| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Sep 2018 07:59:53 +0100
From: David Woodhouse <dwmw2@...radead.org>
To: David Howells <dhowells@...hat.com>, jmorris@...ei.org
Cc: denkenz@...il.com, keyrings@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>
> Example usage for a PKCS#8 blob:
>
> j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
> keyctl padd asymmetric foo @s`
>
> Example usage for a TPM wrapped blob:
>
> openssl genrsa -out /tmp/privkey.foo.pem 2048
> create_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
> j=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
> keyctl padd asymmetric foo @s`
Those examples aren't equivalent. For the PKCS#8 blob you are first
using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
DER, presumably because you haven't added decryption support (or base64
decode) to keyctl yet.
For the TPM example though, you are also showing the *generation* of
the key, and importing it into the TPM. And then I'm confused by the
'openssl asn1parse' line there... what is that actually doing? If I run
it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
no output at all.
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5213 bytes)
Powered by blists - more mailing lists