Re: how to use gnutls_privkey_import_ext

[Nikos Mavrogiannopoulos]

On 06/09/2012 12:36 PM, Carolin Latze wrote:

> Hi all
> 
> I tried to port some of my really old code to a new version of GnuTLS. I
> used a signing callback in order to let the TPM sign data. However since
> gnutls_sign_callback_set is deprecated now I tried to move to
> gnutls_privkey_import_ext. Here is what I did:
> 
> I defined an empty privkey structure (since the privkey is stored within
> the TPM):
> const gnutls_datum_t key = { NULL, 0 };
> 
> I took my old sign callback and assigned it to that structure:
> gnutls_privkey_import_ext(&key,NULL,NULL,gnutls_tpm_sign,NULL,0);


Hello,
 Did you check the error code from this function? It should have failed
because it requires a sign function and a decryption function. You also
do not set the public key algorithm to be used and put a NULL there.

If you do not want to use decryption, then put a dummy function that
always returns an error code and then make sure you use ciphersuites
that require signing (DHE-RSA/ECDHE-RSA).


> PKCS#11 is not really an option since that comes with some limitations
> on the TPM...


I see that trousers comes with a PKCS #11 module (or they claim to).
I've never tried it, but doesn't it work?

regards,
Nikos