Peter Djalaliev wrote:
> ftp://ftp.compaq.com/pub/products/security/embedded_security_-_implementation.pdf
>
> ...and as the ProtectTools implementation white-paper explains, their
> Embedded Security Manager uses the TPM to create wrapping keys, which
> are then used to encrypt the private keys of the user. The wrapped
> keys are then stored on the hard disk.
>
> So, Dave's key (the one generated by his CA) was probably never in the
> TPM, but it was wrapped by a key stored in the TPM. I wonder, could
> this be why the key could not be found in the PKCS#11 module? The HP
> implementation whitepaper makes it clear that:
>
> "The TPM can also protect keys generated outside
> ProtectTools Embedded Security. In this case, keys
> can be presented to the TPM through either the
> CryptoAPI or PKCS#11 interface."
>
> I would guess that these keys can also be accessed through the PKCS#11
> interface, but...
I would expect that these details all go on beneath the PKCS#11 API layer, and are all hidden inside of the PKCS#11 module. I suspect that the wrapped keys (wherever they physically reside) still appear as PKCS#11 objects in the PKCS#11 "slot" or "token", and would be findable through the PKCS#11 C_FindObjects function.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
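The check the reply suggests, carried out in code, as an added example from the editor rather than anything from the thread, from HP/Compaq or from Mozilla: load a vendor's PKCS#11 shared library, enumerate the private-key objects with C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal using a CKA_CLASS == CKO_PRIVATE_KEY template, and do it once before and once after C_Login, because private objects are only visible to a logged-in session, which is the first thing to rule out when a key "cannot be found". Only the standard library is used: a prefix of CK_FUNCTION_LIST is declared with ctypes in the member order given by the Cryptoki specification. The module path and user PIN on the command line, and the Unix (unpacked) struct layout, are assumptions.

```python
"""List the private-key objects a PKCS#11 module exposes, before and after C_Login."""
import ctypes
import sys

# Cryptoki types and constants; the values are those of the PKCS#11 specification.
CK_ULONG = CK_RV = ctypes.c_ulong
P = ctypes.c_void_p
CKR_OK, CKF_SERIAL_SESSION, CKU_USER, CKO_PRIVATE_KEY = 0, 0x4, 1, 3
CKA_CLASS, CKA_LABEL, CKA_ID = 0x0, 0x3, 0x102
CK_UNAVAILABLE_INFORMATION = ctypes.c_ulong(-1).value

class CK_ATTRIBUTE(ctypes.Structure):
    _fields_ = [("type", CK_ULONG), ("pValue", P), ("ulValueLen", CK_ULONG)]

# Prototypes for the entry points this script calls; every other member stays an opaque pointer.
_F, _PU, _PA = ctypes.CFUNCTYPE, ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ATTRIBUTE)
_TYPED = {
    "C_Initialize": _F(CK_RV, P),
    "C_Finalize": _F(CK_RV, P),
    "C_GetSlotList": _F(CK_RV, ctypes.c_ubyte, _PU, _PU),
    "C_OpenSession": _F(CK_RV, CK_ULONG, CK_ULONG, P, P, _PU),
    "C_Login": _F(CK_RV, CK_ULONG, CK_ULONG, ctypes.c_char_p, CK_ULONG),
    "C_GetAttributeValue": _F(CK_RV, CK_ULONG, CK_ULONG, _PA, CK_ULONG),
    "C_FindObjectsInit": _F(CK_RV, CK_ULONG, _PA, CK_ULONG),
    "C_FindObjects": _F(CK_RV, CK_ULONG, _PU, CK_ULONG, _PU),
    "C_FindObjectsFinal": _F(CK_RV, CK_ULONG),
}
# The first 29 members of CK_FUNCTION_LIST in specification order. Only this prefix is read
# through the pointer the module returns, so the real, longer struct is never copied or overrun.
# Unix layout is assumed (the 1-byte packing the spec mandates applies only on Windows).
_ORDER = ("C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList C_GetSlotInfo "
          "C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo C_InitToken C_InitPIN C_SetPIN "
          "C_OpenSession C_CloseSession C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
          "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject "
          "C_GetObjectSize C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit "
          "C_FindObjects C_FindObjectsFinal").split()

class CK_FUNCTION_LIST(ctypes.Structure):
    _fields_ = [("version", ctypes.c_ubyte * 2)] + [(n, _TYPED.get(n, P)) for n in _ORDER]

def function_index(name):
    # 1-based position of a member in CK_FUNCTION_LIST; a self-check of the layout above.
    return getattr(CK_FUNCTION_LIST, name).offset // ctypes.sizeof(P)

def check(rv, what):
    if rv != CKR_OK:
        raise RuntimeError("%s failed with CKR 0x%x" % (what, rv))

def get_attr(fl, session, obj, attr_type):
    # Two-pass C_GetAttributeValue: query the length first, then fetch the bytes.
    a = (CK_ATTRIBUTE * 1)()
    a[0].type, a[0].pValue, a[0].ulValueLen = attr_type, None, 0
    if (fl.C_GetAttributeValue(session, obj, a, 1) != CKR_OK
            or a[0].ulValueLen in (0, CK_UNAVAILABLE_INFORMATION)):
        return b""
    buf = ctypes.create_string_buffer(a[0].ulValueLen)
    a[0].pValue = ctypes.addressof(buf)
    check(fl.C_GetAttributeValue(session, obj, a, 1), "C_GetAttributeValue")
    return buf.raw[:a[0].ulValueLen]

def find_private_keys(fl, session):
    # C_FindObjectsInit / C_FindObjects loop / C_FindObjectsFinal with a one-attribute
    # template CKA_CLASS == CKO_PRIVATE_KEY; returns (handle, CKA_LABEL, CKA_ID) tuples.
    cls = CK_ULONG(CKO_PRIVATE_KEY)
    tmpl = (CK_ATTRIBUTE * 1)()
    tmpl[0].type, tmpl[0].pValue, tmpl[0].ulValueLen = CKA_CLASS, ctypes.addressof(cls), ctypes.sizeof(cls)
    check(fl.C_FindObjectsInit(session, tmpl, 1), "C_FindObjectsInit")
    found, handles, n = [], (CK_ULONG * 16)(), CK_ULONG()
    try:
        while True:
            check(fl.C_FindObjects(session, handles, 16, ctypes.byref(n)), "C_FindObjects")
            if n.value == 0:  # the search is exhausted once no more handles come back
                break
            for h in handles[:n.value]:
                found.append((h, get_attr(fl, session, h, CKA_LABEL), get_attr(fl, session, h, CKA_ID)))
    finally:
        fl.C_FindObjectsFinal(session)
    return found

def main(module_path, pin):
    lib = ctypes.CDLL(module_path)  # the vendor's PKCS#11 shared library (path is an assumption)
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    flp = ctypes.POINTER(CK_FUNCTION_LIST)()
    check(lib.C_GetFunctionList(ctypes.byref(flp)), "C_GetFunctionList")
    fl = flp.contents
    check(fl.C_Initialize(None), "C_Initialize")
    try:
        n = CK_ULONG()
        check(fl.C_GetSlotList(1, None, ctypes.byref(n)), "C_GetSlotList")  # tokenPresent = TRUE
        if n.value == 0:
            raise RuntimeError("no token present")
        slots = (CK_ULONG * n.value)()
        check(fl.C_GetSlotList(1, slots, ctypes.byref(n)), "C_GetSlotList")
        session = CK_ULONG()
        check(fl.C_OpenSession(slots[0], CKF_SERIAL_SESSION, None, None, ctypes.byref(session)), "C_OpenSession")
        # Private objects (CKA_PRIVATE = TRUE) are hidden from a public session, so an empty
        # list here does not mean the wrapped key is absent from the token.
        print("before C_Login:", find_private_keys(fl, session.value))
        pin_bytes = pin.encode()
        check(fl.C_Login(session.value, CKU_USER, pin_bytes, len(pin_bytes)), "C_Login")
        print("after C_Login: ", find_private_keys(fl, session.value))
    finally:
        fl.C_Finalize(None)  # also closes the open session

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])  # usage: script.py /path/to/vendor-pkcs11.so <user PIN>
```

If the key shows up only in the "after C_Login" list, the module is behaving as the reply expects: the wrapped key is an ordinary token object, merely a private one. If it is missing from both lists even with the right PIN, the object really is not being exposed through the slot, and the question moves to the vendor module rather than to the application.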