Hello y'all, 

I'm trying to import my PKCS11 configuration from the old, fully deprecated project tpm2-pk11. In this setup, the tpm2 holds persistent RSA keys and associates them with adequately named certificates located on the file system. I understand that this should have been done a lot earlier (but then, even a lot earlier would not have changed much, as the development and even the first distributed products predated the very first commit of tpm2-pkcs11); unfortunately days are limited and my todo list is way too long.

Keys were generated using tpm2_create a long, long time ago.

Since this is a really old setup, I no longer have the key.pub and key.priv files available (they were trashed, as they are no longer useful). I can get the public key through tpm2_readpublic but that won't help me much.

Now, the "Interoperability with Existing TPM2 Objects" document proposes a way to init tpm2-pkcs11 using keys that were created with tpm2_create. Unfortunately, it seems it also requires two things I cannot provide it:

  * pincodes, for /tpm2_ptool addtoken/ (this is an embedded platform; no pin codes; if I'm forced to add them they'll end up as environment vars anyway so there is no real interest for pincode in this situation)
  * the key files, for /tpm2_ptool link/ (key.pub and key.priv are no longer available)

Is there any other way to import my configuration into tpm2-pkcs11? Not being able to do it means that some of our oldest customers will have bricked hardware (one of the current tokens is used to identify the hardware and is set during production, so not being able to reload it essentially means that this hardware will not be able to identify itself to our services and will not work at all), and this is a hard sell...

Best regards, 

-- Emmanuel Deloget