Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops

From: Denis Kenzior
Date: Tue Sep 18 2018 - 11:21:29 EST

Next message: Casey Schaufler: "Re: [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock"
Previous message: Daniel Vetter: "Re: [PATCH] gpu: do not double put device node in zx_drm_probe"
In reply to: David Woodhouse: "Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops"
Next in thread: David Howells: "Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi David,

On 09/18/2018 01:59 AM, David Woodhouse wrote:

On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:

Example usage for a PKCS#8 blob:

ÂÂÂÂÂÂÂÂj=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
ÂÂÂÂÂÂÂÂÂÂÂ keyctl padd asymmetric foo @s`

The kernel expects a raw DER formatted PKCS8 certificate. And as you point out, keyctl doesn't grok PEM files. So, that is why this is being done via openssl. The example above simply shows one how to import a private key in PEM format into the kernel keys framework.

Example usage for a TPM wrapped blob:

ÂÂÂÂÂÂÂÂopenssl genrsa -out /tmp/privkey.foo.pem 2048
ÂÂÂÂÂÂÂÂcreate_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
ÂÂÂÂÂÂÂÂj=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
ÂÂÂÂÂÂÂÂÂÂÂ keyctl padd asymmetric foo @s`

Those examples aren't equivalent. For the PKCS#8 blob you are first
using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
DER, presumably because you haven't added decryption support (or base64
decode) to keyctl yet.

To be pedantic, it converts an optionally encrypted PEM to unencrypted DER. But yes, correct.

For the TPM example though, you are also showing the *generation* of
the key, and importing it into the TPM. And then I'm confused by the
'openssl asn1parse' line there... what is that actually doing? If I run
it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
no output at all.

Same thing applies as above. The kernel has no PEM parser, so the raw DER must be passed in. openssl asn1parse line simply does that. It strips the PEM layer leaving the raw DER.

However, now that you mention it, the actual command incantation is wrong. It seems openssl asn1parse acts slightly different from openssl pkcs8 and so it needs to be modified to add an extra -out parameter. So the example incantation should be:

openssl genrsa -out /tmp/privkey.2048.pem 2048
create_tpm_key -s 2048 -w /tmp/privkey.2048.pem /tmp/privkey.2048.tpm
openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
-out /tmp/privkey.2048.der
j=`cat /tmp/privkey.2048.der | keyctl padd asymmetric tpm @u`
echo "TPM key serial is: $j"

Sorry, I should have caught this earlier.

Regards,
-Denis

Next message: Casey Schaufler: "Re: [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and Landlock"
Previous message: Daniel Vetter: "Re: [PATCH] gpu: do not double put device node in zx_drm_probe"
In reply to: David Woodhouse: "Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops"
Next in thread: David Howells: "Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]