From: Petr Gotthard <petr.gotthard at centrum.cz>
To: tpm2@lists.01.org
Subject: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
Date: Tue, 26 Apr 2022 15:09:13 +0200 [thread overview]
Message-ID: <20220426150913.699DCD0C@centrum.cz> (raw)
In-Reply-To: DS7PR03MB5576C7FFBE1AA4907B99441C9AFB9@ds7pr03mb5576.namprd03.prod.outlook.com
Could we separate the individual questions/issues, please? I am getting lost :)
The "command code not supported" error after Esys_CreateLoaded is a known issue:
https://github.com/tpm2-software/tpm2-openssl/issues/29
To set the hierarchy you may be able to use the "-pkeyopt parent" parameter.
Petr
______________________________________________________________
> From: "Sievert, James" <james.sievert(a)bsci.com>
> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
> Date: 26.04.2022 14:57
> Subject: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>I was embarking on that and hit another snag:
>
> $ tpm2_getcap ecc-curves
> TPM2_ECC_NIST_P256: 0x3
> TPM2_ECC_BN_P256: 0x10
>
> $ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.priv
> Warning: generating random key material may take a long time
> if the system has a poor entropy source
> WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
> genpkey: Error generating EC key
> 403C86A7007F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported
>
>I’m curious, does one have control over the hierarchy under which the key is created?
>
>Also, related to my initial query, the TPM vendor has internal certificates stored at 0x1c0000a and 0x1c00002:
>
> 0x1c00002:
> name: 000bec00c657a4e2724101954c2c9d51ddd45c825c3997ec0786c3afeb0f7fca3ec7
> hash algorithm:
> friendly: sha256
> value: 0xB
> attributes:
> friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
> value: 0x1200762
> size: 1177
>
> 0x1c0000a:
> name: 000b2571404112c8aae1cde797c438d921093fc89b74d44564c25c296aaa26a6f041
> hash algorithm:
> friendly: sha256
> value: 0xB
> attributes:
> friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
> value: 0x1200762
> size: 781
>
>I cannot retrieve them using openssl x509:
>
> $ openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
> WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
> Could not read certificate from handle:0x1c0000a
> 405C04A14E7F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
> Unable to load certificate
>
> $ openssl x509 -provider tpm2 -provider default -in handle:0x1c00002
> WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
> Could not read certificate from handle:0x1c00002
> 40DC7060527F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
> Unable to load certificate
>
>This does work, however:
>
> bsci(a)ip-10-132-42-225:~/test$ tpm2_nvread -C p -s 781 0x1c0000a |openssl x509 -in /dev/stdin -inform der -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 756297432 (0x2d142ed8)
> Signature Algorithm: ecdsa-with-SHA256
> Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 029
> Validity
> Not Before: Sep 29 02:49:58 2021 GMT
> Not After : Sep 29 02:49:58 2036 GMT
> …
>
>
>-----Original Message-----
>From: Petr Gotthard <petr.gotthard(a)centrum.cz>
>Sent: Tuesday, April 26, 2022 8:20 AM
>To: tpm2(a)lists.01.org
>Subject: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>Oh, I never tested the `openssl cms` commands. There may be something missing from OpenSSL. What CMS functions do you need? Could you please suggest a sequence of openssl (and other) commands to verify all required CMS functions? Something like a new (set of) test(s), similar e.g. to https://github.com/tpm2-software/tpm2-openssl/blob/master/test/ecdsa_genpkey_auth.sh.
>
>Petr
>______________________________________________________________
>> From: "Sievert, James" <james.sievert(a)bsci.com>
>> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
>> Date: 26.04.2022 14:07
>> Subject: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>>
>>Thanks, Petr. That did the trick (actually, base was sufficient). In a similar vein, the corresponding private key is also held persistently in the TPM, handle 0x81800002. I'm now attempting the following:
>>
>> openssl cms -sign -provider tpm2 -provider default -in file.txt
>> -inkey handle:0x81800002 -signer handle:0x01000013
>>
>>I get no output, and a return value of 3. I get the same result if I reference the public key certificate as a file:
>>
>> openssl cms -sign -provider tpm2 -provider default -in file.txt
>> -inkey handle:0x81800002 -signer signer.pem
>>
>>Any insight on that would be appreciated…
>>
>_______________________________________________
>tpm2 mailing list -- tpm2(a)lists.01.org
>To unsubscribe send an email to tpm2-leave(a)lists.01.org
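The two return codes in the output quoted above (0x000b0143 from Esys_CreateLoaded and 0x00000095 from Esys_NV_Read) are TSS2_RC values: a layer number in the upper 16 bits and a TPM_RC in the lower 16. The decoder below is an added example, not code from tpm2-tss or tpm2-openssl; it follows the layer numbering of tss2_common.h and the TPM_RC bit layout from Part 2 of the TPM 2.0 Library specification, and its error-name tables are deliberately a subset.

```python
# Added example: decode TSS2_RC values such as 0x000b0143 and 0x00000095.
TSS2_RC_LAYER_SHIFT = 16
# Layer numbers from tss2_common.h, named with the prefixes Tss2_RC_Decode prints.
LAYERS = {0: "tpm", 6: "fapi", 7: "esapi", 8: "sys", 9: "mu", 10: "tcti",
          11: "rmt", 12: "rm", 13: "policy"}

RC_FMT1 = 0x080  # format-one errors carry a handle/parameter/session index
RC_VER1 = 0x100  # format-zero errors
RC_WARN = 0x900  # format-zero warnings

# Subset of TPM_RC numbers (offset from RC_VER1 / RC_FMT1) with their spec text.
VER1_ERRORS = {
    0x000: ("TPM_RC_INITIALIZE", "TPM not initialized by TPM2_Startup or already initialized"),
    0x001: ("TPM_RC_FAILURE", "commands not being accepted because of a TPM failure"),
    0x043: ("TPM_RC_COMMAND_CODE", "command code not supported"),
    0x046: ("TPM_RC_NV_RANGE", "NV offset+size is out of range"),
    0x049: ("TPM_RC_NV_AUTHORIZATION", "NV access authorization fails"),
}
FMT1_ERRORS = {
    0x002: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x004: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x005: ("TPM_RC_HIERARCHY", "hierarchy is not enabled or is not correct for the use"),
    0x00B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x00E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x015: ("TPM_RC_SIZE", "structure is the wrong size"),
    0x01C: ("TPM_RC_KEY", "key fields are not compatible with the selected use"),
    0x026: ("TPM_RC_CURVE", "curve not supported"),
}

def decode_rc(rc: int) -> dict:
    """Split a TSS2_RC into layer, format, error name and description."""
    layer, code = rc >> TSS2_RC_LAYER_SHIFT, rc & 0xFFFF
    out = {"layer": LAYERS.get(layer, f"layer{layer}"), "code": code}
    if layer not in (0, 11):  # only the tpm and rmt layers relay TPM_RC codes
        out.update(format="stack", name="non-TPM", desc="software-stack error, see the layer's own tables")
    elif code & RC_FMT1:
        err, idx = code & 0x3F, (code >> 8) & 0xF  # bits 0..5 error, bits 8..11 index
        if code & 0x40:                             # bit 6 set: index names a parameter
            where = f"parameter({idx})"
        elif idx == 0:                              # no index given: unknown handle
            where = "handle(unk)"
        elif idx & 0x8:                             # bit 11 set: index names a session
            where = f"session({idx & 0x7})"
        else:
            where = f"handle({idx})"
        name, desc = FMT1_ERRORS.get(err, (f"TPM_RC_FMT1+0x{err:03x}", "unknown format-1 error"))
        out.update(format="fmt1", where=where, name=name, desc=desc)
    elif (code & RC_WARN) == RC_WARN:               # warning: TPM busy, retry, etc.
        out.update(format="warn", name=f"TPM_RC_WARN+0x{code & 0x7F:03x}", desc="warning")
    elif code & RC_VER1:
        err = code & 0x7F
        name, desc = VER1_ERRORS.get(err, (f"TPM_RC_VER1+0x{err:03x}", "unknown format-0 error"))
        out.update(format="ver1", name=name, desc=desc)
    else:
        out.update(format="none", name="TPM_RC_SUCCESS" if code == 0 else "TPM1.2-style", desc="")
    return out

if __name__ == "__main__":
    for rc in (0x000b0143, 0x00000095):  # the two codes from the quoted output
        d = decode_rc(rc)
        print(f"0x{rc:08x} -> {d['layer']}:{d.get('where', 'error(2.0)')}: {d['name']}: {d['desc']}")
```

Running it prints 0x000b0143 as rmt / TPM_RC_COMMAND_CODE, the resource manager relaying the TPM's refusal of TPM2_CreateLoaded, and 0x00000095 as tpm / handle(unk) / TPM_RC_SIZE, which is why `tpm2_nvread` with an explicit `-s` succeeds where the provider's NV read does not.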