* [tpm2] Re: Key Certification
@ 2020-01-21 11:05 s.schwebel
  0 siblings, 0 replies; 4+ messages in thread
From: s.schwebel @ 2020-01-21 11:05 UTC (permalink / raw)
  To: tpm2

I just discovered that openssl will accept key handles as well

openssl req -new -key 0x817FFFFF -engine tpm2tss -keyform engine -out key.csr -config csr.cnf

that solves my problem.


* [tpm2] Re: Key Certification
@ 2020-01-21 15:46 nicolasoliver03
  0 siblings, 0 replies; 4+ messages in thread
From: nicolasoliver03 @ 2020-01-21 15:46 UTC (permalink / raw)
  To: tpm2

I have a gist with that :)

https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L106

That one creates an ECC signing key, derives a CSR with the tpm2tss engine, and certifies the key with tpm2_makecredential and tpm2_activatecredential


* [tpm2] Re: Key Certification
@ 2020-01-21  8:11 Steffen
  0 siblings, 0 replies; 4+ messages in thread
From: Steffen @ 2020-01-21  8:11 UTC (permalink / raw)
  To: tpm2

Hello,


On 20.01.20 16:38, Roberts, William C wrote:
>
>> -----Original Message-----
>> From: Steffen Schwebel [mailto:s.schwebel(a)uvensys.de]
>> Sent: Saturday, January 18, 2020 2:11 PM
>> To: tpm2 <tpm2(a)lists.01.org>
>> Subject: [tpm2] Key Certification
>>
>> Hello again,
>>
>> so I played around with tpm2 tools some more.
>> I managed to get TLS-EAP networking working with keys stored inside the crypto
>> chip
>>
>> Now I would like to prove that the secret keys used are really stored inside.
> The secret keys, as in AES or the private key as an asymmetric keypair like RSA or EC?

RSA keys. In this case, generated by tpm2tss-genkey. And those keys can't
be loaded with tpm2_load right now, I think.
https://github.com/tpm2-software/tpm2-tss-engine/issues/39

> The secret session key, AFAIK, is not stored in the TPM because it would be way too slow.
> Just the initial private key for the asymmetric setup for the session key is stored in the TPM.
>
>> If I understand it correctly,  I should be able to just sign keys stored inside the
>> TPM with the AIK I created in a previous step.
>>
>> so, tpm2_load && tpm2_certify ?
> Pretty much, you can certify that the private half of a public key is in the TPM based on name.
Thanks. I suspected as much.


* [tpm2] Re: Key Certification
@ 2020-01-20 15:38 Roberts, William C
  0 siblings, 0 replies; 4+ messages in thread
From: Roberts, William C @ 2020-01-20 15:38 UTC (permalink / raw)
  To: tpm2

> -----Original Message-----
> From: Steffen Schwebel [mailto:s.schwebel(a)uvensys.de]
> Sent: Saturday, January 18, 2020 2:11 PM
> To: tpm2 <tpm2(a)lists.01.org>
> Subject: [tpm2] Key Certification
> 
> Hello again,
> 
> so I played around with tpm2 tools some more.
> I managed to get TLS-EAP networking working with keys stored inside the crypto
> chip
> 
> Now I would like to prove that the secret keys used are really stored inside.

The secret keys, as in AES or the private key as an asymmetric keypair like RSA or EC?

The secret session key, AFAIK, is not stored in the TPM because it would be way too slow.
Just the initial private key for the asymmetric setup for the session key is stored in the TPM.

> If I understand it correctly,  I should be able to just sign keys stored inside the
> TPM with the AIK I created in a previous step.
> 
> so, tpm2_load && tpm2_certify ?

Pretty much, you can certify that the private half of a public key is in the TPM based on name.

> 
> except there seems to be no way to load the keys I created with tpm2tss-
> genkey, right?
> 
> 
> regards,
> Steffen
> 
> --
> Steffen Schwebel
> Mail: s.schwebel(a)uvensys.de
> uvensys GmbH

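Both the tpm2_certify answer above ("certify that the private half of a public key is in the TPM based on name") and the tpm2_makecredential / tpm2_activatecredential flow in Nicolas's reply hinge on the TPM object name, which is just nameAlg followed by the nameAlg digest of the marshalled TPMT_PUBLIC. The Python below is an added example, not code from this thread or from the tpm2-tools / tpm2-tss-engine projects: it marshals an RSA public area, recomputes its name, and checks the TPMS_ATTEST structure that TPM2_Certify emits against that name and against the verifier's own nonce. The modulus, nonce, AIK name and clock values are constructed placeholders, and the AIK signature over the attestation blob is assumed to be verified in a separate step.

```python
"""Added example (not from the thread or tpm2-tools): check the name binding in a
TPM2_Certify attestation.  Name = nameAlg || H_nameAlg(marshalled TPMT_PUBLIC), so a
verifier holding only the public area can recompute it and compare."""
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # TPM_GENERATED magic, first field of TPMS_ATTEST
TPM_ST_ATTEST_CERTIFY = 0x8017
TPM_ALG_RSA = 0x0001
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
HASH_BY_ALG = {TPM_ALG_SHA256: hashlib.sha256}


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B_* sized buffer: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def marshal_rsa_public(modulus: bytes, attributes: int, key_bits: int = 2048,
                       exponent: int = 0, name_alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshal a TPMT_PUBLIC for an RSA key with null symmetric and null scheme
    (the shape of a plain signing key from tpm2_create or tpm2tss-genkey)."""
    return (struct.pack(">HHI", TPM_ALG_RSA, name_alg, attributes)
            + tpm2b(b"")                              # authPolicy: empty
            + struct.pack(">H", TPM_ALG_NULL)         # parameters.symmetric = TPM_ALG_NULL
            + struct.pack(">H", TPM_ALG_NULL)         # parameters.scheme = TPM_ALG_NULL
            + struct.pack(">HI", key_bits, exponent)  # keyBits, exponent (0 means 65537)
            + tpm2b(modulus))                         # unique: the modulus


def object_name(public_area: bytes) -> bytes:
    """TPM2B_NAME contents for a marshalled TPMT_PUBLIC: nameAlg || digest."""
    (name_alg,) = struct.unpack_from(">H", public_area, 2)
    if name_alg not in HASH_BY_ALG:
        raise ValueError("unsupported nameAlg 0x%04x" % name_alg)
    return struct.pack(">H", name_alg) + HASH_BY_ALG[name_alg](public_area).digest()


class _Reader:
    """Minimal big-endian unmarshaller for the fixed TPMS_ATTEST layout."""
    def __init__(self, blob: bytes):
        self.blob, self.off = blob, 0

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.blob, self.off)
        self.off += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def sized(self) -> bytes:
        n = self.take(">H")
        data = self.blob[self.off:self.off + n]
        if len(data) != n:
            raise ValueError("truncated TPM2B field")
        self.off += n
        return data


def parse_attest(blob: bytes) -> dict:
    """Unmarshal a TPMS_ATTEST of type TPM_ST_ATTEST_CERTIFY; ValueError if malformed."""
    r = _Reader(blob)
    try:
        if r.take(">I") != TPM_GENERATED_VALUE:
            raise ValueError("bad magic: not a TPM-generated structure")
        if r.take(">H") != TPM_ST_ATTEST_CERTIFY:
            raise ValueError("not a TPM_ST_ATTEST_CERTIFY structure")
        att = {"qualifiedSigner": r.sized(), "extraData": r.sized()}
        att["clock"], att["resetCount"], att["restartCount"], att["safe"] = r.take(">QIIB")
        att["firmwareVersion"] = r.take(">Q")
        att["name"], att["qualifiedName"] = r.sized(), r.sized()   # TPMS_CERTIFY_INFO
    except struct.error as exc:
        raise ValueError("truncated TPMS_ATTEST") from exc
    if r.off != len(blob):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return att


def verify_certify(attest: bytes, public_area: bytes, nonce: bytes) -> bool:
    """True iff the attestation names *this* public key and carries *our* nonce.
    The AIK signature over `attest` is checked separately (e.g. openssl dgst -verify)."""
    att = parse_attest(attest)
    return att["name"] == object_name(public_area) and att["extraData"] == nonce


# --- constructed sample data: not a real key and not real TPM output ----------
SAMPLE_MODULUS = hashlib.sha256(b"demo-modulus").digest() * 8          # 256 bytes
SIGNING_KEY_ATTRS = 0x00040072   # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|sign
SAMPLE_PUBLIC = marshal_rsa_public(SAMPLE_MODULUS, SIGNING_KEY_ATTRS)
SAMPLE_NONCE = b"verifier-challenge-0001"
AIK_NAME = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"aik-placeholder").digest()


def build_attest(name: bytes, nonce: bytes, signer_name: bytes) -> bytes:
    """Constructed TPMS_ATTEST with the layout a TPM would emit (demo only)."""
    qualified = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"qn:" + name).digest()
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
            + tpm2b(signer_name) + tpm2b(nonce)
            + struct.pack(">QIIB", 12345, 3, 0, 1)   # TPMS_CLOCK_INFO placeholder
            + struct.pack(">Q", 0x1234)              # firmwareVersion placeholder
            + tpm2b(name) + tpm2b(qualified))        # attested.name, attested.qualifiedName


def demo():
    """Attestation for our key passes; one naming a different key fails."""
    good = build_attest(object_name(SAMPLE_PUBLIC), SAMPLE_NONCE, AIK_NAME)
    other = marshal_rsa_public(hashlib.sha256(b"other-modulus").digest() * 8, SIGNING_KEY_ATTRS)
    swapped = build_attest(object_name(other), SAMPLE_NONCE, AIK_NAME)
    return (verify_certify(good, SAMPLE_PUBLIC, SAMPLE_NONCE),
            verify_certify(swapped, SAMPLE_PUBLIC, SAMPLE_NONCE))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

With a real TPM the public area comes from tpm2_readpublic and the attestation from tpm2_certify; the verifier recomputes the name from the public area, checks it against attested.name, checks extraData against the nonce it sent, and only then trusts the AIK signature over the blob. The same name computation is what makes tpm2_makecredential useful: the credential is bound to the key's name, so only a TPM that actually holds an object with that name (under the same EK) can activate it.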
