From: denkenz@gmail.com (Denis Kenzior)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
Date: Mon, 17 Sep 2018 23:34:45 -0500
Message-ID: <fdee179b-cfdf-7a2b-3193-e114f0084ecb@gmail.com>
In-Reply-To: <1537253993.20009.62.camel@infradead.org>

Hi David,

On 09/18/2018 01:59 AM, David Woodhouse wrote:
> On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>>
>> Example usage for a PKCS#8 blob:
>>
>>     j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
>>         keyctl padd asymmetric foo @s`

The kernel expects a raw DER formatted PKCS8 certificate. And as you
point out, keyctl doesn't grok PEM files. So, that is why this is being
done via openssl. The example above simply shows one how to import a
private key in PEM format into the kernel keys framework.

>>
>> Example usage for a TPM wrapped blob:
>>
>>     openssl genrsa -out /tmp/privkey.foo.pem 2048
>>     create_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
>>     j=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
>>         keyctl padd asymmetric foo @s`
>
> Those examples aren't equivalent. For the PKCS#8 blob you are first
> using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
> DER, presumably because you haven't added decryption support (or base64
> decode) to keyctl yet.

To be pedantic, it converts an optionally encrypted PEM to unencrypted
DER. But yes, correct.

>
> For the TPM example though, you are also showing the *generation* of
> the key, and importing it into the TPM. And then I'm confused by the
> 'openssl asn1parse' line there... what is that actually doing? If I run
> it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
> no output at all.
>

Same thing applies as above. The kernel has no PEM parser, so the raw
DER must be passed in. The openssl asn1parse line simply does that. It
strips the PEM layer leaving the raw DER.

However, now that you mention it, the actual command incantation is
wrong. It seems openssl asn1parse acts slightly differently from openssl
pkcs8 and so it needs to be modified to add an extra -out parameter. So
the example incantation should be:

    openssl genrsa -out /tmp/privkey.2048.pem 2048
    create_tpm_key -s 2048 -w /tmp/privkey.2048.pem /tmp/privkey.2048.tpm
    openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
        -out /tmp/privkey.2048.der
    j=`cat /tmp/privkey.2048.der | keyctl padd asymmetric tpm @u`
    echo "TPM key serial is: $j"

Sorry, I should have caught this earlier.

Regards,
-Denis
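
Added example, not part of the original message or of the patch series: the message above says the kernel needs raw DER with the PEM layer stripped, so this sketch shows what that stripping amounts to and checks the resulting DER before it is piped to keyctl. The helper names pem_to_der and der_outer_ok are hypothetical, the sample blob is constructed, and the refusal of encrypted input assumes (per the thread) that the import path takes unencrypted DER only.

```shell
#!/bin/sh
# Added example, not from the thread. pem_to_der and der_outer_ok are
# hypothetical helper names; the sample blob in demo() is constructed.

# pem_to_der IN.pem OUT.der: base64-decode the body between BEGIN/END lines.
# Refuses encrypted input, since the thread says unencrypted DER is expected.
pem_to_der() {
    body=$(awk '
        { sub(/\r$/, "") }
        /^-----BEGIN [^-]+-----$/ { if ($0 ~ /ENCRYPTED/) bad = 1
                                    inblk = 1; seen = 1; next }
        /^-----END [^-]+-----$/   { inblk = 0; next }
        inblk && /^(Proc-Type|DEK-Info):/ { bad = 1 }
        inblk && NF { print }
        END { if (!seen || bad) exit 1 }
    ' "$1") || return 1
    printf '%s\n' "$body" | base64 -d > "$2"
}

# der_outer_ok FILE.der: outer tag must be SEQUENCE (0x30) and its encoded
# length must account for every byte, which catches truncated or padded output.
der_outer_ok() {
    size=$(( $(wc -c < "$1") ))
    set -- $(od -An -v -tu1 -N6 "$1")
    [ "$#" -ge 2 ] && [ "$1" -eq 48 ] || return 1
    if [ "$2" -lt 128 ]; then            # short form: length in one byte
        hdr=2; len=$2
    else                                 # long form: 0x80|n, then n length bytes
        n=$(( $2 - 128 )); shift 2
        [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ "$#" -ge "$n" ] || return 1
        hdr=$(( 2 + n )); len=0
        while [ "$n" -gt 0 ]; do
            len=$(( len * 256 + $1 )); shift; n=$(( n - 1 ))
        done
    fi
    [ $(( hdr + len )) -eq "$size" ]
}

# Constructed sample: SEQUENCE { INTEGER 1, OCTET STRING "abc" } in TSS armor.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN TSS KEY BLOB-----' 'MAgCAQEEA2FiYw==' \
        '-----END TSS KEY BLOB-----' > "$d/sample.pem"
    pem_to_der "$d/sample.pem" "$d/sample.der" && der_outer_ok "$d/sample.der"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo && echo "DER ok: keyctl padd asymmetric tpm @u < /tmp/privkey.2048.der"
```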