GnuTLS (tpmtools) api for signing data in a TPM

Question

Recently I started working with a TPM (version 1.2), and after checking the oficial GnuTLS API, I was wondering which API functions are the correct ones to do all the crypto stuff inside the chip (sign certificates get pk+ keys etc...).

At the moment Im able of getting this data outside of the TPM so I can sign or get a private key in my C code but thats not what I want.

Thank all!

Answer 1

The sequence of events is something like this:

1. Invoke gnutls_tpm_key_list_get_url to get the list of the TPM keys.
2. Choose the key you want to sign with from the list and import it with gnutls_privkey_import_tpm_url.
3. Now you have the gnutls_privkey_t object you can use with the abstract API just like any other key. In your case, you probably want to use gnutls_privkey_sign_data or one of the similar signing functions.

Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:

Note that we recommend against using TPM with this API because it is restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers for TPM such as CHAPS14 or opencryptoki15. These will allow using the standard smart card and HSM functionality (see Smart cards and HSMs) for TPM keys.