On Thu, 2019-03-14 at 09:57 -0700, David Woodhouse wrote:
> On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote:
> > On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> > > On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> > > > Here's a quick hack to make it work by abusing the OpenSC
> > > > engine config, as a proof of concept. Making it work cleanly so
> > > > that it can be merged is left as an exercise for the reader, or
> > > > perhaps an interested party in one of the mailing lists I've
> > > > added to Cc.
> > 
> > Well, you can't have the engine name hard coded ... that really
> > needs to be some type of parameter, which is going to be 99% of the
> > hassle making a proper patch ...
> 
> And of course, it shouldn't have to be specified at all. If given a
> PEM file which happens to look like a TPM2 engine key, then the
> appropriate engine should be invoked automatically.

Hey, don't beat me on the sore spot ...

> > Just on this particular part: I recently got annoyed with the
> > inability to use TPM keys on Firefox. I did look at the TPM pkcs11
> > projects but they all looked deficient to say the least, so I put
> > together this
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl-pkcs11-export.git
> > 
> > It's a generic engine key to pkcs11 exporter (will work for any
> > OpenSSL engine) driven by a simple ini-like config file. The big
> > advantage it has is that now I can use OpenSSL engines with GnuTLS.
> 
> Nice. I like the fact that it interoperates with the key storage
> format we agreed upon for the ENGINEs.

Actually, it doesn't ... that's the nice thing about the project: it's
entirely key format agnostic. It just takes the engine name and the key
file and hands it to the engine to get it to work. This means it can
work with *any* engine format whatsoever, including a completely
non-compliant TPM one should someone come up with one.

> Although if you just wanted to use those keys with GnuTLS, you could
> have done that directly. I already ported it all except the new
> "importable" keys support.
> 
> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls_tpm2_ibm.c

Well, you know, using engines with GnuTLS does mean we don't have to
write the same code twice over ...

James

> > Going the pkcs11 route is definitely the Heath Robinson approach,
> > so the direct engine route is definitely much better.
> 
> :)

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
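David's point above is that a caller should not have to name the engine: a key file that looks like a TPM2 engine key should route itself. The following is an added illustration (not code from openconnect, the pkcs11 exporter or either engine) of the one safe way to do that, dispatching on the PEM label only and refusing anything it does not recognise rather than guessing; the label strings and the engine name "tpm2" are assumed from the IBM openssl_tpm2_engine format.

```python
import re

# Map PEM labels to the OpenSSL engine that can load them. The label strings
# and the engine name "tpm2" are assumptions taken from openssl_tpm2_engine:
# "TSS2 PRIVATE KEY" is its current label, "TSS2 KEY BLOB" the older one.
# Plain software keys need no engine (None); anything else is refused.
ENGINE_FOR_LABEL = {
    "TSS2 PRIVATE KEY": "tpm2",
    "TSS2 KEY BLOB": "tpm2",
    "PRIVATE KEY": None,
    "ENCRYPTED PRIVATE KEY": None,
    "RSA PRIVATE KEY": None,
    "EC PRIVATE KEY": None,
}

# One well-formed PEM block: BEGIN and END labels must match (backreference \1).
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels of all well-formed PEM blocks in text, in order."""
    return [m.group(1) for m in _PEM_RE.finditer(text)]


def engine_for_pem(text):
    """Pick the engine for a PEM key file from its label alone.

    Returns the engine name, or None for a plain software key. Certificate and
    public-key blocks in the same file are ignored. Raises ValueError when there
    is not exactly one private-key block or its label is unknown, so a caller
    never silently falls back to the wrong loader.
    """
    keys = [l for l in pem_labels(text)
            if l.endswith("PRIVATE KEY") or l.endswith("KEY BLOB")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d" % len(keys))
    if keys[0] not in ENGINE_FOR_LABEL:
        raise ValueError("unrecognised key type: %s" % keys[0])
    return ENGINE_FOR_LABEL[keys[0]]


# Constructed sample inputs; the base64 bodies are placeholders, not real keys.
TPM_PEM = "-----BEGIN TSS2 PRIVATE KEY-----\nTUlJQi4uLiBwbGFjZWhvbGRlcg==\n-----END TSS2 PRIVATE KEY-----\n"
SW_PEM = ("-----BEGIN CERTIFICATE-----\nTUlJQy4uLg==\n-----END CERTIFICATE-----\n"
          "-----BEGIN EC PRIVATE KEY-----\nTUhjQ0FRRUU=\n-----END EC PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(engine_for_pem(TPM_PEM))  # tpm2
    print(engine_for_pem(SW_PEM))   # None
```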