irtimmer/tpm2-pk11

Can we support other key types including ECDSA?

Opened this issue · 0 comments

1. ssh-keygen supports "RSA, DSA, ECDSA, ED25519" keys by default. Currently, we have only implemented RSA in libtpm2-pk11.so, but "ssh-keygen -t ecdsa -D libtpm2-pk11.so" doesn't work as I expected. For example, both

   ```
   ssh-keygen -t ecdsa -D /usr/local/lib/libtpm2-pk11.so
   ssh-keygen -t rsa -D /usr/local/lib/libtpm2-pk11.so
   ```

   will output the RSA key format.
   I guess it might be a bug that ssh-keygen doesn't check which mechanism is supported by the PKCS#11 module through "C_GetMechanismList()".


2. Since we have already implemented "C_GetMechanismList()" in libtpm2-pk11.so, here is a tool named pkcs11-tool from the OpenSC project that can be used to debug our PKCS#11 module, for example:

   ```
   $ sudo apt-get install -y opensc
   ...
   $ pkcs11-tool --module /usr/local/lib/libtpm2-pk11.so --list-mechanisms
   Using slot 0 with a present token (0x1234)
   Supported mechanisms:
     RSA-PKCS
   ```

To create an ECDSA key using tpm2-tools, we only need to replace "-G 0x01" with "-G 0x23" in "tpm2_create", for example:

```sh
# TPM 2.0 primary-object node is still an RSA node
tpm2_createprimary -H o -g sha256 -G rsa -C po.ctx
# Note: the legacy tpm2-tools branch 2.X command was "tpm2_createprimary -A o -g 0x000b -G 0x0001 -C po.ctx"

# Sub-node created with "-G 0x23" means the TPM_ALG_ECC algorithm.
tpm2_create -c po.ctx -g 0x000b -G 0x0023 -o ecckey.pub -O ecckey.priv
tpm2_load -c po.ctx -u ecckey.pub -r ecckey.priv -n key.name -C eccobj.ctx
tpm2_evictcontrol -A o -c eccobj.ctx -S 0x81010011

# list all persistent keys
tpm2_listpersistent
```
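The check the issue wishes ssh-keygen would perform, as an added example that is not part of tpm2-pk11, OpenSC or ssh-keygen: parse the `pkcs11-tool --list-mechanisms` output and decide which `ssh-keygen -t` key types the token can actually back with a signing mechanism. The two sample outputs are constructed; the mechanism names assume the spelling pkcs11-tool uses (`RSA-PKCS`, `ECDSA`, `ECDSA-SHA256`, ...), and the `SIGN_MECHANISMS` table is this example's own mapping, not anything from the project.

```python
"""Decide which ssh-keygen key types a PKCS#11 token can back, judged from
the mechanism list it advertises.  Added example, not project code."""

# Constructed sample 1: the shape of `pkcs11-tool --list-mechanisms` output
# for a module that (like libtpm2-pk11.so in the issue) only offers RSA-PKCS.
SAMPLE_RSA_ONLY = """\
Using slot 0 with a present token (0x1234)
Supported mechanisms:
  RSA-PKCS
"""

# Constructed sample 2: a token that also advertises ECDSA.  Newer pkcs11-tool
# versions append flags after a comma; the parser tolerates both forms.
SAMPLE_WITH_ECDSA = """\
Using slot 0 with a present token (0x1234)
Supported mechanisms:
  RSA-PKCS, keySize={1024,2048}, hw, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, hw, generate_key_pair
  ECDSA, keySize={256,384}, hw, sign, verify
  EC-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair
"""

# Assumed mapping (this example's own): which advertised mechanism names mean
# the token can *sign* for a given ssh-keygen -t type.  Signing is what ssh
# needs from the token; key-pair generation mechanisms are deliberately not
# required, because tpm2-pk11 keys are created out of band with tpm2-tools.
SIGN_MECHANISMS = {
    "rsa": {"RSA-PKCS", "SHA1-RSA-PKCS", "SHA256-RSA-PKCS",
            "SHA384-RSA-PKCS", "SHA512-RSA-PKCS"},
    "ecdsa": {"ECDSA", "ECDSA-SHA1", "ECDSA-SHA256",
              "ECDSA-SHA384", "ECDSA-SHA512"},
}


def parse_mechanisms(text):
    """Return the set of mechanism names listed under 'Supported mechanisms:'.

    Lines before that header (slot/token banner) are ignored; each indented
    line is a mechanism, optionally followed by ', flag, flag...'.
    """
    names = set()
    in_list = False
    for line in text.splitlines():
        if line.strip() == "Supported mechanisms:":
            in_list = True
            continue
        if not in_list or not line.startswith(" "):
            continue
        name = line.strip().split(",", 1)[0].strip()
        if name:
            names.add(name)
    return names


def supported_key_types(mechs):
    """ssh-keygen -t types for which the token advertises a signing mechanism."""
    return sorted(t for t, needed in SIGN_MECHANISMS.items() if mechs & needed)


def check_key_type(text, key_type):
    """True if `ssh-keygen -t key_type -D module` could be backed by this token."""
    return key_type in supported_key_types(parse_mechanisms(text))


if __name__ == "__main__":
    for label, sample in (("rsa-only token", SAMPLE_RSA_ONLY),
                          ("token with ECDSA", SAMPLE_WITH_ECDSA)):
        mechs = parse_mechanisms(sample)
        print(f"{label}: mechanisms={sorted(mechs)} "
              f"-> usable -t types: {supported_key_types(mechs)}")
```

Run against the real module by piping `pkcs11-tool --module /usr/local/lib/libtpm2-pk11.so --list-mechanisms` into `parse_mechanisms`; with only `RSA-PKCS` advertised, `check_key_type(..., "ecdsa")` is false, which is the situation the issue describes.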