Subject: Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
To: David Woodhouse, David Howells, jmorris@namei.org
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
References: <153618445730.7946.10001472635835806478.stgit@warthog.procyon.org.uk> <1537253993.20009.62.camel@infradead.org>
From: Denis Kenzior
Date: Mon, 17 Sep 2018 23:34:45 -0500
In-Reply-To: <1537253993.20009.62.camel@infradead.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi David,

On 09/18/2018 01:59 AM, David Woodhouse wrote:
> On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>>
>> Example usage for a PKCS#8 blob:
>>
>>         j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
>>             keyctl padd asymmetric foo @s`

The kernel expects a raw DER formatted PKCS8 certificate.  And as you point out, keyctl doesn't grok PEM files.  So, that is why this is being done via openssl.  The example above simply shows one how to import a private key in PEM format into the kernel keys framework.

>>
>> Example usage for a TPM wrapped blob:
>>
>>         openssl genrsa -out /tmp/privkey.foo.pem 2048
>>         create_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
>>         j=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
>>             keyctl padd asymmetric foo @s`
>
> Those examples aren't equivalent. For the PKCS#8 blob you are first
> using openssl to convert from an encrypted PKCS#8 PEM to unencrypted
> DER, presumably because you haven't added decryption support (or base64
> decode) to keyctl yet.

To be pedantic, it converts an optionally encrypted PEM to unencrypted DER.  But yes, correct.

>
> For the TPM example though, you are also showing the *generation* of
> the key, and importing it into the TPM. And then I'm confused by the
> 'openssl asn1parse' line there... what is that actually doing? If I run
> it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get
> no output at all.
>

Same thing applies as above.  The kernel has no PEM parser, so the raw DER must be passed in.  The openssl asn1parse line simply does that.  It strips the PEM layer, leaving the raw DER.

However, now that you mention it, the actual command incantation is wrong.  It seems openssl asn1parse acts slightly differently from openssl pkcs8 and so it needs to be modified to add an extra -out parameter.  So the example incantation should be:

openssl genrsa -out /tmp/privkey.2048.pem 2048
create_tpm_key -s 2048 -w /tmp/privkey.2048.pem /tmp/privkey.2048.tpm
openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
    -out /tmp/privkey.2048.der
j=`cat /tmp/privkey.2048.der | keyctl padd asymmetric tpm @u`
echo "TPM key serial is: $j"

Sorry, I should have caught this earlier.

Regards,
-Denis
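The point both replies turn on is that `keyctl padd asymmetric` accepts only raw DER, so every PEM-armoured file (an unencrypted PKCS#8 "PRIVATE KEY" block or a "TSS KEY BLOB" from create_tpm_key) has to be stripped of its base64 armour first, and an encrypted PKCS#8 block has to be decrypted before that. The script below is an added example, not part of the thread or of the keyutils project: it does the stripping with sed and base64 instead of openssl, refuses encrypted PKCS#8 input, sanity-checks that the result starts with a DER SEQUENCE tag (0x30), and only then hands the bytes to `keyctl padd` on the user keyring (`@u`, as in Denis's corrected incantation). The `load_key` step assumes keyutils is installed; the PEM used for checking is a constructed 5-byte SEQUENCE, not a real key.

```shell
#!/bin/sh
# Added example (not from the thread): strip a PEM wrapper down to raw DER,
# which is the only form `keyctl padd asymmetric` accepts, then load it.
set -eu

# pem_to_der FILE: write the raw DER bytes of the first PEM block in FILE
# to stdout. Works for any BEGIN/END label (PRIVATE KEY, TSS KEY BLOB, ...).
# Refuses encrypted PKCS#8, because the kernel has no decryption step; such
# a file must first go through `openssl pkcs8 -topk8 -nocrypt`.
pem_to_der() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo "pem_to_der: $1 is an encrypted PKCS#8 blob; decrypt it first" >&2
        return 1
    fi
    # Keep only the base64 lines between the armour lines, then decode.
    sed -n '/^-----BEGIN /,/^-----END /{/^-----/d;p;}' "$1" | tr -d '\r' | base64 -d
}

# der_tag FILE: hex of the first byte of FILE. Both a PKCS#8 PrivateKeyInfo
# and a TSS key blob are DER SEQUENCEs, so a sane input starts with "30".
der_tag() {
    od -An -tx1 -N1 "$1" | tr -d ' \n'
}

# load_key DESC DERFILE: import the DER blob into the user keyring as an
# asymmetric key named DESC and print the key serial (what keyctl returns).
# Assumes keyutils' keyctl is installed; not exercised by the check below.
load_key() {
    keyctl padd asymmetric "$1" @u < "$2"
}

# main DESC PEMFILE: the whole pipeline, equivalent to the openssl-based
# incantations in the thread but with the DER check in between.
main() {
    der=$(mktemp)
    pem_to_der "$2" > "$der"
    if [ "$(der_tag "$der")" != "30" ]; then
        echo "main: $2 did not decode to a DER SEQUENCE" >&2
        rm -f "$der"
        exit 1
    fi
    serial=$(load_key "$1" "$der")
    rm -f "$der"
    echo "key serial is: $serial"
}

# Usage: sh pem2key.sh foo private_key.pem
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Run it as `sh pem2key.sh tpm /tmp/privkey.2048.tpm` to get the same effect as the corrected asn1parse + keyctl pair; the DER check is the cheap guard that catches the failure Woodhouse hit (a command that produces no output), since an empty file has no leading 0x30 byte and the import is refused before keyctl ever sees it.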