[gnutls-devel] Proposal for the ASN.1 form of TPM1.2 and TPM2 keys

James Bottomley James.Bottomley at HansenPartnership.com
Sat Dec 24 17:13:50 CET 2016

On Sat, 2016-12-24 at 14:25 +0100, Nikos Mavrogiannopoulos wrote:
> On Fri, Dec 23, 2016 at 7:06 PM, James Bottomley
> <James.Bottomley at hansenpartnership.com> wrote:
> > The reason this comes about is because we already have a standard 
> > form for TPM 1.2 keys here:
> > http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#ident-tpm
> > However, since I'm working on TPM2 enabling for openssl and gnutls, 
> > I need to come up with a new key format because TPM2 requires some
> > extra parameters and the original TSS KEY BLOB, being a single
> > ASN1_OCTET_STRING isn't expandable.
> [...]
> > I'm torn on where to get the OIDs from.  Since this is a TPM key, 
> > it might make sense to use the TCG OID (2.23.133) and just add
> > something they haven't already used, like 10 for key formats, or we 
> > could go with a pkcs OID (1.2.840.113549.1)
> OIDs under some umbrella normally need to be registered within the
> organization they belong to. If you cannot find a suitable
> organization to get these OIDs from I'll check whether we can get
> something under redhat's OIDs.

I think, since it's a key format, the two above are the potential ones.
It would be TCG if they want to take it into their standard, otherwise
PKCS is RSA Inc.

> > If we can agree on this, we can update David's document and make it 
> > a formal RFC.
> Shouldn't version be first?

I put OID first because that's what makes the structure
self-describing.  You simply need to look for the SEQUENCE OBJECT OID
prefix.  We can easily register our own as well, of course.  If version
goes first, you have a variable prefix.

> However, I'm not sure how expandable ASN.1 is using version fields
> (I've seen no structure being able to be re-used using a different
> version). An alternative approach would be to allow for future
> extensions, i.e., something like the PKIX Extension field, which is
> an OID+data.

As long as the expansion fields are optional, it works nicely.  X509
and X509v3 are examples of version expanded ASN.1.
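
The OID-first layout and optional trailing fields discussed in this message, shown as an added example that is not part of the original post or of the proposal. The OID 2.23.133.10.1, the field layout after the OID (OCTET STRING blob, optional BOOLEAN) and the sample bytes are assumptions constructed for illustration.

```python
# Constructed samples: SEQUENCE { OID, OCTET STRING blob [, BOOLEAN flag] }
OID_TLV = bytes.fromhex("06056781050a01")   # 2.23.133.10.1, placeholder OID (not registered)
OLD = bytes.fromhex("300c") + OID_TLV + bytes.fromhex("0403010203")
NEW = bytes.fromhex("300f") + OID_TLV + bytes.fromhex("04030102030101ff")
VERSION_FIRST = bytes.fromhex("300f020101") + OID_TLV + bytes.fromhex("0403010203")

def read_tlv(buf, pos=0):                   # -> (tag, value, next_pos) for one DER element
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:                          # base-128 arcs, high bit marks continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)           # first byte packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def parse_key(der):                         # accepts the layout with or without the flag
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, body, pos = read_tlv(seq)
    if tag != 0x06:                         # the type is identified before anything else
        raise ValueError("first element is not an OID")
    tag, blob, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    flag = None
    if pos < len(seq):                      # optional field added in a later revision
        tag, val, pos = read_tlv(seq, pos)
        if tag != 0x01 or len(val) != 1 or pos != len(seq):
            raise ValueError("unexpected trailing element")
        flag = val != b"\x00"
    return decode_oid(body), blob, flag
```

The SEQUENCE length byte differs between `OLD` and `NEW`, so the constant part to match on is the OID element that follows the SEQUENCE header, not the first bytes of the file.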

