Re: [openssl-users] OpenSSL engine and TPM usage.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] OpenSSL engine and TPM usage.

Richard Levitte - VMS Whacker-2
In message <CALq8RvLJVQtPhxtQuJzK5oWpb9w79u02FeW1ZoN636va6=[hidden email]> on Wed, 25 Oct 2017 22:36:45 +0530, Jayalakshmi bhat <[hidden email]> said:

bhat.jayalakshmi> Our device uses TPM to protect certificate private
bhat.jayalakshmi> keys. We have written engine interface to integrate
bhat.jayalakshmi> TPM functionality into OpenSSL. Thus TPM gets loaded
bhat.jayalakshmi> as an engine instance. Also we have mapped RSA
bhat.jayalakshmi> operations to TPM APIS as like encryption/decryption
bhat.jayalakshmi> etc.
bhat.jayalakshmi>
bhat.jayalakshmi> Now we are into few issues. there are few
bhat.jayalakshmi> applications that wants to use application specific
bhat.jayalakshmi> identity certificate. In such cases RSA APIs should
bhat.jayalakshmi> not get mapped to TPM APIs.
bhat.jayalakshmi>
bhat.jayalakshmi> I wanted to know when we use engine instance for
bhat.jayalakshmi> encyrption/decryption operation, can it be done
bhat.jayalakshmi> selectively?

Yes, it should be possible.  However, this is up to the application,
not to your engine.  The engine simply offers methods, the application
chooses to use some or all of them as default algo implementations
through the diverse ENGINE_set_default* functions.

For keys such as RSA ones, you can simply create the resulting fetched
key with RSA_new_method(e), where |e| is your TPM engine, and your
engine's RSA method will be attached to that key rather than the
default.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] OpenSSL engine and TPM usage.

James Bottomley
On Thu, 2017-10-26 at 13:57 +0200, Richard Levitte wrote:

> In message <CALq8RvLJVQtPhxtQuJzK5oWpb9w79u02FeW1ZoN636va6=F7NA@mail.
> gmail.com> on Wed, 25 Oct 2017 22:36:45 +0530, Jayalakshmi bhat <bhat
> .[hidden email]> said:
>
> bhat.jayalakshmi> Our device uses TPM to protect certificate private
> bhat.jayalakshmi> keys. We have written engine interface to integrate
> bhat.jayalakshmi> TPM functionality into OpenSSL. Thus TPM gets
> loaded
> bhat.jayalakshmi> as an engine instance. Also we have mapped RSA
> bhat.jayalakshmi> operations to TPM APIS as like
> encryption/decryption
> bhat.jayalakshmi> etc.
> bhat.jayalakshmi> 
> bhat.jayalakshmi> Now we are into few issues. there are few
> bhat.jayalakshmi> applications that wants to use application specific
> bhat.jayalakshmi> identity certificate. In such cases RSA APIs should
> bhat.jayalakshmi> not get mapped to TPM APIs.
> bhat.jayalakshmi> 
> bhat.jayalakshmi> I wanted to know when we use engine instance for
> bhat.jayalakshmi> encyrption/decryption operation, can it be done
> bhat.jayalakshmi> selectively?
>
> Yes, it should be possible.  However, this is up to the application,
> not to your engine.  The engine simply offers methods, the
> application
> chooses to use some or all of them as default algo implementations
> through the diverse ENGINE_set_default* functions.
>
> For keys such as RSA ones, you can simply create the resulting
> fetched
> key with RSA_new_method(e), where |e| is your TPM engine, and your
> engine's RSA method will be attached to that key rather than the
> default.

Unless you have a Firmware TPM, you really don't want to override the
default methods, all you want to do is load and engine based key and
override only specific key methods which are useful.  The reason is the
TPM is really slow, so you want the native system to do all the crypto
operations it can rather than routing them through the TPM.  So, for
instance, if you look at the elliptic curve overrides for the tpm2
engine,

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

all it does is change the EC_KEY methods for sign and nothing else (so
verify still uses non-TPM methods).

James

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] OpenSSL engine and TPM usage.

Freemon Johnson
In reply to this post by Richard Levitte - VMS Whacker-2
Hi Jayalakshmi,

Is your implementation OSS or intellectual property? If it is OSS can you please provide the URL?

Regards,
Freemon

On Wed, Oct 25, 2017 at 1:06 PM, Jayalakshmi bhat <[hidden email]> wrote:
Hi All,

Our device uses TPM to protect certificate private keys. We have written engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets loaded as an engine instance.
Also we have mapped RSA operations to TPM APIS as  like encryption/decryption etc.

Now we are into few issues. there are few applications that wants to use application specific identity certificate. In such cases RSA APIs should not get mapped to TPM APIs.

I wanted to know when we use engine instance for encyrption/decryption operation, can it be done selectively?

Regards
Jayalakshmi

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev