On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote:
> On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> > On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> > > Here's a quick hack to make it work by abusing the OpenSC engine
> > > config, as a proof of concept. Making it work cleanly so that it
> > > can be merged is left as an exercise for the reader, or perhaps an
> > > interested party in one of the mailing lists I've added to Cc.
>
> Well, you can't have the engine name hard coded ... that really needs
> to be some type of parameter, which is going to be 99% of the hassle
> making a proper patch ...

And of course, it shouldn't have to be specified at all. If given a PEM file which happens to look like a TPM2 engine key, then the appropriate engine should be invoked automatically.

> Just on this particular part: I recently got annoyed with the inability
> to use TPM keys on Firefox. I did look at the tpm pkcs11 projects but
> they all looked deficient to say the least, so I put together this
>
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl-pkcs11-export.git
>
> It's a generic engine key to pkcs11 exporter (will work for any openssl
> engine) driven by a simple ini-like config file. The big advantage it
> has is that now I can use openssl engines with gnutls.

Nice. I like the fact that it interoperates with the key storage format we agreed upon for the ENGINEs.

Although if you just wanted to use those keys with GnuTLS, you could have done that directly. I already ported it all except the new "importable" keys support.

http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls_tpm2_ibm.c

> Going the pkcs11 route is definitely the Heath Robinson approach, so
> the direct engine route is definitely much better.

:)
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap