{"id":30021964,"url":"https://github.com/mgerstner/openssl_tpm_engine","last_synced_at":"2025-08-06T03:42:02.064Z","repository":{"id":154303742,"uuid":"114392693","full_name":"mgerstner/openssl_tpm_engine","owner":"mgerstner","description":"An OpenSSL Engine that interfaces with the TrouSerS tpm 1.2 stack (fork of official upstream on SourceForge, featuring OpenSSL 1.1 support)","archived":false,"fork":false,"pushed_at":"2024-12-30T10:34:28.000Z","size":181,"stargazers_count":10,"open_issues_count":1,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-12-30T11:29:52.715Z","etag":null,"topics":["cryptography-tools","openssl","rsa","tpm","tss"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mgerstner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-15T16:54:04.000Z","updated_at":"2024-12-30T10:34:31.000Z","dependencies_parsed_at":null,"dependency_job_id":"8287ccef-64dc-472c-83bb-1e027af1f806","html_url":"https://github.com/mgerstner/openssl_tpm_engine","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mgerstner/openssl_tpm_engine","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgerstner%2Fopenssl_tpm_engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgerstner%2Fopenssl_tpm_engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgerstner%2Fopenssl_tpm_engine/releases","manifests_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgerstner%2Fopenssl_tpm_engine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mgerstner","download_url":"https://codeload.github.com/mgerstner/openssl_tpm_engine/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgerstner%2Fopenssl_tpm_engine/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269016287,"owners_count":24345160,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-06T02:00:09.910Z","response_time":99,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography-tools","openssl","rsa","tpm","tss"],"created_at":"2025-08-06T03:41:56.374Z","updated_at":"2025-08-06T03:42:02.027Z","avatar_url":"https://github.com/mgerstner.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# README for the *forked* OpenSSL 1.0.x/1.1.x TPM engine\n\n- Original Author: Kent Yoder \u003ckyoder@users.sf.net\u003e\n- Fork Maintainer: Matthias Gerstner \u003cmatthias.gerstner@suse.com\u003e\n- Report bugs: via GitHub issues or direct email\n\n## About\n\nThis package contains two sets of code, a command-line utility used to\ngenerate a TSS key blob and write it to disk and an OpenSSL engine which\ninterfaces with the TSS API.\n\nSince the\n[original 
upstream\nproject](https://sourceforge.net/p/trousers/openssl_tpm_engine/ci/master/tree/)\nis unresponsive, I have forked the code base and moved it to GitHub. The main\nreason for this is compatibility with OpenSSL 1.1, which requires major\nchanges to the OpenSSL APIs used and to the build system.\n\nAt the moment this code works against both OpenSSL 1.0.x and 1.1.x versions.\nIn the future support for 1.0.x may be dropped.\n\n## Building\n\nRequirements:\n\n- OpenSSL 1.0.x or 1.1.x version\n- TrouSerS TSS 1.2 stack\n\nBy default, the build will look for the OpenSSL libraries via `pkg-config`.\nYou can choose a custom OpenSSL to build against using the `--with-openssl`\nswitch.\n\n```sh\n$ configure [--enable-debug] [--with-openssl=/path/to/custom/openssl] [--with-enginedir=/path/to/engines]\n$ make\n# make install\n```\n\n## Differences between OpenSSL 1.0 and 1.1\n\nDepending on the Linux distribution used, OpenSSL engines may be\ninstalled in different directories for OpenSSL 1.0 and OpenSSL 1.1. Also the\nnaming scheme for OpenSSL engines has changed. In OpenSSL 1.0 they are named\nlike regular libraries (e.g. `libtpm.so`) and in OpenSSL 1.1 they are named\nlike plugins (e.g. `tpm.so`).\n\nThe OpenSSL core libraries will fail to load engines using an incompatible\nnaming scheme. 
Therefore the tpm engine build system adjusts the target name\ndynamically depending on whether the build is against OpenSSL 1.0 or OpenSSL\n1.1.\n\n## Running\n\n```sh\ncreate_tpm_key\n\n        create_tpm_key: create a TPM key and write it to disk\n        usage: create_tpm_key [options] \u003cfilename\u003e\n\n        Options:\n                -e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n                -q|--sig-scheme signature scheme to use [DER] or SHA1\n                -s|--key-size   key size in bits [2048]\n                -a|--auth       require a password for the key [NO]\n                -p|--popup      use TSS GUI popup dialogs to get the password\n\t\t\t\tfor the key [NO] (implies --auth)\n```\n\n- Key type: The TPM key type of the key created will be legacy, so that it can\n  be used for both signing and encryption.\n\n- Padding schemes:  Choosing the encryption and signature schemes at key\n  creation time is mandatory because of the structure of a TPM key blob.  Once\n  a key is created by the TPM, the encryption and signature schemes are set in\n  store and cannot be changed without corrupting the key (making it unloadable\n  into a TPM). Here are the trade-offs:\n\n- Encryption schemes:\n\n    * PKCSV15 encryption scheme - all encrypted data will be padded using the\n    PKCSv1.5 padding algorithm. OAEP padding is considered more secure, but\n    many legacy apps will require PKCSv1.5 (most notably openssl). PKCSV15\n    padding will also allow a slightly larger chunk of data to be encrypted in\n    one operation.\n\n    * OAEP encryption scheme - all encrypted data will be padded using the OAEP\n    padding algorithm.\n\n- Signature schemes:\n\n    * DER signature scheme - assumes data to be signed is DER encoded (although\n    this is not required). 
Will allow signatures to be made of arbitrary\n    size, up to the size the padding will allow.\n    * SHA1 signature scheme - assumes *all* data to be signed is a SHA1 hash.\n    This restricts the data size to be signed to 20 bytes, always.\n\n- Defaults:\n\n    * Key sizes: Default=2048 bits. Other valid sizes are 512 and 1024 bits.\n\n    * Key auth: Default=none. If `-a` is specified, you will be prompted on the\n    command line using OpenSSL for a passphrase. This passphrase is SHA1\n    hashed by the TSS and used as the key's password. At key load time, you'll\n    be prompted for the passphrase again by OpenSSL. If `-p` is specified,\n    you'll get a GUI prompt for the password.\n\n## Password Usage\n\nTo control how the TPM engine obtains your SRK password, add one of the\nfollowing to your app:\n\n- To set the SRK password explicitly in your code, do:\n```c\nENGINE_ctrl_cmd(e, \"PIN\", 0, SRK_password, NULL, 0);\n```\n\n- The default secret mode is `TSS_SECRET_MODE_PLAIN`, so the above code will\nalways work with a plaintext SRK secret. If you have the hash of your secret,\ndo this:\n```c\nENGINE_ctrl_cmd(e, \"SECRET_MODE\", TSS_SECRET_MODE_SHA1, NULL, NULL, 0);\nENGINE_ctrl_cmd(e, \"PIN\", 0, SRK_password_hash, NULL, 0);\n```\n\n- To force the TSS to pop up a dialog prompting you for your SRK password:\n```c\nENGINE_ctrl_cmd(e, \"SECRET_MODE\", TSS_SECRET_MODE_POPUP, NULL, NULL, 0);\n```\n\n## Engine Configuration\n\nIncluded in this package is a sample `openssl.cnf` file, which can be used to\nturn on use of the TPM engine in apps where OpenSSL config support is compiled\nin.\n\n## Use Cases\n\nIf there's a use case for the TPM engine that you'd like to see it support,\nplease drop a line to trousers-users@lists.sf.net.\n\nExamples:\n\nCreate a self-signed cert using the TPM engine:\n\n1. Generate a TPM key and write it to a file:\n```sh\n$ create_tpm_key \u003ckeyfilename\u003e\n```\n2. 
Make the openssl certificate request:\n```sh\n$ openssl req -keyform engine -engine tpm -key \u003ckeyfilename\u003e -new -x509 -days 365 -out \u003ccertfilename\u003e\n```\n3. Test using openssl:\n```sh\n$ openssl s_server -cert \u003ccertfilename\u003e -www -accept 4433 -keyform engine -engine tpm -key \u003ckeyfilename\u003e\n$ konqueror https://localhost:4433\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgerstner%2Fopenssl_tpm_engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmgerstner%2Fopenssl_tpm_engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgerstner%2Fopenssl_tpm_engine/lists"}