You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This would allow an abstration allowing customers to use keys embedded into hardware (TPM) or KMS systems that implement that interface.
Motivation
Right now users have to supply the raw private key to Config but with TPM, KMS or PKCS-11 systems, the key is not extractactable but is 'available' for use sometimes through a a crypto.signer interface:
Hiya! Thanks for raising this. I think this makes a lot of sense. I'd like to retain the "pass key directly" functionality though since that's what everyone is already using and is a very common way to use the tls library from stdlib too.
But I'm happy for something like this to be added and be tried before falling back to whatever may have been passed in the config for the raw key.
and fyi, atleast in go, the tls negotations uses SignatureAlgorithm: x509.SHA256WithRSAPSS for TLS but that'll be the responsiblity of the Signer thats passed (eg, for tpm singer i have (atleast for tls1.3 which i do't know even applies here)
Summary
Allow users to supply a crypto.Signer implementation instead of an actual private key to dtls.v2.Config.
This would allow an abstration allowing customers to use keys embedded into hardware (TPM) or KMS systems that implement that interface.
Motivation
Right now users have to supply the raw private key to Config but with TPM, KMS or PKCS-11 systems, the key is not extractactable but is 'available' for use sometimes through a a
crypto.signer
interface:eg for TPM
with this feature, a client on a device can use its embedded key for dtls connections
Additional context
some additional refernces (untested at scale)
JWT:
mTLS
The text was updated successfully, but these errors were encountered: