-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support description field #120
Comments
This project does not support the structure mentioned in the referenced document. Before implementing something I prefer to wait until the draft gets adopted by some IETF WG. |
ok, thats very fair; (i thought it was actually adopted); closing this till its official |
@gotthardp Okay, which spec does this tool implement? |
reopening :) (shoud've asekd that too!) i suspect its derived back which references this https://marc.info/?l=openssl-dev&m=148305587514229&w=2 so, i don't know if whats now actual standard or inuse locally only |
Okay, the discussion makes it clear to me that I suspect it would be nice to standardize this format though. @jejb how should we proceed to standardize this under IETF? |
On Thu, 2024-10-10 at 04:18 -0700, Morten Linderud wrote:
Okay, the discussion makes it clear to me that `tpm2-openssl` is
actually just implementing an older iteration of the spec as proposed
by James in 2016.
Actually, I think this bug report indicates not properly implementing
even that. The design of the spec and its enhancements was to keep
everything interoperable. Part of that interoperability is simply
ignoring any optional const you don't understand, which would mean the
description should simply have been unused. Obviously this doesn't
work for things like importable keys, where you have to understand the
optional const 2 for secret, but even if you ignore it, the error
occurs lower down in TPM2_Load.
I suspect it would be nice to standardize this format though. @jejb
how should we proceed to standardize this under IETF?
The only thing still missing, that was asked for by Matthew Garrett, is
creation data. It looks simple to do and I asked him to propose an
addition. However, it's also possible to proceed without it.
Regards,
James
|
That sounds like a great addition so it's probably a good idea to wait for it. Thanks! |
fwiw, openssl also also fails outright if the key has policysyntax but as above, worth awaiting it its official for ref, i'm not sure if i did it quite right but i tried to reconstruct a basic (pcr, policyauthvalue) policy command sequence in go here and generically here. I'll file a FR for go-tpm to help convert |
Is there any ETA for this? I don't need support for the field, just to be able to use keys which happen to contain it. |
if the specs alteast here mentions a "description" field which can get encoded into PEM tpm keys:
However, it looks like that if the key contains that field, the provider fails outright.
this bug is to support reading in keys with that field:
if you try to read in the key, you'll see
$ openssl rsa -provider tpm2 -provider default -in private.pem --text Could not read private key from private.pem 40C7EFD7647D0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
if you want to generate a new key, i wroteup a small analog for
tpm2tss-genkey
here in goThe text was updated successfully, but these errors were encountered: