* [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
@ 2022-04-26 13:09 Petr Gotthard
0 siblings, 0 replies; 5+ messages in thread
From: Petr Gotthard @ 2022-04-26 13:09 UTC (permalink / raw)
To: tpm2
[-- Attachment #1: Type: text/plain, Size: 6036 bytes --]
Could be separate the individual questions/issues, please? I am getting lost :)
The "command code not supported" error after Esys_CreateLoaded is a known issue:
https://github.com/tpm2-software/tpm2-openssl/issues/29
To set the hierarchy you may be able to use the "-pkeyopt parent" parameter.
Petr
______________________________________________________________
> Od: "Sievert, James" <james.sievert(a)bsci.com>
> Komu: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
> Datum: 26.04.2022 14:57
> Předmět: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>I was embarking on that and hit another snag:
>
> $ tpm2_getcap ecc-curves
> TPM2_ECC_NIST_P256: 0x3
> TPM2_ECC_BN_P256: 0x10
>
> $ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.priv
> Warning: generating random key material may take a long time
> if the system has a poor entropy source
> WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
> genpkey: Error generating EC key
> 403C86A7007F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported
>
>I’m curious, does one have control over the hierarchy under which the key is created?
>
>Also, related to my initial query, the TPM vendor has internal certificates stored at 0x1c0000a and 0x1c00002:
>
> 0x1c00002:
> name: 000bec00c657a4e2724101954c2c9d51ddd45c825c3997ec0786c3afeb0f7fca3ec7
> hash algorithm:
> friendly: sha256
> value: 0xB
> attributes:
> friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
> value: 0x1200762
> size: 1177
>
> 0x1c0000a:
> name: 000b2571404112c8aae1cde797c438d921093fc89b74d44564c25c296aaa26a6f041
> hash algorithm:
> friendly: sha256
> value: 0xB
> attributes:
> friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
> value: 0x1200762
> size: 781
>
>I cannot retrieve them using openssl x509:
>
> $ openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
> WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
> Could not read certificate from handle:0x1c0000a
> 405C04A14E7F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
> Unable to load certificate
>
> $ openssl x509 -provider tpm2 -provider default -in handle:0x1c00002
> WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
> Could not read certificate from handle:0x1c00002
> 40DC7060527F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
> Unable to load certificate
>
>This does work; however:
>
> bsci(a)ip-10-132-42-225:~/test$ tpm2_nvread -C p -s 781 0x1c0000a |openssl x509 -in /dev/stdin -inform der -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 756297432 (0x2d142ed8)
> Signature Algorithm: ecdsa-with-SHA256
> Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 029
> Validity
> Not Before: Sep 29 02:49:58 2021 GMT
> Not After : Sep 29 02:49:58 2036 GMT
> …
>
>
>-----Original Message-----
>From: Petr Gotthard <petr.gotthard(a)centrum.cz>
>Sent: Tuesday, April 26, 2022 8:20 AM
>To: tpm2(a)lists.01.org
>Subject: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>Oh, I never tested the `openssl cms` commands. There may be something missing from the OpenSSL. What CMS functions you need? Could you please suggest a sequence of openssl (and other commands) to verify all required CMS functions? Something like a new (set of) test(s), similar e.g. to https://github.com/tpm2-software/tpm2-openssl/blob/master/test/ecdsa_genpkey_auth.sh.
>
>Petr
>______________________________________________________________
>> Od: "Sievert, James" <james.sievert(a)bsci.com<mailto:james.sievert(a)bsci.com>>
>> Komu: "tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>" <tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>>
>> Datum: 26.04.2022 14:07
>> Předmět: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>>
>>Thanks, Petr. That did the trick (actually, base was sufficient). In a similar vein, the corresponding private key is also held persistently in the TPM, handle 0x81800002. I'm now attempting the following:
>>
>> openssl cms -sign -provider tpm2 -provider default -in file.txt
>> -inkey handle:0x81800002 -signer handle:0x01000013
>>
>>I get no output, and a return value of 3. I get the same result if I reference the public key certificate as a file:
>>
>> openssl cms -sign -provider tpm2 -provider default -in file.txt
>> -inkey handle:0x81800002 -signer signer.pem
>>
>>Any insight on that would be appreciated…
>>
>_______________________________________________
>tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
>To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave(a)lists.01.org> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
>
>
>----------
>
>_______________________________________________
>tpm2 mailing list -- tpm2(a)lists.01.org
>To unsubscribe send an email to tpm2-leave(a)lists.01.org
>%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
@ 2022-04-26 14:24 Sievert, James
0 siblings, 0 replies; 5+ messages in thread
From: Sievert, James @ 2022-04-26 14:24 UTC (permalink / raw)
To: tpm2
[-- Attachment #1: Type: text/plain, Size: 1698 bytes --]
> Could you please suggest a sequence of openssl (and other commands) to verify all required CMS functions?
