GnuTLS (tpmtools) api for signing data in a TPM
Recently I started working with a TPM (version 1.2), and after checking the oficial GnuTLS API, I was wondering which API functions are the correct ones to do all the crypto stuff inside the chip (sign certificates get pk+ keys etc...).
At the moment Im able of getting this data outside of the TPM so I can sign or get a private key in my C code but thats not what I want.
Thank all!
security cryptography tpm gnutls
asked Nov 23 '18 at 16:28
ArraizArraiz
175
add a comment |
Recently I started working with a TPM (version 1.2), and after checking the oficial GnuTLS API, I was wondering which API functions are the correct ones to do all the crypto stuff inside the chip (sign certificates get pk+ keys etc...).
At the moment Im able of getting this data outside of the TPM so I can sign or get a private key in my C code but thats not what I want.
Thank all!
security cryptography tpm gnutls
asked Nov 23 '18 at 16:28
ArraizArraiz
175
1
You can't get private keys out of the TPM.
– James K Polk
Nov 24 '18 at 20:58
add a comment |
Recently I started working with a TPM (version 1.2), and after checking the oficial GnuTLS API, I was wondering which API functions are the correct ones to do all the crypto stuff inside the chip (sign certificates get pk+ keys etc...).
At the moment Im able of getting this data outside of the TPM so I can sign or get a private key in my C code but thats not what I want.
Thank all!
security cryptography tpm gnutls
asked Nov 23 '18 at 16:28
ArraizArraiz
175
Recently I started working with a TPM (version 1.2), and after checking the oficial GnuTLS API, I was wondering which API functions are the correct ones to do all the crypto stuff inside the chip (sign certificates get pk+ keys etc...).
At the moment Im able of getting this data outside of the TPM so I can sign or get a private key in my C code but thats not what I want.
Thank all!
security cryptography tpm gnutls
security cryptography tpm gnutls
asked Nov 23 '18 at 16:28
ArraizArraiz
175
asked Nov 23 '18 at 16:28
ArraizArraiz
175
asked Nov 23 '18 at 16:28
ArraizArraiz
175
asked Nov 23 '18 at 16:28
ArraizArraiz
175
asked Nov 23 '18 at 16:28
ArraizArraiz
175
175
1
You can't get private keys out of the TPM.
– James K Polk
Nov 24 '18 at 20:58
add a comment |
1
You can't get private keys out of the TPM.
– James K Polk
Nov 24 '18 at 20:58
1
1
You can't get private keys out of the TPM.
– James K Polk
Nov 24 '18 at 20:58
You can't get private keys out of the TPM.
– James K Polk
Nov 24 '18 at 20:58
add a comment |
1 Answer
1
active
oldest
votes
The sequence of events is something like this:
- Invoke
gnutls_tpm_key_list_get_urlto get the list of the TPM keys. - Choose the key you want to sign with from the list and import it with
gnutls_privkey_import_tpm_url. - Now you have the
gnutls_privkey_tobject you can use with the abstract API just like any other key. In your case, you probably want to usegnutls_privkey_sign_dataor one of the similar signing functions.
Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:
Note that we recommend against using TPM with this API because it is
restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers
for TPM such as CHAPS14 or opencryptoki15. These will allow using the
standard smart card and HSM functionality (see Smart cards and HSMs)
for TPM keys.
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
2
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored ingnutls_privkey_t-- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored ingnutls_privkey_tis the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).
– mnistic
Nov 24 '18 at 15:52
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53450131%2fgnutls-tpmtools-api-for-signing-data-in-a-tpm%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The sequence of events is something like this:
- Invoke
gnutls_tpm_key_list_get_urlto get the list of the TPM keys. - Choose the key you want to sign with from the list and import it with
gnutls_privkey_import_tpm_url. - Now you have the
gnutls_privkey_tobject you can use with the abstract API just like any other key. In your case, you probably want to usegnutls_privkey_sign_dataor one of the similar signing functions.
Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:
Note that we recommend against using TPM with this API because it is
restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers
for TPM such as CHAPS14 or opencryptoki15. These will allow using the
standard smart card and HSM functionality (see Smart cards and HSMs)
for TPM keys.
