tpm2-pkcs11 icon indicating copy to clipboard operation
tpm2-pkcs11 copied to clipboard

Published 20 hours ago verified publisher icon tpm2-software

add ECDH support

Open Dvergatal opened this issue 3 years ago • 8 comments

Hi @williamcroberts again, i understand that you have closed #656, but you haven't answered me for my question about adding support for ECDH.

Dvergatal avatar Feb 23 '21 17:02 Dvergatal

We can add it, once we know how to do it in the tpm2-tools project. It's a buit of an ongoing open issue. @idesai has made some progress on it, I think he has something working as far as TPM output, but we want to make sure it works end-to-end with an OSSL peer.

williamcroberts avatar Feb 24 '21 13:02 williamcroberts

Ok thx. I haven't noticed that comment yesterday:P

Dvergatal avatar Feb 25 '21 12:02 Dvergatal

FYI it was implemented in the openssl engine project as:

  • https://github.com/tpm2-software/tpm2-tss-engine/pull/207

I'm still not sure what it looks like using tpm2-pkcs11 API to generate an ECDH key and using it, as far as flow yet. But Ill start looking into it.

williamcroberts avatar May 24 '21 21:05 williamcroberts

Hmmmm there is only EC key. ECDH is an algorithm used i.e. in TLS protocol for secure exchanging between sides with shared secret. The process for key generation of EC key should look the same as for ECDSA, unless you are talking about shared secret generation, but this shared secret generation should be done during the TLS protocol by the protocol itself.

Dvergatal avatar May 25 '21 13:05 Dvergatal

Hmmmm there is only EC key. ECDH is an algorithm used i.e. in TLS protocol for secure exchanging between sides with shared secret. The process for key generation of EC key should look the same as for ECDSA, unless you are talking about shared secret generation, but this shared secret generation should be done during the TLS protocol by the protocol itself.

Think more along the lines of how clients are using it and passing templates during the C_DeriveKey call to generate the shared secret. The spec covers the templates, but I have found that spec != apps. However, pkcs11-tool has --derive, which is perfect. Start with an existing implementation. At a glance, p11tool seems to be absent. The pkcs11 engine seems to have support, which means we can use the tests with OpenSSL like tpm2-tss-engine does, just swap out the engine and load this pkcs11 library.

williamcroberts avatar May 25 '21 13:05 williamcroberts

Yeah pkcs11-tool has already support for it, that is why i rather use it than p11tool. And yes you can use openssl command line for tls connection to check if it will use the token properly.

Dvergatal avatar May 25 '21 13:05 Dvergatal

I took a stab to proof of concept. I am sure there are issues but still.. https://github.com/ldts/tpm2-pkcs11/commit/f8c2dc07e2273219e92bdc0fda221038bd281b38

ldts avatar Feb 09 '23 11:02 ldts

@ldts thx I can test it later for now I'm little busy but I will certainly do that :smile:

Dvergatal avatar Feb 10 '23 08:02 Dvergatal