On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>
> Example usage for a PKCS#8 blob:
>
>	j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
>	    keyctl padd asymmetric foo @s`
>
> Example usage for a TPM wrapped blob:
>
>	openssl genrsa -out /tmp/privkey.foo.pem 2048
>	create_tpm_key -s 2048 -w /tmp/privkey.foo.pem /tmp/privkey.foo.tpm
>	j=`openssl asn1parse -inform pem -in /tmp/privkey.foo.tpm -noout |
>	    keyctl padd asymmetric foo @s`

Those examples aren't equivalent. For the PKCS#8 blob you are first using openssl to convert from an encrypted PKCS#8 PEM to unencrypted DER, presumably because you haven't added decryption support (or base64 decode) to keyctl yet.

For the TPM example though, you are also showing the *generation* of the key, and importing it into the TPM.

And then I'm confused by the 'openssl asn1parse' line there... what is that actually doing? If I run it on a '-----BEGIN TSS KEY BLOB-----' file I have lying around, I get no output at all.
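The PEM-versus-DER distinction raised in the message above, as an added example that is not part of the original e-mail or of the patch under review: a Python helper that reads the armor label, base64-decodes the body and checks the outer DER length before the bytes are handed to a loader. It assumes the consumer wants raw DER, as the quoted PKCS#8 pipeline implies; the function names and the five-byte sample are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Armor labels relevant to this thread; "TSS KEY BLOB" is the one quoted above.
LABELS = {
    "PRIVATE KEY": "pkcs8-unencrypted",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "TSS KEY BLOB": "tpm-wrapped",
}

def pem_to_der(text):
    """Strip the PEM armor and return (label, DER bytes)."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM armor found")
    body = "".join(m.group(2).split())
    return m.group(1), base64.b64decode(body, validate=True)

def der_outer_length(der):
    """Total size of the outer SEQUENCE (header plus content) per its length field."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short form
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def prepare_for_keyring(text):
    """Return (kind, der) for a raw-DER consumer (assumed), or raise ValueError."""
    label, der = pem_to_der(text)
    kind = LABELS.get(label, "unknown")
    if kind == "pkcs8-encrypted":
        raise ValueError("encrypted PKCS#8: decrypt before loading")
    if der_outer_length(der) != len(der):
        raise ValueError("DER is truncated or has trailing bytes")
    return kind, der

def armor(label, der):
    """Wrap DER bytes in PEM armor (used to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: SEQUENCE { INTEGER 0 }, not a real key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
```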