On Sat, Mar 2, 2013 at 10:36 PM, Jonathan Buhacoff <[email protected]> wrote: > Hi, > > I have a school project to make use of a TPM to store the server's RSA > private key for use with openssl. Specifically, that private key would be > sealed to certain PCR values that are also encoded in the X509 certificate so > that, when clients make a TLS connection to the server, clients trusting that > particular X509 certificate know that a connection can only be established if > the server's state corresponds to the what is on the certificate. > > When a server needs to decrypt the client challenge in order to prepare the > server-verify message, instead of loading its private key from disk and > performing an RSA decryption, in this project the server would use the > trousers library to pass the material to be decrypted to the TPM and get the > results. Everything before and after this step should stay the same. > > I think the relevant code is in ssl3_get_client_key_exchange, because it > calls RSA_private_decrypt. > > My question is - should I be writing a patch for the default engine to allow > this option to keep the private key in the TPM? or should I be writing a new > engine that is essentially a copy of the default engine except for this one > change? What makes more sense if I'm going to contribute the code after my > project is done?
We have a TPM engine available on the trousers site: https://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.2/ We may not have a utility that lets you generate a key with PCRs though. You can find lots of sample code in the testsuite, available in git: git://trousers.git.sourceforge.net/gitroot/trousers/testsuite Kent > A related consideration is that the configuration would need to accommodate > this option, either by allowing another format for the private key file > option or by creating a new custom option. > > All opinions welcome... > > Thanks, > > Jonathan > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List [email protected] > Automated List Manager [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
