[PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
Denis Kenzior
denkenz at gmail.com
Tue Sep 18 05:41:59 UTC 2018

Hi David,

On 09/18/2018 11:17 AM, David Woodhouse wrote:
> On Tue, 2018-09-18 at 00:24 -0500, Denis Kenzior wrote:
>> Hi David,
>>
>> On 09/18/2018 10:50 AM, David Howells wrote:
>>> Denis Kenzior <denkenz at gmail.com> wrote:
>>>
>>>> openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
>>>> -out /tmp/privkey.2048.der
>>>
>>> You can use "... -out - | ..." instead.
>>
>> Aha! okay, that is even more elegant. Your openssl-fu is better than
>> mine :)
>
> 'grep -v ^----- | base64 -d' also works most of the time :)
>
> You are passing the raw DER to the kernel in both cases, right? And the
> kernel just happens to know that if it receives a bare OCTET-STRING
> it's supposed to treat it as a TPMv1.2 key?
>
Short answer: right.

Long answer: The kernel runs all the registered parsers until all fail
or one of them recognizes the format. All the currently supported
asymmetric key formats are DER based, e.g. PKCS8, PKCS7, TPM-1.2, etc.
All these have a very specific DER structure with the TPM-1.2 being the
simplest format.

Regards,
-Denis
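
The try-each-parser dispatch described in this message, as an added Python example that is not part of the original email and is not kernel code: it strips PEM armor the way `grep -v ^----- | base64 -d` does, reads the outermost DER tag and length, and lets simplified stand-in parsers claim the blob. The parser names, the armor label and the sample blob are assumptions constructed for illustration; real parsers validate the full inner structure, not just the outer tag.

```python
import base64

def pem_to_der(pem: str) -> bytes:
    """Same effect as `grep -v ^----- | base64 -d`: drop armor lines, decode the rest."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

def read_tlv(der: bytes):
    """Return (tag, content) of the outermost element; reject short or trailing data."""
    if len(der) < 2:
        raise ValueError("truncated header")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short-form length
        length, off = first, 2
    else:                                 # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        length, off = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if off + length != len(der):
        raise ValueError("length does not match blob size")
    return tag, der[off:]

def parse_tpm12(der):           # hypothetical stand-in: bare OCTET STRING (tag 0x04)
    tag, _ = read_tlv(der)
    return "tpm-1.2" if tag == 0x04 else None

def parse_sequence_based(der):  # hypothetical stand-in for SEQUENCE-wrapped formats (tag 0x30)
    tag, _ = read_tlv(der)
    return "sequence-based" if tag == 0x30 else None

PARSERS = [parse_sequence_based, parse_tpm12]

def classify(der: bytes):
    """Run every registered parser until one recognizes the blob; None if all fail."""
    for parser in PARSERS:
        try:
            result = parser(der)
        except ValueError:
            result = None
        if result:
            return result
    return None

# Constructed sample: 300 placeholder bytes wrapped as an OCTET STRING, then PEM-armored.
SAMPLE_DER = b"\x04\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = ("-----BEGIN CONSTRUCTED BLOB-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CONSTRUCTED BLOB-----\n")
```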