Tell you what, I'll frame the test sequences in terms of the tpm2tss engine commands as I can verify correct syntax and command operation. I'll assume for the time being that the necessary keys and certs are stored in TPM NVRAM through tpm2_* commands.
The a good start to testing would be something to the effect:
echo "this is some text" >file.txt
openssl cms -sign -engine tpm2tss -keyform engine -inkey 0x81800002 -signer signer.pem -in file.txt -binary -nodetach -out file.sig
(note that although the tpm2tss engine doesn't support it, the signer could also be given as a handle to the tpm2 provider)
openssl cms -verify -in file.sig -binary -noverify
(note that you can remove the -noverify and point to a truststore if necessary with -CApath /somewhere/truststore)
openssl cms -encrypt -recip signer.pem -in file.txt -out file.enc
(note that although the tpm2tss engine doesn't support it, the recip could also be given as a handle to the tpm2 provider)
openssl cms -decrypt -engine tpm2tss -keyform engine -inkey 0x81800002 -in file.enc -recip signer.pem
(note that this command doesn't work with the tpm2tss engine. See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1962549.)
openssl cms -encrypt -sign...
(the cms command can encrypt, sign, and bundle everything into an output with a single command -- the syntax is a combination of what's above)
openssl cms -verify -decrypt ...
(the cms command can verify and decrypt an input with a single command -- the syntax is a combination of what's above)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
@ 2022-04-26 12:57 Sievert, James
0 siblings, 0 replies; 5+ messages in thread
From: Sievert, James @ 2022-04-26 12:57 UTC (permalink / raw)
To: tpm2
[-- Attachment #1: Type: text/plain, Size: 5120 bytes --]
I was embarking on that and hit another snag:
$ tpm2_getcap ecc-curves
TPM2_ECC_NIST_P256: 0x3
TPM2_ECC_BN_P256: 0x10
$ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.priv
Warning: generating random key material may take a long time
if the system has a poor entropy source
WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
genpkey: Error generating EC key
403C86A7007F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported
I’m curious, does one have control over the hierarchy under which the key is created?
Also, related to my initial query, the TPM vendor has internal certificates stored at 0x1c0000a and 0x1c00002:
0x1c00002:
name: 000bec00c657a4e2724101954c2c9d51ddd45c825c3997ec0786c3afeb0f7fca3ec7
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
value: 0x1200762
size: 1177
0x1c0000a:
name: 000b2571404112c8aae1cde797c438d921093fc89b74d44564c25c296aaa26a6f041
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
value: 0x1200762
size: 781
I cannot retrieve them using openssl x509:
$ openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
Could not read certificate from handle:0x1c0000a
405C04A14E7F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
Unable to load certificate
$ openssl x509 -provider tpm2 -provider default -in handle:0x1c00002
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
Could not read certificate from handle:0x1c00002
40DC7060527F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
Unable to load certificate
This does work; however:
bsci(a)ip-10-132-42-225:~/test$ tpm2_nvread -C p -s 781 0x1c0000a |openssl x509 -in /dev/stdin -inform der -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 756297432 (0x2d142ed8)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 029
Validity
Not Before: Sep 29 02:49:58 2021 GMT
Not After : Sep 29 02:49:58 2036 GMT
…
-----Original Message-----
From: Petr Gotthard <petr.gotthard(a)centrum.cz>
Sent: Tuesday, April 26, 2022 8:20 AM
To: tpm2(a)lists.01.org
Subject: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
Oh, I never tested the `openssl cms` commands. There may be something missing from the OpenSSL. What CMS functions you need? Could you please suggest a sequence of openssl (and other commands) to verify all required CMS functions? Something like a new (set of) test(s), similar e.g. to https://github.com/tpm2-software/tpm2-openssl/blob/master/test/ecdsa_genpkey_auth.sh.
