lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <fdee179b-cfdf-7a2b-3193-e114f0084ecb@gmail.com>
Date:   Mon, 17 Sep 2018 23:34:45 -0500
From:   Denis Kenzior <denkenz@...il.com>
To:     David Woodhouse <dwmw2@...radead.org>,
        David Howells <dhowells@...hat.com>, jmorris@...ei.org
Cc:     keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops

Hi David,

On 09/18/2018 01:59 AM, David Woodhouse wrote:
> On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>>
>> Example usage for a PKCS#8 blob:
>>
>>          j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
>>              keyctl padd asymmetric foo @s`

The kernel expects a raw DER formatted PKCS8 certificate.  And as you 
point out, keyctl doesn't grok PEM files.  So, that is why this is being 
done via openssl.  The example above simply shows one how to import a 
private key in PEM format into the kernel keys framework.

>>
>> Example usage for a TPM wrapped blob:
>>
>>          openssl genrsa -out /tmp/privkey.foo.pem 2048
>>          create_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
>>          j=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
>>              keyctl padd asymmetric foo @s`
> 
> Those examples aren't equivalent. For the PKCS#8 blob you are first
> using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
> DER, presumably because you haven't added decryption support (or base64
> decode) to keyctl yet.

To be pedantic, it converts an optionally encrypted PEM to unencrypted 
DER.  But yes, correct.

> 
> For the TPM example though, you are also showing the *generation* of
> the key, and importing it into the TPM. And then I'm confused by the
> 'openssl asn1parse' line there... what is that actually doing? If I run
> it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
> no output at all.
> 

Same thing applies as above.  The kernel has no PEM parser, so the raw 
DER must be passed in.  openssl asn1parse line simply does that.  It 
strips the PEM layer leaving the raw DER.

However, now that you mention it, the actual command incantation is 
wrong.  It seems openssl asn1parse acts slightly different from openssl 
pkcs8 and so it needs to be modified to add an extra -out parameter.  So 
the example incantation should be:

   openssl genrsa -out /tmp/privkey.2048.pem 2048
   create_tpm_key -s 2048 -w /tmp/privkey.2048.pem /tmp/privkey.2048.tpm
   openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
			-out /tmp/privkey.2048.der
   j=`cat /tmp/privkey.2048.der | keyctl padd asymmetric tpm @u`
   echo "TPM key serial is: $j"

Sorry, I should have caught this earlier.

Regards,
-Denis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