Shift from engine API to provider API for Debian 12 / OpenSSL 3 (#3965)
* Rename openssl.ts to cryptography.ts, since we could one day use something other than OpenSSL for cryptographic operations * Shift from engine API to provider API for Debian 12 / OpenSSL 3
1 parent
10ee207
commit 327fb09
Showing
15 changed files
with
69 additions
and
87 deletions.
@@ -1,15 +1,31 @@ | ||
/** | ||
* The name of the OpenSSL TPM engine that we're using | ||
* The ID of the TPM signing key, distinct from the TPM primary key | ||
*/ | ||
export const OPENSSL_TPM_ENGINE_NAME = 'tpm2tss'; | ||
const TPM_KEY_ID = '0x81000001'; | ||
|
||
/** | ||
* The ID of the TPM signing key, distinct from the TPM primary key | ||
* The name of the OpenSSL provider that we're using to interface with the TPM | ||
*/ | ||
export const TPM_KEY_ID = '0x81000001'; | ||
const TPM_OPENSSL_PROVIDER = 'tpm2'; | ||
|
||
/** | ||
* The password of the TPM signing key. Not required for our security model, just required by | ||
* OpenSSL, hence the dummy password. | ||
* Prepares the OpenSSL params necessary to use the TPM | ||
*/ | ||
export const TPM_KEY_PASSWORD = 'password'; | ||
export function tpmOpensslParams( | ||
opensslParam: '-CAkey' | '-key' | '-sign' | ||
): string[] { | ||
return [ | ||
opensslParam, | ||
`handle:${TPM_KEY_ID}`, | ||
'-provider', | ||
TPM_OPENSSL_PROVIDER, | ||
// When a provider is explicitly specified, the default OpenSSL provider is not automatically | ||
// loaded. But even when using the TPM OpenSSL provider, we still need the default provider for | ||
// operations outside the scope of the TPM provider. For example, when creating a cert, OpenSSL | ||
// needs to extract the public key from the cert signing request, which the TPM provider doesn't | ||
// support. See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-default.html for more | ||
// context. | ||
'-provider', | ||
'default', | ||
]; | ||
} |
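Review bot: `tpmOpensslParams` supplies no authorisation for the key at `handle:${TPM_KEY_ID}`, while the removed side of this hunk drops `TPM_KEY_PASSWORD`, which the old comment says existed only because OpenSSL required one; if the persistent key at that handle was provisioned with that dummy password, the provider path will fail to sign, so this presumably relies on key creation (in one of the other changed files) now yielding a key with empty auth — worth confirming and stating in the TSDoc. The function's doc comment should also spell out its contract, e.g. `@param opensslParam the key-bearing flag of the openssl subcommand being assembled` and `@returns argv fragment that loads the key from the TPM via the tpm2 provider, with the default provider loaded second for the non-TPM operations described in the inline comment`. A short note that the key is expected to already be persisted at `TPM_KEY_ID` (this function does not create it) would help callers that only see the function name.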