On Sun, 2017-10-29 at 16:24 +0100, Gert Doering wrote:
> Hi,
> 
> On Sat, Oct 28, 2017 at 01:02:27PM +0100, James Bottomley wrote:
> > 
> > Engine keys are an openssl concept for a key file which can only be
> > understood by an engine (usually because it's been wrapped by the
> > engine itself).  We use this for TPM engine keys, so you can either
> > generate them within your TPM or wrap them from existing private
> > keys.  Once wrapped, the keys will only function in the TPM that
> > generated them, so it means the VPN keys are tied to the physical
> > platform, which is very useful.  Engine keys have to be loaded via
> > a specific callback, so use this as a fallback in openvpn if an
> > engine is specified and if the PEM read of the private key fails.
> 
> How does this work in an OpenVPN context, as in, what do I have to do
> to make TPM keys work on client and server?

If you have an existing private key, you convert it to a TPM key using
the create_tpm[2]_key binary that comes with openssl_tpm[2]_engine.
The key you create is then locked to the TPM of the system you create
it on (so save an offline copy of the non-TPM private key).

> Do we need a new abstraction layer here somewhere, given that this 
> seems to do something similar to using the windows crypto layer to
> access "private keys hidden in windows" (--cryptoapicert) and/or
> pkcs11?

I don't really think so.  The engine keys are a bit of an openssl
brainfart: there's no reason why PEM_read_bio_PrivateKey couldn't
actually check for engine keys and have the whole thing transparent to
all applications, except that openssl didn't want to do it that way.

These keys are real files, so they're not like tokens, which is the
pkcs11 abstraction.

> I see more #ifdef in the code and this is usually a sign of "it will
> increase testing requirement, and we can't even test the abstraction
> if none of us has the hardware".
> 
> But I leave the more specific discussion to Steffan and Antonio :-)

Testing is possible.  If you look at the build repository of
openssl_tpm2_engine:

https://build.opensuse.org/project/show/home:jejb1:TPM

You'll see there are tests in there that fire up a software tpm to run.
However, the software TPM is a bit capricious and certainly only runs
on openssl 1.0.2, so I can't run the tests on Fedora 26 for instance
without rewriting the swtpm2 package.

James