Petr
______________________________________________________________
> Od: "Sievert, James" <james.sievert(a)bsci.com<mailto:james.sievert(a)bsci.com>>
> Komu: "tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>" <tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>>
> Datum: 26.04.2022 14:07
> Předmět: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>Thanks, Petr. That did the trick (actually, base was sufficient). In a similar vein, the corresponding private key is also held persistently in the TPM, handle 0x81800002. I'm now attempting the following:
>
> openssl cms -sign -provider tpm2 -provider default -in file.txt
> -inkey handle:0x81800002 -signer handle:0x01000013
>
>I get no output, and a return value of 3. I get the same result if I reference the public key certificate as a file:
>
> openssl cms -sign -provider tpm2 -provider default -in file.txt
> -inkey handle:0x81800002 -signer signer.pem
>
>Any insight on that would be appreciated…
>
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave(a)lists.01.org> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 12749 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
@ 2022-04-26 12:20 Petr Gotthard
0 siblings, 0 replies; 5+ messages in thread
From: Petr Gotthard @ 2022-04-26 12:20 UTC (permalink / raw)
To: tpm2
[-- Attachment #1: Type: text/plain, Size: 1283 bytes --]
Oh, I never tested the `openssl cms` commands. There may be something missing from the OpenSSL. What CMS functions you need? Could you please suggest a sequence of openssl (and other commands) to verify all required CMS functions? Something like a new (set of) test(s), similar e.g. to https://github.com/tpm2-software/tpm2-openssl/blob/master/test/ecdsa_genpkey_auth.sh.
Petr
______________________________________________________________
> Od: "Sievert, James" <james.sievert(a)bsci.com>
> Komu: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
> Datum: 26.04.2022 14:07
> Předmět: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>Thanks, Petr. That did the trick (actually, base was sufficient). In a similar vein, the corresponding private key is also held persistently in the TPM, handle 0x81800002. I'm now attempting the following:
>
> openssl cms -sign -provider tpm2 -provider default -in file.txt -inkey handle:0x81800002 -signer handle:0x01000013
>
>I get no output, and a return value of 3. I get the same result if I reference the public key certificate as a file:
>
> openssl cms -sign -provider tpm2 -provider default -in file.txt -inkey handle:0x81800002 -signer signer.pem
>
>Any insight on that would be appreciated…
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
@ 2022-04-26 12:06 Sievert, James
0 siblings, 0 replies; 5+ messages in thread
From: Sievert, James @ 2022-04-26 12:06 UTC (permalink / raw)
To: tpm2
[-- Attachment #1: Type: text/plain, Size: 5956 bytes --]
Thanks, Petr. That did the trick (actually, base was sufficient). In a similar vein, the corresponding private key is also held persistently in the TPM, handle 0x81800002. I'm now attempting the following:
openssl cms -sign -provider tpm2 -provider default -in file.txt -inkey handle:0x81800002 -signer handle:0x01000013
I get no output, and a return value of 3. I get the same result if I reference the public key certificate as a file:
openssl cms -sign -provider tpm2 -provider default -in file.txt -inkey handle:0x81800002 -signer signer.pem
Any insight on that would be appreciated…
-----Original Message-----
From: Petr Gotthard <petr.gotthard(a)centrum.cz>
Sent: Tuesday, April 26, 2022 7:42 AM
To: Sievert, James <james.sievert(a)bsci.com>; tpm2(a)lists.01.org
Subject: {External} Re: [tpm2] OpenSSL 3 and tpm2 provider...
Hello,
you may be missing "-provider default", please try
$ openssl x509 -provider tpm2 -provider default -in handle:0x01000013 -noout -text
Some explanation why is that is here:
https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/initialization.md#loading-multiple-providers
Petr
______________________________________________________________
> Od: "Sievert, James" <james.sievert(a)bsci.com<mailto:james.sievert(a)bsci.com>>
> Komu: "tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>" <tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>>
> Datum: 26.04.2022 13:32
> Předmět: [tpm2] OpenSSL 3 and tpm2 provider...
>
>Hi,
>
>I'm using the following OpenSSL version under Ubuntu 22.04: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022).
