET STRING OPTIONAL
privateKey OCTET STRING
}
Where TPM12 keys would have a TPM12Key type and use no optional fields
(meaning only privateKey) and TPM2 keys would have type TPM2LoadableKey
or TPM2ImportableKey type and then make use of all the optional fields
(except version).
Version is there for future expansion, but is unused in the initial
incarnation.
I'm torn on where to get the OIDs from. Since this is a TPM key, it
might make sense to use the TCG OID (2.23.133) and just add something
they haven't already used, like 10 for key formats, or we could go with
a pkcs OID (1.2.840.113549.1)
If we can agree on this, we can update David's document and make it a
formal RFC.
Thoughts?
James
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
next reply other threads:[~2016-12-23 18:06 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-23 18:06 James Bottomley [this message]
2016-12-23 20:12 ` Proposal for the ASN.1 form of TPM1.2 and TPM2 keys Richard Levitte
[not found] ` <20161223.211218.817856866219152234.levitte-MCmKBN63+BlAfugRpC6u6w@public.gmane.org>
2016-12-23 20:22 ` [openssl-dev] " James Bottomley
2016-12-24 13:25 ` Nikos Mavrogiannopoulos
[not found] ` <CAJU7zaKjXhKJ-3PJD6XrLW2hTixEqL0B56epbqG3trw3jmXjVg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-24 16:13 ` [gnutls-devel] " James Bottomley
2016-12-25 9:18 ` Nikos Mavrogiannopoulos
2016-12-25 18:44 ` [gnutls-devel] " James Bottomley
2016-12-25 21:08 ` Nikos Mavrogiannopoulos
2016-12-25 23:47 ` [gnutls-devel] " James Bottomley
2016-12-26 7:18 ` Nikos Mavrogianopoulos
[not found] ` <F37418F5-0ECC-4F8B-981A-2ED74FAADA51-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-12-26 18:13 ` [gnutls-devel] " James Bottomley
2016-12-26 20:13 ` Nikos Mavrogianopoulos
[not found] ` <671CBF50-E114-4FD1-995A-523C7B63F8D5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-12-29 23:57 ` [gnutls-devel] " James Bottomley
2016-12-27 15:35 ` Erwann Abalea
2016-12-30 15:40 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1482516363.2501.34.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=gnutls-devel-f8S/fY/i+OXSWulAQ3bEYg@public.gmane.org \
--cc=openssl-dev-MCmKBN63+BlAfugRpC6u6w@public.gmane.org \
--cc=tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=trousers-tech-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.