From: Petr Gotthard <petr.gotthard at centrum.cz>
To: tpm2@lists.01.org
Subject: [tpm2] Re: {External} Re: OpenSSL 3 and TPM 2 vendor certs in NVRAM...
Date: Thu, 28 Apr 2022 15:34:19 +0200 [thread overview]
Message-ID: <20220428153419.3D09DDB0@centrum.cz> (raw)
In-Reply-To: DS7PR03MB55767734A941458248B11ACA9AFA9@ds7pr03mb5576.namprd03.prod.outlook.com
James,
there were some bugs in the NV processing and certificate parsing. Thank you for reporting them.
Everything should be fixed in the latest master branch. Please check if there are any issues.
Petr
______________________________________________________________
> From: "Sievert, James" <james.sievert(a)bsci.com>
> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
> Date: 27.04.2022 19:33
> Subject: [tpm2] Re: {External} Re: OpenSSL 3 and TPM 2 vendor certs in NVRAM...
>
>They are DER format.
>
>-----Original Message-----
>From: Petr Gotthard <petr.gotthard(a)centrum.cz>
>Sent: Wednesday, April 27, 2022 1:31 PM
>To: tpm2(a)lists.01.org
>Subject: {External} [tpm2] Re: OpenSSL 3 and TPM 2 vendor certs in NVRAM...
>
>Hi James,
>
>Loading certs from NV was also not tested and apparently doesn't work either.
>https://github.com/tpm2-software/tpm2-openssl/issues/35
>
>Please, could you retrieve your cert from the NV and let me know whether it is DER (binary) or PEM (textual with -----BEGIN CERTIFICATE----- lines)?
>
>
>Petr
>______________________________________________________________
>> From: "Sievert, James" <james.sievert(a)bsci.com>
>> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
>> Date: 26.04.2022 15:18
>> Subject: [tpm2] OpenSSL 3 and TPM 2 vendor certs in NVRAM...
>>
>>Hi,
>>
>>
>>The TPM vendor has internal certificates stored at 0x1c0000a and 0x1c00002:
>>
>>
>>0x1c00002:
>>  name: 000bec00c657a4e2724101954c2c9d51ddd45c825c3997ec0786c3afeb0f7fca3ec7
>>  hash algorithm:
>>    friendly: sha256
>>    value: 0xB
>>  attributes:
>>    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
>>    value: 0x1200762
>>  size: 1177
>>
>>0x1c0000a:
>>  name: 000b2571404112c8aae1cde797c438d921093fc89b74d44564c25c296aaa26a6f041
>>  hash algorithm:
>>    friendly: sha256
>>    value: 0xB
>>  attributes:
>>    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
>>    value: 0x1200762
>>  size: 781
>>
>>I cannot retrieve them using openssl x509:
>>
>>$ openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
>>WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
>>ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
>>Could not read certificate from handle:0x1c0000a
>>405C04A14E7F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
>>Unable to load certificate
>>
>>$ openssl x509 -provider tpm2 -provider default -in handle:0x1c00002
>>WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
>>ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
>>Could not read certificate from handle:0x1c00002
>>40DC7060527F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
>>Unable to load certificate
>>
>>This does work, however:
>>
>>bsci(a)ip-10-132-42-225:~/test$ tpm2_nvread -C p -s 781 0x1c0000a | openssl x509 -in /dev/stdin -inform der -noout -text
>>Certificate:
>>    Data:
>>        Version: 3 (0x2)
>>        Serial Number: 756297432 (0x2d142ed8)
>>        Signature Algorithm: ecdsa-with-SHA256
>>        Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 029
>>        Validity
>>            Not Before: Sep 29 02:49:58 2021 GMT
>>            Not After : Sep 29 02:49:58 2036 GMT
>>        ...
>>
>>
>>Thanks.
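The working `tpm2_nvread ... | openssl x509 -inform der` pipeline above shows the two things a loader has to get right: whether the NV payload is DER or PEM (the question Petr asks), and how many bytes of the index actually belong to the certificate. The example below is added here and is not code from tpm2-openssl, tpm2-tools or anyone on this thread. It assumes the NV blob has already been read (for example with `tpm2_nvread -C p -s <size> <index>`), classifies it by its first bytes, and for DER decodes the outer SEQUENCE length so that trailing 0x00/0xFF padding from an over-sized index is dropped rather than passed to the parser. The sample blobs are constructed and are not real vendor certificates; only the 781-byte size is taken from the thread.

```python
"""Classify a blob read from a TPM NV index as DER or PEM and recover the
exact certificate bytes.

Added example for this thread (not tpm2-openssl or tpm2-tools code).
The sample blobs built by make_fake_der()/to_pem() are constructed and
are not real X.509 certificates.
"""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_tlv_length(blob: bytes) -> int:
    """Return the total length (tag + length bytes + content) of the DER
    element at blob[0].  An X.509 certificate is an outer SEQUENCE (0x30).
    Raises ValueError if the bytes do not start with a well-formed,
    definite-length SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    content_len = int.from_bytes(blob[2:2 + n], "big")
    return 2 + n + content_len


def classify_nv_blob(blob: bytes):
    """Return ("der", cert_der) or ("pem", cert_der).

    NV indices are frequently defined larger than the certificate they
    hold, so a DER blob may carry trailing 0x00 or 0xFF padding; cut at the
    SEQUENCE length instead of handing the whole index to the parser.  PEM
    is decoded so both branches yield the same DER bytes."""
    m = PEM_RE.search(blob)
    if m:
        return "pem", base64.b64decode(m.group(1))
    total = der_tlv_length(blob)
    if total > len(blob):
        raise ValueError(f"NV blob truncated: DER says {total} bytes, have {len(blob)}")
    trailing = blob[total:]
    if trailing and any(b not in (0x00, 0xFF) for b in trailing):
        raise ValueError("unexpected data after DER certificate")
    return "der", blob[:total]


def make_fake_der(total: int) -> bytes:
    """Constructed DER SEQUENCE of exactly `total` bytes using a two-byte
    long-form length (0x30 0x82 hh ll).  Filler content, not a real cert."""
    content = total - 4
    return b"\x30\x82" + content.to_bytes(2, "big") + b"\xA5" * content


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block (constructed test input)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    der = make_fake_der(781)               # same size as index 0x1c0000a above
    padded = der + b"\x00" * 19            # index defined larger than the cert
    kind, cert = classify_nv_blob(padded)
    print(kind, len(cert))                 # der 781
    kind, cert = classify_nv_blob(to_pem(der))
    print(kind, len(cert), cert == der)    # pem 781 True
```

Feeding `blob[:total]` rather than the raw index contents to `openssl x509 -inform der` is what the `-s 781` argument in the thread achieves by hand; the DER length lets a loader derive that size from the data instead of hard-coding it per index.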
Thread overview:
2022-04-28 13:34 Petr Gotthard [this message]
2022-04-28 14:39 [tpm2] Re: {External} Re: OpenSSL 3 and TPM 2 vendor certs in NVRAM Sievert, James
2022-04-27 17:33 Sievert, James