[ssh_x509] ssh_x509 Digest, Vol 64, Issue 1

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Jul 20 01:05:37 EEST 2019

Hello Jon,

ssh_x509 at roumenpetrov.info wrote:
> Thanks for your reply, Roumen.

I'm sorry for the late reply, my mail box was full.

> I think we're talking about two different things here. The keys I'm referring to are actually RSA keys that are encrypted by a TPM (Trusted Platform Module). The TPM is a hardware component that contains a root encryption key that encrypts other keys that are generated.
10x, I will read more on this topic.

> So, the use case I'm thinking of is a user has a TPM generated RSA private key and a certificate chain. To present it to the server from the SSH client, it will need to load the encrypted TPM key using the OpenSSL TPM Engine, which calls the TrouSerS stack to load the key into the TPM so that it can be used for the challenge.
> The TrouSerS format for the TPM keys is a PEM-like format, so it may already work with pkix-ssh. The important part that would need to be added is OpenSSL TPM Engine support. The SSH Client would have to load the TPM engine, load the key (by a given filepath), and then internally use the key pointer returned by the Engine for authentication. The rest would be the RFC 6187 certificate auth provided by the pkix-ssh patch.
> What do you think about this use case? My reason for writing is because I may start adding support for this soon and wanted to make sure it's not something you think impossible.

OpenSSL engine has one limitation - lack of a relation between a key and the 
corresponding (matching) certificate.
This is resolved by custom command(s).

Both are implemented in 
LOAD_CERT_CTRL is supported as it is implemented in the pkcs#11 engine.

The ssh_engine(5) manual describes the engine configuration specific to pkix-ssh, 
for use if the global one cannot be used.
For instance e_nss has command CONFIG_DIR - path that is specific to the 

> Here is an example OpenSSL TPM Engine: https://github.com/ThomasHabets/openssl-tpm-engine
> Here is TrouSerS documentation: http://trousers.sourceforge.net/faq.html
> Thanks,
> Jon
