From william.c.roberts at intel.com Tue Oct 9 17:28:59 2018
From: william.c.roberts at intel.com (Roberts, William C)
Date: Tue, 9 Oct 2018 17:28:59 +0000
Subject: Installation Locations for P11 kit
Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649C5657B@ORSMSX101.amr.corp.intel.com>

Hello,

I started a PKCS11 project for TPM 2.0 and we have this bug report:
https://github.com/tpm2-software/tpm2-pkcs11/issues/28

I'm looking for guidance on how best to configure our settings to be
compatible with P11 and best practices surrounding install locations.

Any help/comments would be appreciated.

Thanks,
Bill

From dwmw2 at infradead.org Tue Oct 9 17:44:36 2018
From: dwmw2 at infradead.org (David Woodhouse)
Date: Tue, 09 Oct 2018 18:44:36 +0100
Subject: Installation Locations for P11 kit
In-Reply-To: <476DC76E7D1DF2438D32BFADF679FC5649C5657B@ORSMSX101.amr.corp.intel.com>
References: <476DC76E7D1DF2438D32BFADF679FC5649C5657B@ORSMSX101.amr.corp.intel.com>
Message-ID: <7ff4f62699ef3d72755eae69fdacf4f34d2c01e5.camel@infradead.org>

On Tue, 2018-10-09 at 17:28 +0000, Roberts, William C wrote:
> Hello,
>
> I started a PKCS11 project for TPM 2.0 and we have this bug report:
> https://github.com/tpm2-software/tpm2-pkcs11/issues/28
>
> I'm looking for guidance on how best to configure our settings to be
> compatible with P11 and best practices surrounding install locations.
>
> Any help/comments would be appreciated.

Really, do what it says in the ticket :)

The ideal location for installing your provider library is obtained thus:

$ pkg-config --variable=p11_module_path p11-kit-1
/usr/lib64/pkcs11

The location for your module file is given by this command:

$ pkg-config --variable=p11_module_configs p11-kit-1
/usr/share/p11-kit/modules

The idea is that you just install it, then it works everywhere. Any
well-behaved application can now take a PKCS#11 URI according to
RFC7512 instead of a filename for a key, and it'll find your token.

See http://www.infradead.org/openconnect/pkcs11.html for an example of
how this works. I see you're at Intel, so you use OpenConnect for your
VPN. You should be able to import your key from ~/.certs into the TPM
PKCS#11 token, then OpenConnect should be able to use it from there.

From william.c.roberts at intel.com Tue Oct 9 18:24:09 2018
From: william.c.roberts at intel.com (Roberts, William C)
Date: Tue, 9 Oct 2018 18:24:09 +0000
Subject: Installation Locations for P11 kit
In-Reply-To: <7ff4f62699ef3d72755eae69fdacf4f34d2c01e5.camel@infradead.org>
References: <476DC76E7D1DF2438D32BFADF679FC5649C5657B@ORSMSX101.amr.corp.intel.com> <7ff4f62699ef3d72755eae69fdacf4f34d2c01e5.camel@infradead.org>
Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649C5666D@ORSMSX101.amr.corp.intel.com>

> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2 at infradead.org]
> Sent: Tuesday, October 9, 2018 1:45 PM
> To: Roberts, William C ; p11-glue at lists.freedesktop.org
> Subject: Re: Installation Locations for P11 kit
>
> On Tue, 2018-10-09 at 17:28 +0000, Roberts, William C wrote:
> > Hello,
> >
> > I started a PKCS11 project for TPM 2.0 and we have this bug report:
> > https://github.com/tpm2-software/tpm2-pkcs11/issues/28
> >
> > I'm looking for guidance on how best to configure our settings to be
> > compatible with P11 and best practices surrounding install locations.
> >
> > Any help/comments would be appreciated.
>
> Really, do what it says in the ticket :)

I actually didn't notice it was you that filed the ticket, now that I
know the source it adds to the trust validity of the ticket.

> The ideal location for installing your provider library is obtained
> thus:
>
> $ pkg-config --variable=p11_module_path p11-kit-1
> /usr/lib64/pkcs11
>
> The location for your module file is given by this command:
>
> $ pkg-config --variable=p11_module_configs p11-kit-1
> /usr/share/p11-kit/modules
>
> The idea is that you just install it, then it works everywhere. Any
> well-behaved application can now take a PKCS#11 URI according to
> RFC7512 instead of a filename for a key, and it'll find your token.
>
> See http://www.infradead.org/openconnect/pkcs11.html for an example of
> how this works. I see you're at Intel, so you use OpenConnect for your
> VPN. You should be able to import your key from ~/.certs into the TPM
> PKCS#11 token, then OpenConnect should be able to use it from there.

From dwmw2 at infradead.org Tue Oct 9 18:28:41 2018
From: dwmw2 at infradead.org (David Woodhouse)
Date: Tue, 09 Oct 2018 19:28:41 +0100
Subject: Installation Locations for P11 kit
In-Reply-To: <476DC76E7D1DF2438D32BFADF679FC5649C5666D@ORSMSX101.amr.corp.intel.com>
References: <476DC76E7D1DF2438D32BFADF679FC5649C5657B@ORSMSX101.amr.corp.intel.com> <7ff4f62699ef3d72755eae69fdacf4f34d2c01e5.camel@infradead.org> <476DC76E7D1DF2438D32BFADF679FC5649C5666D@ORSMSX101.amr.corp.intel.com>

On Tue, 2018-10-09 at 18:24 +0000, Roberts, William C wrote:
> > -----Original Message-----
> > From: David Woodhouse [mailto:dwmw2 at infradead.org]
> > Sent: Tuesday, October 9, 2018 1:45 PM
> > To: Roberts, William C ; p11-glue at lists.freedesktop.org
> > Subject: Re: Installation Locations for P11 kit
> >
> > On Tue, 2018-10-09 at 17:28 +0000, Roberts, William C wrote:
> > > Hello,
> > >
> > > I started a PKCS11 project for TPM 2.0 and we have this bug
> > > report:
> > > https://github.com/tpm2-software/tpm2-pkcs11/issues/28
> > >
> > > I'm looking for guidance on how best to configure our settings to
> > > be compatible with P11 and best practices surrounding install
> > > locations.
> > >
> > > Any help/comments would be appreciated.
> >
> > Really, do what it says in the ticket :)
>
> I actually didn't notice it was you that filed the ticket, now that I
> know the source it adds to the trust validity of the ticket.

:)

cf. https://github.com/opendnssec/SoftHSMv2/pull/233/commit/f1de8e238e8beeefcc35bb281163403c9f53c6d9

Although it's been cleaned up more since then and now seems to live in
https://github.com/opendnssec/SoftHSMv2/blob/develop/m4/acx_p11kit.m4
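The pkg-config lookups David describes, turned into a small installer-side script. This is an added example and not code from the thread, from tpm2-pkcs11 or from p11-kit; the library name libtpm2_pkcs11.so is an assumption, and when p11-kit-1 is not installed the script falls back to the two directories quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from tpm2-pkcs11): resolve the two
# p11-kit directories via pkg-config, falling back to the values shown in the
# thread when p11-kit-1 is not installed, and render the .module file that
# tells p11-kit where the provider library lives.
# The library name libtpm2_pkcs11.so used at the bottom is an assumption.

p11_module_path() {
    pkg-config --variable=p11_module_path p11-kit-1 2>/dev/null \
        || echo /usr/lib64/pkcs11
}

p11_module_configs() {
    pkg-config --variable=p11_module_configs p11-kit-1 2>/dev/null \
        || echo /usr/share/p11-kit/modules
}

# Turn a library file name into the module file base name:
# libtpm2_pkcs11.so -> tpm2_pkcs11
module_name() {
    n=${1#lib}
    printf '%s\n' "${n%%.so*}"
}

# Print the module file contents. "module:" is the p11-kit key naming the
# provider library; "critical: no" keeps p11-kit usable for other tokens if
# the TPM token fails to initialise (for instance when no TPM is present).
render_module_conf() {
    printf 'module: %s/%s\n' "$2" "$1"
    printf 'critical: no\n'
}

# Write <confdir>/<name>.module for library $1 installed in module dir $3.
# Refuses (and writes nothing) if $1 does not look like a shared object.
write_module_conf() {
    case $1 in
        lib*.so*) ;;
        *) echo "not a shared object name: $1" >&2; return 1 ;;
    esac
    render_module_conf "$1" "$3" > "$2/$(module_name "$1").module"
}

# Usage: show where a package should install the library and its config.
echo "library dir: $(p11_module_path)"
echo "config dir:  $(p11_module_configs)"
render_module_conf libtpm2_pkcs11.so "$(p11_module_path)"
```

Run as root, `write_module_conf libtpm2_pkcs11.so "$(p11_module_configs)" "$(p11_module_path)"` drops the config where p11-kit will pick it up.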