Re: how to use gnutls_privkey_import_ext

[Carolin Latze]

Hi Nikos,

On 06/10/2012 02:47 AM, Nikos Mavrogiannopoulos wrote:
> On 06/09/2012 12:36 PM, Carolin Latze wrote:
>
>    
> > Hi all
> >
> > I tried to port some of my really old code to a new version of GnuTLS. I
> > used a signing callback in order to let the TPM sign data. However since
> > gnutls_sign_callback_set is deprecated now I tried to move to
> > gnutls_privkey_import_ext. Here is what I did:
> >
> > I defined an empty privkey structure (since the privkey is stored within
> > the TPM):
> > const gnutls_datum_t key = { NULL, 0 };
> >
> > I took my old sign callback and assigned it to that structure:
> > gnutls_privkey_import_ext(&key,NULL,NULL,gnutls_tpm_sign,NULL,0);
> >      
>
> Hello,
>   Did you check the error code from this function? It should have failed
> because it requires a sign function and a decryption function. You also
> do not set the public key algorithm to be used and put a NULL there.
>    
I also tried with GNUTLS_PK_RSA, but that did not help. And yeah I also 
switched on logging with a level of 15, but did not really see what the 
problem could. Well I thought it would be the pk algorithm, but as I 
said, that did not solve the problem.
> If you do not want to use decryption, then put a dummy function that
> always returns an error code and then make sure you use ciphersuites
> that require signing (DHE-RSA/ECDHE-RSA).
>    
Ok, I will try that.
>    
> > PKCS#11 is not really an option since that comes with some limitations
> > on the TPM...
> >      
>
> I see that trousers comes with a PKCS #11 module (or they claim to).
> I've never tried it, but doesn't it work?
>    
It does. But the TPM has never been designed to meet the PKCS#11 spec, 
so it requires for instance to set some keys to NULL. I could do that 
but I need to clear and reset my TPM to do that and I was hoping that I 
could prevent that. Maybe that is the next thing I try if I don't manage 
to get the other function to work.

Regards
Carolin