>
>I have an EC public key certificate held persistently in a TPM 2.0, handle 0x01000013. I'm attempting the following:
>
>$ openssl x509 -provider tpm2 -in handle:0x01000013 -noout -text
>
>and finding that OpenSSL x509 is unable to load the public key:
>
>Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 9177472452311271732 (0x7f5cee922ff24934)
> Signature Algorithm: ecdsa-with-SHA256
> Issuer: CN = aaaa, OU = yyyy, O = zzzz
> Validity
> Not Before: Apr 25 16:43:35 2022 GMT
> Not After : Dec 31 12:00:00 2045 GMT
> Subject: CN = xxxx, OU = yyyy, O = zzzz
> Subject Public Key Info:
> Public Key Algorithm: id-ecPublicKey
> Unable to load Public Key
>402C48BB567F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
>402C48BB567F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Authority Key Identifier:
> B0:06:08:77:FC:C0:3B:0A:F5:8E:0C:B8:F1:DE:A9:55:8B:E5:F1:79
> X509v3 Extended Key Usage:
> TLS Web Client Authentication, Code Signing, E-mail Protection, TLS Web Server Authentication
> X509v3 Subject Key Identifier:
> 4D:5D:71:84:B5:D9:7B:B1:11:52:58:BC:5E:BE:A8:0D:8C:AE:17:63
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Key Encipherment
> Signature Algorithm: ecdsa-with-SHA256
> Signature Value:
> 30:44:02:20:5b:ce:5e:3f:67:85:11:42:d5:5f:2a:ba:cd:12:
> f2:e7:bd:0e:f5:9e:ae:d1:65:8d:9c:d3:dc:7c:8d:63:ec:07:
> 02:20:33:3f:b6:22:39:62:ff:3b:9f:21:eb:43:e1:9e:40:31:
> 39:fb:14:a8:1f:c9:33:48:18:99:33:dd:03:86:2c:0e
>
>I am able to do this:
>
>$ openssl x509 -provider tpm2 -in handle:0x01000013 | openssl x509 -in
>/dev/stdin -noout -text
>Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 9177472452311271732 (0x7f5cee922ff24934)
> Signature Algorithm: ecdsa-with-SHA256
> Issuer: CN = aaaa, OU = yyyy, O = zzzz
> Validity
> Not Before: Apr 25 16:43:35 2022 GMT
> Not After : Dec 31 12:00:00 2045 GMT
> Subject: CN = xxxx, OU = yyyy, O = zzzz
> Subject Public Key Info:
> Public Key Algorithm: id-ecPublicKey
> Public-Key: (256 bit)
> pub:
> 04:eb:d3:da:02:5a:43:4e:5c:1a:b5:09:e7:6a:8e:
> 1e:65:9f:eb:ab:35:d5:33:f9:1f:16:bf:d8:0d:c6:
> f0:09:ae:10:60:3d:82:cf:46:29:a0:a9:24:47:dd:
> e2:5a:ea:97:b6:c1:6a:fa:b2:8a:7c:30:36:36:1a:
> 8a:e2:91:62:4b
> ASN1 OID: prime256v1
> NIST CURVE: P-256
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Authority Key Identifier:
> B0:06:08:77:FC:C0:3B:0A:F5:8E:0C:B8:F1:DE:A9:55:8B:E5:F1:79
> X509v3 Extended Key Usage:
> TLS Web Client Authentication, Code Signing, E-mail Protection, TLS Web Server Authentication
> X509v3 Subject Key Identifier:
> 4D:5D:71:84:B5:D9:7B:B1:11:52:58:BC:5E:BE:A8:0D:8C:AE:17:63
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Key Encipherment
> Signature Algorithm: ecdsa-with-SHA256
> Signature Value:
> 30:44:02:20:5b:ce:5e:3f:67:85:11:42:d5:5f:2a:ba:cd:12:
> f2:e7:bd:0e:f5:9e:ae:d1:65:8d:9c:d3:dc:7c:8d:63:ec:07:
> 02:20:33:3f:b6:22:39:62:ff:3b:9f:21:eb:43:e1:9e:40:31:
> 39:fb:14:a8:1f:c9:33:48:18:99:33:dd:03:86:2c:0e
>
>Any help would be appreciated.
>Thanks.
>
>
>----------
>
>_______________________________________________
>tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
>To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave(a)lists.01.org>
>%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
>
[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 12535 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-04-26 14:24 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-26 13:09 [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider Petr Gotthard
-- strict thread matches above, loose matches on Subject: below --
2022-04-26 14:24 Sievert, James
2022-04-26 12:57 Sievert, James
2022-04-26 12:20 Petr Gotthard
2022-04-26 12:06 Sievert, James
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.