[stunnel-users] Stunnel with TPM engine !!!

dinesh.kallath at bt.com dinesh.kallath at bt.com
Wed Apr 19 14:43:46 CEST 2006


Hello 

I am new to Stunnel and would like to know how to integrate the engine with Stunnel 4.15.

I am trying to integrate a Trusted Platform Module (TPM) engine which is compatible with OpenSSL to use with Stunnel, so that the private key for the SSL connection can be retrieved and stored in the hardware. I was able to configure the Stunnel config file to use the engine, and it is loading the engine fine. The problem I am facing now is that the key which stunnel tries to load can be loaded only by the engine; I mean it has to be loaded into the TPM to be used, and stunnel tries to load it in the normal way. Please find the debug output below:

# ./stunnel stunnel-engine.conf
2006.04.19 13:39:22 LOG7[1261:3086812864]: Enabling support for engine 'tpm'
DEBUG e_tpm_err.c:295 ERR_load_TPM_strings
DEBUG e_tpm_err.c:298 TPM_lib_error_code is 136
2006.04.19 13:39:22 LOG7[1261:3086812864]: Initializing engine
DEBUG e_tpm.c:336 tpm_engine_init
LOG_DEBUG TSPI ../tcsd_api/clntside.c:58 Sending TSP packet to host localhost.
LOG_DEBUG TSPI ../tcsd_api/clntside.c:74 Connecting to 127.0.0.1
LOG_DEBUG TSPI ../tcsd_api/tcstp.c:390 TCS_OpenContext_RPC_TP: Received TCS Context: 0xa0ef791d
2006.04.19 13:39:22 LOG7[1261:3086812864]: Engine initialized
2006.04.19 13:39:22 LOG7[1261:3086812864]: Engine closed
2006.04.19 13:39:22 LOG7[1261:3086812864]: Snagged 64 random bytes from /root/.rnd
DEBUG e_tpm.c:1151 tpm_rand_bytes getting 1024 bytes
LOG_DEBUG TSPI ../tcsd_api/tcstp.c:2488 TCSP_GetRandom_TP: TCS Context: 0xa0ef791d
2006.04.19 13:39:23 LOG7[1261:3086812864]: Wrote 1024 new random bytes to /root/.rnd
DEBUG e_tpm.c:1171 tpm_rand_status
2006.04.19 13:39:23 LOG7[1261:3086812864]: RAND_status claims sufficient entropy for the PRNG
2006.04.19 13:39:23 LOG6[1261:3086812864]: PRNG seeded successfully
DEBUG e_tpm.c:736 tpm_rsa_init
2006.04.19 13:39:23 LOG7[1261:3086812864]: Certificate: /root/dk/CVS/070406/applications/openssl_tpm_engine/TpmKey.crt
2006.04.19 13:39:23 LOG7[1261:3086812864]: Key file: /root/dk/CVS/070406/applications/openssl_tpm_engine/TpmKey.key
2006.04.19 13:39:23 LOG3[1261:3086812864]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.04.19 13:39:23 LOG3[1261:3086812864]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

It is obvious from the debug output that Stunnel expects a private key file in PEM format, but the whole issue is that the private key I have (created using the TPM) is not in PEM format; it is an encrypted file, and the root key used to encrypt it stays inside the TPM hardware. I suppose we need to provide a key load function which loads the key into the TPM rather than using Stunnel.

It would be a great help if someone could provide me with some pointers on how to solve this, or please let me know if I am missing something. Also, do ask me if you need any further clarification.

Many thanks,

Dinesh Kallath, CISSP
Research Professional, 
Security Research Centre
BT Group Chief Technology Office

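Added example (not part of the original message, and not stunnel or engine code): a small triage script that decodes the two OpenSSL error codes from the log above and checks whether a key file carries the PEM armor line that the file-based loader looks for. The error-code layout assumed is the pre-3.0 OpenSSL packing (8-bit library, 12-bit function, 12-bit reason); the sample key blobs and the verdict labels are constructed for illustration.

```python
import re

# The two failing lines from the log above, message part only.
LOG = """error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line"""

# Pre-3.0 OpenSSL packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
LIBS = {0x09: "PEM", 0x14: "SSL"}            # only the libraries seen in this log
REASONS = {(0x09, 0x06C): "no start line",   # PEM_R_NO_START_LINE
           (0x14, 0x009): "PEM lib"}         # ERR_R_PEM_LIB
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode(code_hex):
    """Split a packed error code into (library, function number, reason)."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    return LIBS.get(lib, hex(lib)), func, REASONS.get((lib, reason), hex(reason))

def errors_in(log_text):
    """Decode every 'error:XXXXXXXX:' entry found in a log."""
    return [decode(m) for m in ERR_RE.findall(log_text)]

def looks_like_pem(blob):
    """True if some line starts with the '-----BEGIN ' armor the PEM reader needs."""
    return any(line.startswith(b"-----BEGIN ") for line in blob.splitlines())

def triage(log_text, key_blob):
    """Classify the failure (labels are this example's own, not OpenSSL's)."""
    no_start = any(lib == "PEM" and why == "no start line"
                   for lib, _, why in errors_in(log_text))
    if no_start and not looks_like_pem(key_blob):
        # Opaque blob: it needs the engine's key loader (OpenSSL exposes this
        # as ENGINE_load_private_key), not the PEM file reader.
        return "engine-key"
    if no_start:
        return "pem-present-check-path"
    return "ok"

# Constructed sample inputs: an opaque wrapped-key blob and a PEM header.
TPM_BLOB = b"\x01\x01\x00\x00\x00\x11\x00\x00\x00\x00\x01\x00\x03\x00\x01"
PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(errors_in(LOG))
    print(triage(LOG, TPM_BLOB))
```
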