search

tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io
Other
262 stars 105 forks source link

add ECDH support #661

Open Dvergatal opened 3 years ago

Dvergatal commented 3 years ago

Hi @williamcroberts again, i understand that you have closed #656, but you haven't answered me for my question about adding support for ECDH.

williamcroberts commented 3 years ago

We can add it, once we know how to do it in the tpm2-tools project. It's a buit of an ongoing open issue. @idesai has made some progress on it, I think he has something working as far as TPM output, but we want to make sure it works end-to-end with an OSSL peer.

Dvergatal commented 3 years ago

Ok thx. I haven't noticed that comment yesterday:P

williamcroberts commented 3 years ago

FYI it was implemented in the openssl engine project as:

I'm still not sure what it looks like using tpm2-pkcs11 API to generate an ECDH key and using it, as far as flow yet. But Ill start looking into it.

Dvergatal commented 3 years ago

Hmmmm there is only EC key. ECDH is an algorithm used i.e. in TLS protocol for secure exchanging between sides with shared secret. The process for key generation of EC key should look the same as for ECDSA, unless you are talking about shared secret generation, but this shared secret generation should be done during the TLS protocol by the protocol itself.

williamcroberts commented 3 years ago

Hmmmm there is only EC key. ECDH is an algorithm used i.e. in TLS protocol for secure exchanging between sides with shared secret. The process for key generation of EC key should look the same as for ECDSA, unless you are talking about shared secret generation, but this shared secret generation should be done during the TLS protocol by the protocol itself.

Think more along the lines of how clients are using it and passing templates during the C_DeriveKey call to generate the shared secret. The spec covers the templates, but I have found that spec != apps. However, pkcs11-tool has --derive, which is perfect. Start with an existing implementation. At a glance, p11tool seems to be absent. The pkcs11 engine seems to have support, which means we can use the tests with OpenSSL like tpm2-tss-engine does, just swap out the engine and load this pkcs11 library.

Dvergatal commented 3 years ago

Yeah pkcs11-tool has already support for it, that is why i rather use it than p11tool. And yes you can use openssl command line for tls connection to check if it will use the token properly.

ldts commented 1 year ago

I took a stab to proof of concept. I am sure there are issues but still.. https://github.com/ldts/tpm2-pkcs11/commit/f8c2dc07e2273219e92bdc0fda221038bd281b38

Dvergatal commented 1 year ago

@ldts thx I can test it later for now I'm little busy but I will certainly do that :smile: