OpenSSL: add support for TPM2-wrapped keys

Message ID	8fd6383f-74f5-64d0-c023-e59823a4d138@puzzle-itc.de
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> To: hostap@lists.infradead.org From: Daniel Kobras <kobras@puzzle-itc.de> Openpgp: preference=signencrypt Autocrypt: addr=kobras@puzzle-itc.de; keydata= mQGNBFuyIr8BDADfcwWSZafsIOyivFu+Bh3ynelaKS35BuF43EfZmmCmAKzpVrkqo0vYpWb+ GKn8wyyy+Z89BGvWjMmGQ5tUzIF+2cGgc3SoAeqSOY0CkUPC6ea0rKA/02LiEJR3ScUx5QU9 uz5H0Y7Xcj0MnqLFw6poZmZqVJ6i0YYNYB0/vtrsmZgRdbkCxq+PINdnCAva9ROkiOwW6iyy nmejJETfsy5wIuiVPJ/SyTtnQuBgGvESVzW46JRZS8+aD9PLip/nn0buJCQHZADswMnn62vV 3fNDCnPFo3z5c//jKm+0MesGEBNtdNdHdLyQy9HizvCE7zpV4HVhDGo8FV9JHReWRb4zv7Cc 6Ro3kKP7XTdEs1/qxxMtJakW+VY19tS+qFR9C4+PoaeK0/RS7GeI5SMxTHVI2xCkMwG1nNWB aZ14XDH1ieXjqQKQr/TCcNbfeZAXO021oqhUN6YKH0H6Iywu7Mos9syqCxFZ6KRYhKaZgJzP Jlb6iTcDyFZRbRldOnQiKkEAEQEAAbQxRGFuaWVsIEtvYnJhcyAoUHV6emxlIElUQykgPGtv YnJhc0BwdXp6bGUtaXRjLmRlPokBzgQTAQoAOBYhBM3oc+2tF4TjZ5+mipqV0zLLbB3XBQJb siK/AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJqV0zLLbB3XE1kMAIlngQYG6ufb sSPWbK+mqb9cvYkJrQkgdyNNMHd48MVBWMBq89ycfVnQi0DOzRNqXl6sX/dZQnb/ThWEDoFW wvKee2onXGGYVrAf3p1RRFxO1laKXeSECSJE4bru0Lo/mU4tnxOAa+3ugirgIpgvw19zN/Ic P9nnlFFyFoLecnc/jUN7BCNmCpjYsregRoKRBT68FGISFEwot2ut4IvP1u6V01JcMpDTtLKs u3QxbIkfkVIoyfVGZjWbFhtzl8qRE6Ug7esUHsBEsjvpb5OE9XCwHACn3c8yScKk7xI9dpXt bxIIokCJHMZBxO1Q7CUuGYGtAgb2k++/Wh5FxqDTkVglf2UH0nN5B03Sike8TDmZwW59iTiV r8sBAsKDizSzTzOESi7f3lcG90anNHf8oLBeMfzfUQZNypneZ/8R7CKzr6msICKhqrR8F9Ed 889RusI3CPb10OLDRBW4d19nTC5Hyvk4+7vtcenY8g5hGeqLHUgGn28rcK+qkjKr922HU7kB jQRbsiK/AQwAxUDhTjEPV9kluZ/Mo/B7Sq8D2aGzfiTQm1c2t5I8BrCbOIQr+t5p1i6wsbUw SXahmnHzqUSdLs62aT+i25RsUBMpplYepG66zT5q+7YoBzsh6Sl4zchVTAsDSpUhGFkSZ9mh 53G9Y3hbv36ROIYJOisWx8KdCG/HFjC8GaWDT5vgvUUL8u90qDXaot5VZXz5RP8+Y2LAfs1R Ys/9vd9R+93rDLfceDxDjWiXgUXMhywB8ZzC8ulEwWkzFniWQA09g1+w/9/zhTxD/obCCqQW cFhPvZAM7GV4Shx8VhKrsSqwZufVY0d6oA5rB16j/o2lw/2SMOVyZodj8ErwMTYsWsIUt4iG XEu0STSrihGz59YimfdHxKg9sFgwD43JcM3+2pXRSE3Q4oazr3TnyIT/dtlNbjtQOjT7apy9 xZG7kjjvbxjWBkdbmNCNG4te+ueT4Hi/HF5Yw/0xNeOq4WtAT8nGxOLVGLToqugb2P6nKXjF 0BDJu8S42/jSw4XByNsHABEBAAGJAbYEGAEKACAWIQTN6HPtrReE42efpoqaldMyy2wd1wUC W7IivwIbDAAKCRCaldMyy2wd12i4DACUIrpZZqCFVD/jngeYexLci/lmNIUh+pnw/1sI15O+ N4T7ISCUGLvO7ZFO1qCcLC/UrYxQD+qgBnmQ9mRHXFSiEXcTLQG9QB8h/uP/2ZqhZVjWLdZS NFVQBct2etq5NB+z484CT5PhYcpHMzWF8DwwoxqlGxd8MRZ4IEu5Gaa8ZYagZQvSRn/82y6j svvBhMidgy6FphmxOwzFgf9EmAToDTJ5Kp5250C/XU9YrPIlg6ALAI5iFlQf5NJIG1dnV3wJ xSUgDrMtHpfzP0eTFskimusVtsZmsA9SRyny1fiySsl9xm6bOtwmfmSgK1pQznTg5mMHKsgy m66zlacn8OBoZ16acBmNGZL2Du5UUlxsFDGgGNdiXwomLkEhtpPJZC4230d2ngQqLzfBA9CH orAjkyCQkC4vNM8gadJcCEmNW8jxQAFAEypFu9JewCA8DiPOIU2xPw27ocZVPuRQIwiAuF3Z p63U1j1sBdH4lyrWIu/HHjYDEL8+XTvqMCBEHuI= Organization: Puzzle ITC Deutschland GmbH Subject: [PATCH] OpenSSL: add support for TPM2-wrapped keys Message-ID: <8fd6383f-74f5-64d0-c023-e59823a4d138@puzzle-itc.de> Date: Tue, 2 Jul 2019 16:19:38 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1 MIME-Version: 1.0 Content-Language: en-US summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:443 listed in] [list.dnswl.org] 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Precedence: list Cc: David Woodhouse <dwmw2@infradead.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	OpenSSL: add support for TPM2-wrapped keys \| expand OpenSSL: add support for TPM2-wrapped keys

Message ID

8fd6383f-74f5-64d0-c023-e59823a4d138@puzzle-itc.de

State

Accepted

Headers

To: hostap@lists.infradead.org
From: Daniel Kobras <kobras@puzzle-itc.de>
Openpgp: preference=signencrypt
Autocrypt: addr=kobras@puzzle-itc.de; keydata=
	mQGNBFuyIr8BDADfcwWSZafsIOyivFu+Bh3ynelaKS35BuF43EfZmmCmAKzpVrkqo0vYpWb+
	GKn8wyyy+Z89BGvWjMmGQ5tUzIF+2cGgc3SoAeqSOY0CkUPC6ea0rKA/02LiEJR3ScUx5QU9
	uz5H0Y7Xcj0MnqLFw6poZmZqVJ6i0YYNYB0/vtrsmZgRdbkCxq+PINdnCAva9ROkiOwW6iyy
	nmejJETfsy5wIuiVPJ/SyTtnQuBgGvESVzW46JRZS8+aD9PLip/nn0buJCQHZADswMnn62vV
	3fNDCnPFo3z5c//jKm+0MesGEBNtdNdHdLyQy9HizvCE7zpV4HVhDGo8FV9JHReWRb4zv7Cc
	6Ro3kKP7XTdEs1/qxxMtJakW+VY19tS+qFR9C4+PoaeK0/RS7GeI5SMxTHVI2xCkMwG1nNWB
	aZ14XDH1ieXjqQKQr/TCcNbfeZAXO021oqhUN6YKH0H6Iywu7Mos9syqCxFZ6KRYhKaZgJzP
	Jlb6iTcDyFZRbRldOnQiKkEAEQEAAbQxRGFuaWVsIEtvYnJhcyAoUHV6emxlIElUQykgPGtv
	YnJhc0BwdXp6bGUtaXRjLmRlPokBzgQTAQoAOBYhBM3oc+2tF4TjZ5+mipqV0zLLbB3XBQJb
	siK/AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJqV0zLLbB3XE1kMAIlngQYG6ufb
	sSPWbK+mqb9cvYkJrQkgdyNNMHd48MVBWMBq89ycfVnQi0DOzRNqXl6sX/dZQnb/ThWEDoFW
	wvKee2onXGGYVrAf3p1RRFxO1laKXeSECSJE4bru0Lo/mU4tnxOAa+3ugirgIpgvw19zN/Ic
	P9nnlFFyFoLecnc/jUN7BCNmCpjYsregRoKRBT68FGISFEwot2ut4IvP1u6V01JcMpDTtLKs
	u3QxbIkfkVIoyfVGZjWbFhtzl8qRE6Ug7esUHsBEsjvpb5OE9XCwHACn3c8yScKk7xI9dpXt
	bxIIokCJHMZBxO1Q7CUuGYGtAgb2k++/Wh5FxqDTkVglf2UH0nN5B03Sike8TDmZwW59iTiV
	r8sBAsKDizSzTzOESi7f3lcG90anNHf8oLBeMfzfUQZNypneZ/8R7CKzr6msICKhqrR8F9Ed
	889RusI3CPb10OLDRBW4d19nTC5Hyvk4+7vtcenY8g5hGeqLHUgGn28rcK+qkjKr922HU7kB
	jQRbsiK/AQwAxUDhTjEPV9kluZ/Mo/B7Sq8D2aGzfiTQm1c2t5I8BrCbOIQr+t5p1i6wsbUw
	SXahmnHzqUSdLs62aT+i25RsUBMpplYepG66zT5q+7YoBzsh6Sl4zchVTAsDSpUhGFkSZ9mh
	53G9Y3hbv36ROIYJOisWx8KdCG/HFjC8GaWDT5vgvUUL8u90qDXaot5VZXz5RP8+Y2LAfs1R
	Ys/9vd9R+93rDLfceDxDjWiXgUXMhywB8ZzC8ulEwWkzFniWQA09g1+w/9/zhTxD/obCCqQW
	cFhPvZAM7GV4Shx8VhKrsSqwZufVY0d6oA5rB16j/o2lw/2SMOVyZodj8ErwMTYsWsIUt4iG
	XEu0STSrihGz59YimfdHxKg9sFgwD43JcM3+2pXRSE3Q4oazr3TnyIT/dtlNbjtQOjT7apy9
	xZG7kjjvbxjWBkdbmNCNG4te+ueT4Hi/HF5Yw/0xNeOq4WtAT8nGxOLVGLToqugb2P6nKXjF
	0BDJu8S42/jSw4XByNsHABEBAAGJAbYEGAEKACAWIQTN6HPtrReE42efpoqaldMyy2wd1wUC
	W7IivwIbDAAKCRCaldMyy2wd12i4DACUIrpZZqCFVD/jngeYexLci/lmNIUh+pnw/1sI15O+
	N4T7ISCUGLvO7ZFO1qCcLC/UrYxQD+qgBnmQ9mRHXFSiEXcTLQG9QB8h/uP/2ZqhZVjWLdZS
	NFVQBct2etq5NB+z484CT5PhYcpHMzWF8DwwoxqlGxd8MRZ4IEu5Gaa8ZYagZQvSRn/82y6j
	svvBhMidgy6FphmxOwzFgf9EmAToDTJ5Kp5250C/XU9YrPIlg6ALAI5iFlQf5NJIG1dnV3wJ
	xSUgDrMtHpfzP0eTFskimusVtsZmsA9SRyny1fiySsl9xm6bOtwmfmSgK1pQznTg5mMHKsgy
	m66zlacn8OBoZ16acBmNGZL2Du5UUlxsFDGgGNdiXwomLkEhtpPJZC4230d2ngQqLzfBA9CH
	orAjkyCQkC4vNM8gadJcCEmNW8jxQAFAEypFu9JewCA8DiPOIU2xPw27ocZVPuRQIwiAuF3Z
	p63U1j1sBdH4lyrWIu/HHjYDEL8+XTvqMCBEHuI=
Organization: Puzzle ITC Deutschland GmbH
Subject: [PATCH] OpenSSL: add support for TPM2-wrapped keys
Message-ID: <8fd6383f-74f5-64d0-c023-e59823a4d138@puzzle-itc.de>
Date: Tue, 2 Jul 2019 16:19:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
	Thunderbird/60.7.1
MIME-Version: 1.0
Content-Language: en-US
Precedence: list
Cc: David Woodhouse <dwmw2@infradead.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

OpenSSL: add support for TPM2-wrapped keys | expand

Commit Message

Daniel Kobras July 2, 2019, 2:19 p.m. UTC

If the header of a PEM-formatted cert or key indicates that it is
wrapped with a TPM2 key, try to autoload the appropriate OpenSSL engine
that can transparently unwrap the key. This enables systems to use
TPM2-wrapped keys as drop-in replacements to ordinary SSL keys.

Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
---
Hi!

This patch adds support for TPM2-wrapped keys, similar to what David
Woodhouse did in openconnect, and suggested earlier on this list for
wpa_supplicant as well. It requires
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/
to be installed as an openssl engine.

The match_line_in_file() helper function is rather generic. If there's a
better place to put it, please let me know.

Kind regards,

Daniel
---
 src/crypto/tls_openssl.c | 74 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

 #if OPENSSL_VERSION_NUMBER < 0x10100000L ||
defined(LIBRESSL_VERSION_NUMBER)
 	if (params->flags & TLS_CONN_EAP_FAST) {
@@ -4903,7 +4975,7 @@ int tls_connection_set_params(void *tls_ctx,
struct tls_connection *conn,
 	}

 	if (engine_id) {
-		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
+		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s", engine_id);
 		ret = tls_engine_init(conn, engine_id, params->pin,
 				      key_id, cert_id, ca_cert_id);
 		if (ret)

Comments

Daniel Kobras Aug. 7, 2019, 2:26 p.m. UTC | #1

Hi!

Am 02.07.19 um 16:19 schrieb Daniel Kobras:
> If the header of a PEM-formatted cert or key indicates that it is
> wrapped with a TPM2 key, try to autoload the appropriate OpenSSL engine
> that can transparently unwrap the key. This enables systems to use
> TPM2-wrapped keys as drop-in replacements to ordinary SSL keys.
> 
> Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
> ---

Any thoughts on the TPM2 below? NetworkManager has just release version
1.20 that includes a patch to pass through TPM2-wrapped PEM key files.
Corresponding support in wpa_supplicant now is the missing piece of the
puzzle to enable transparent support for TPM2-pinned keys with 802.1x
for desktop users. If there's anything else you want me to provide
regarding this patch, please let me know.

Kind regards,

Daniel

> Hi!
> 
> This patch adds support for TPM2-wrapped keys, similar to what David
> Woodhouse did in openconnect, and suggested earlier on this list for
> wpa_supplicant as well. It requires
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/
> to be installed as an openssl engine.
> 
> The match_line_in_file() helper function is rather generic. If there's a
> better place to put it, please let me know.
> 
> Kind regards,
> 
> Daniel
> ---
>  src/crypto/tls_openssl.c | 74 +++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 73 insertions(+), 1 deletion(-)
> 
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index 1073f6450..7f61f7560 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -4819,6 +4819,67 @@ static int ocsp_status_cb(SSL *s, void *arg)
> 
>  #endif /* HAVE_OCSP */
> 
> +static int match_lines_in_file(const char *path, const char **lines)
> +{
> +	FILE *f = NULL;
> +	const char **p;
> +	char *buf;
> +	size_t bufsize = 0;
> +	int found, is_linestart;
> +
> +	if (!path || !lines || !*lines)
> +		return 0;
> +
> +	for (p = lines; *p; p++) {
> +		size_t size = strlen(*p) + sizeof("\r\n");
> +		bufsize = (size > bufsize) ? size : bufsize;
> +	}
> +
> +	buf = os_malloc(bufsize);
> +	if (!buf)
> +		return 0;
> +
> +	f = fopen(path, "r");
> +	if (!f) {
> +		os_free(buf);
> +		return 0;
> +	}
> +
> +	found = 0;
> +	is_linestart = 1;
> +
> +	while (!found && fgets(buf, bufsize, f)) {
> +		int is_lineend;
> +		size_t buflen = strlen(buf);
> +
> +		buf[strcspn(buf, "\r\n")] = '\0';
> +		is_lineend = strlen(buf) < buflen;
> +
> +		if (is_linestart && is_lineend) {
> +			for (p = lines; !found && *p; p++) {
> +				found = !os_strcmp(buf, *p);
> +			}
> +		}
> +		is_linestart = is_lineend;
> +	}
> +
> +	fclose(f);
> +	os_free(buf);
> +
> +	return found;
> +}
> +
> +static int is_tpm2_key(const char *path)
> +{
> +	/* Check both new and old format of TPM2 PEM guard tag */
> +	const char *tpm2_tags[] = {
> +		"-----BEGIN TSS2 PRIVATE KEY-----",
> +		"-----BEGIN TSS2 KEY BLOB-----",
> +		NULL
> +	};
> +
> +	return match_lines_in_file(path, tpm2_tags);
> +}
> 
>  int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
>  			      const struct tls_connection_params *params)
> @@ -4872,6 +4933,17 @@ int tls_connection_set_params(void *tls_ctx,
> struct tls_connection *conn,
>  	if (can_pkcs11 == 2 && !engine_id)
>  		engine_id = "pkcs11";
> 
> +	/* If private_key points to a TPM2-wrapped key, automatically enable
> +	 * tpm2 engine and use it to unwrap the key. */
> +	if (!engine_id || os_strcmp(engine_id, "tpm2")) {
> +		if (is_tpm2_key(params->private_key)) {
> +			wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
> +			           params->private_key);
> +			key_id = key_id ? key_id : params->private_key;
> +			engine_id = engine_id ? engine_id : "tpm2";
> +		}
> +	}
> +
>  #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) ||
> defined(EAP_SERVER_FAST)
>  #if OPENSSL_VERSION_NUMBER < 0x10100000L ||
> defined(LIBRESSL_VERSION_NUMBER)
>  	if (params->flags & TLS_CONN_EAP_FAST) {
> @@ -4903,7 +4975,7 @@ int tls_connection_set_params(void *tls_ctx,
> struct tls_connection *conn,
>  	}
> 
>  	if (engine_id) {
> -		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
> +		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s", engine_id);
>  		ret = tls_engine_init(conn, engine_id, params->pin,
>  				      key_id, cert_id, ca_cert_id);
>  		if (ret)
>

Jouni Malinen Dec. 29, 2019, 9:55 a.m. UTC | #2

On Tue, Jul 02, 2019 at 04:19:38PM +0200, Daniel Kobras wrote:
> If the header of a PEM-formatted cert or key indicates that it is
> wrapped with a TPM2 key, try to autoload the appropriate OpenSSL engine
> that can transparently unwrap the key. This enables systems to use
> TPM2-wrapped keys as drop-in replacements to ordinary SSL keys.

Thanks, applied.

David Woodhouse Dec. 29, 2019, 11:42 a.m. UTC | #3

On 29 December 2019 09:55:41 GMT, Jouni Malinen <j@w1.fi> wrote:
>On Tue, Jul 02, 2019 at 04:19:38PM +0200, Daniel Kobras wrote:
>> If the header of a PEM-formatted cert or key indicates that it is
>> wrapped with a TPM2 key, try to autoload the appropriate OpenSSL
>engine
>> that can transparently unwrap the key. This enables systems to use
>> TPM2-wrapped keys as drop-in replacements to ordinary SSL keys.
>
>Thanks, applied.
>

cf. https://github.com/tpm2-software/tpm2-tss-engine/issues/28

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1073f6450..7f61f7560 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -4819,6 +4819,67 @@  static int ocsp_status_cb(SSL *s, void *arg)

 #endif /* HAVE_OCSP */

+static int match_lines_in_file(const char *path, const char **lines)
+{
+	FILE *f = NULL;
+	const char **p;
+	char *buf;
+	size_t bufsize = 0;
+	int found, is_linestart;
+
+	if (!path || !lines || !*lines)
+		return 0;
+
+	for (p = lines; *p; p++) {
+		size_t size = strlen(*p) + sizeof("\r\n");
+		bufsize = (size > bufsize) ? size : bufsize;
+	}
+
+	buf = os_malloc(bufsize);
+	if (!buf)
+		return 0;
+
+	f = fopen(path, "r");
+	if (!f) {
+		os_free(buf);
+		return 0;
+	}
+
+	found = 0;
+	is_linestart = 1;
+
+	while (!found && fgets(buf, bufsize, f)) {
+		int is_lineend;
+		size_t buflen = strlen(buf);
+
+		buf[strcspn(buf, "\r\n")] = '\0';
+		is_lineend = strlen(buf) < buflen;
+
+		if (is_linestart && is_lineend) {
+			for (p = lines; !found && *p; p++) {
+				found = !os_strcmp(buf, *p);
+			}
+		}
+		is_linestart = is_lineend;
+	}
+
+	fclose(f);
+	os_free(buf);
+
+	return found;
+}
+
+static int is_tpm2_key(const char *path)
+{
+	/* Check both new and old format of TPM2 PEM guard tag */
+	const char *tpm2_tags[] = {
+		"-----BEGIN TSS2 PRIVATE KEY-----",
+		"-----BEGIN TSS2 KEY BLOB-----",
+		NULL
+	};
+
+	return match_lines_in_file(path, tpm2_tags);
+}

 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 			      const struct tls_connection_params *params)
@@ -4872,6 +4933,17 @@  int tls_connection_set_params(void *tls_ctx,
struct tls_connection *conn,
 	if (can_pkcs11 == 2 && !engine_id)
 		engine_id = "pkcs11";

+	/* If private_key points to a TPM2-wrapped key, automatically enable
+	 * tpm2 engine and use it to unwrap the key. */
+	if (!engine_id || os_strcmp(engine_id, "tpm2")) {
+		if (is_tpm2_key(params->private_key)) {
+			wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
+			           params->private_key);
+			key_id = key_id ? key_id : params->private_key;
+			engine_id = engine_id ? engine_id : "tpm2";
+		}
+	}
+
 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) ||
defined(EAP_SERVER_FAST)

OpenSSL: add support for TPM2-wrapped keys

Commit Message

Comments

Patch