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
2
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored ingnutls_privkey_t-- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored ingnutls_privkey_tis the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).
– mnistic
Nov 24 '18 at 15:52
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
add a comment |
The sequence of events is something like this:
- Invoke
gnutls_tpm_key_list_get_urlto get the list of the TPM keys. - Choose the key you want to sign with from the list and import it with
gnutls_privkey_import_tpm_url. - Now you have the
gnutls_privkey_tobject you can use with the abstract API just like any other key. In your case, you probably want to usegnutls_privkey_sign_dataor one of the similar signing functions.
Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:
Note that we recommend against using TPM with this API because it is
restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers
for TPM such as CHAPS14 or opencryptoki15. These will allow using the
standard smart card and HSM functionality (see Smart cards and HSMs)
for TPM keys.
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
2
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored ingnutls_privkey_t-- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored ingnutls_privkey_tis the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).
– mnistic
Nov 24 '18 at 15:52
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
add a comment |
The sequence of events is something like this:
- Invoke
gnutls_tpm_key_list_get_urlto get the list of the TPM keys. - Choose the key you want to sign with from the list and import it with
gnutls_privkey_import_tpm_url. - Now you have the
gnutls_privkey_tobject you can use with the abstract API just like any other key. In your case, you probably want to usegnutls_privkey_sign_dataor one of the similar signing functions.
Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:
Note that we recommend against using TPM with this API because it is
restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers
for TPM such as CHAPS14 or opencryptoki15. These will allow using the
standard smart card and HSM functionality (see Smart cards and HSMs)
for TPM keys.
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
The sequence of events is something like this:
- Invoke
gnutls_tpm_key_list_get_urlto get the list of the TPM keys. - Choose the key you want to sign with from the list and import it with
gnutls_privkey_import_tpm_url. - Now you have the
gnutls_privkey_tobject you can use with the abstract API just like any other key. In your case, you probably want to usegnutls_privkey_sign_dataor one of the similar signing functions.
Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:
Note that we recommend against using TPM with this API because it is
restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers
for TPM such as CHAPS14 or opencryptoki15. These will allow using the
standard smart card and HSM functionality (see Smart cards and HSMs)
for TPM keys.
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
answered Nov 23 '18 at 17:59
mnisticmnistic
7,1711923
7,1711923
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
2
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored ingnutls_privkey_t-- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored ingnutls_privkey_tis the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).
– mnistic
Nov 24 '18 at 15:52
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
add a comment |
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
2
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored ingnutls_privkey_t-- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored ingnutls_privkey_tis the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).
– mnistic
Nov 24 '18 at 15:52
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
thanks you very much for answering, but that sequence needs to store the key somewhere in the memory (under gnutls_privkey_t ) and that something I need to avoid, what I was looking for is something like 1º get the data i want to sign/encrypt.... 2º tell the GnuTLS to sign that data with this key referenced by some "uuiid" calling something like gnutls_tpm_crypto_stuff(uuid_of_the_key,&data_i_want_to_sign) thanks for telling about chaps and opencryptoki15 going to check it
– Arraiz
Nov 24 '18 at 10:41
2
2
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored in
gnutls_privkey_t -- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored in gnutls_privkey_t is the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).– mnistic
Nov 24 '18 at 15:52
@Arraiz I'm not sure what the problem is, but if your'e concerned that sensitive information about the key is somehow stored in
gnutls_privkey_t -- there's no reason to be. The private key will never leave the TPM, because it can't. The only thing that's stored in gnutls_privkey_t is the TSS context, that allows the TSS to communicate with the TPM and identify the key (including the UUID).– mnistic
Nov 24 '18 at 15:52
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
thanks a lot for the help!! saved my life
– Arraiz
Nov 27 '18 at 12:48
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53450131%2fgnutls-tpmtools-api-for-signing-data-in-a-tpm%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
You can't get private keys out of the TPM.
– James K Polk
Nov 24 '18 at 20:58