help-gnutls

Re: how to use gnutls_privkey_import_ext


From: Carolin Latze
Subject: Re: how to use gnutls_privkey_import_ext
Date: Sun, 10 Jun 2012 12:56:02 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20120506 Icedove/3.0.11

Ok, this is what I did now: I defined a sign_func and a decrypt_func based on the type found in abstract.h:

int gnutls_tpm_sign_func (gnutls_privkey_t key,
                          void *userdata,
                          const gnutls_datum_t * raw_data,
                          gnutls_datum_t * signature);
int gnutls_tpm_decrypt_func (gnutls_privkey_t key,
                             void *userdata,
                             const gnutls_datum_t * ciphertext,
                             gnutls_datum_t * plaintext);

The decrypt func will just return -1, whereas the sign func will call the TPM. Furthermore I created a NULL privkey:

gnutls_privkey_t key;
gnutls_privkey_init(&key);

and assigned a NULL privkey to the credentials of this session: (even if I assign the &key here, it does not help)

gnutls_certificate_set_x509_key_mem(xcred, &ccert, NULL, GNUTLS_X509_FMT_PEM);

Later, after gnutls_init, I tried to import the key callbacks:

gnutls_privkey_import_ext(key,GNUTLS_PK_RSA,NULL,gnutls_tpm_sign_func,gnutls_tpm_decrypt_func,0);

Now I see that gnutls_privkey_import_ext is executed without problems (no errors, no segfault, valgrind just silent), but none of the callbacks will be called. I guess I am missing something during the initialization. Do you have an idea what I am missing here?

Regards
Carolin

On 06/10/2012 11:58 AM, Carolin Latze wrote:
> On 06/10/2012 11:55 AM, Nikos Mavrogiannopoulos wrote:
>> On 06/10/2012 11:37 AM, Carolin Latze wrote:
>>>> Hello,
>>>> Did you check the error code from this function? It should have failed
>>>> because it requires a sign function and a decryption function. You also
>>>> do not set the public key algorithm to be used and put a NULL there.
>>>
>>> I also tried with GNUTLS_PK_RSA, but that did not help. And yeah I also
>>> switched on logging with a level of 15, but did not really see what the
>>> problem could be. Well I thought it would be the pk algorithm, but as I
>>> said, that did not solve the problem.
>>
>> Note that I didn't refer to logging but to checking the error code
>> returned by the function. If such a function fails the results are
>> unpredictable (like the crash you see). If possible send me an output of
>> valgrind with the crash to see whether an error code can be returned
>> instead of crash.
>
> I will try that.
>
>> I see that trousers comes with a PKCS #11 module (or they claim to).
>> I've never tried it, but doesn't it work?
>
> It does. But the TPM has never been designed to meet the PKCS#11 spec,
> so it requires for instance to set some keys to NULL. I could do that
> but I need to clear and reset my TPM to do that and I was hoping that I
> could prevent that. Maybe that is the next thing I try if I don't manage
> to get the other function to work.
>
>> This function works (I know it is used in windows which usually has no
>> pkcs #11), so if you have more issues let me know. Just make sure you
>> provide functions of the correct type (note that the parameters in
>> gnutls_privkey_sign_func are different than the old gnutls_sign_func).
>
> Aha, ok, that helps :) I will rewrite the sign callback then.
>
>> btw. If you manage to use the TPM with this, would be nice if you point
>> me to your code (if it is lgpl). Would be nice to have some code to use TPM.
>
> Yeah sure.
>
>> regards,
>> Nikos


_______________________________________________
Help-gnutls mailing list
https://lists.gnu.org/mailman/listinfo/help-gnutls