Open pnwamk opened 7 years ago
Hi @pnwamk Thank you for raising this issue! We will look into this feature request As an open source project, you are welcome to contribute your code, as long as you have signed the CLA and follow our coding standards. You could find more information in the readme file
ARM Internal Ref: IOTSSL-1540
I'm happy to sign the CLA. I'm not sure how close my code is to a desirable solution.
Side note: My work with mbedtls came about during an internship at MSR Cambridge. If I was there full time and continuing to work on projects that used it I'd be more than happy to further flesh out a solution -- but I'm headed back to PhD student life and my work there doesn't relate at all (I won't even have access to the code that used it), so I likely won't spend any more time on this (sorry!).
Anyway, just wanted to make public my findings and (probably extremely hacky) solution.
Cheers!
Any updated on this issue?
The certificates contained in TPMs (at least v1.2) are (I believe) a little non-standard and use the RSAES-OAEP encryption scheme.
Here's an example of one: https://github.com/pnwamk/mbedtls/blob/rsaes-oaep/example_tpm_cert.der
Currently mbedtls cannot parse these certificates at all (it simply results in an error), which is unfortunate. After a bit of exploring and hacking, I tweaked mbedtls so it could parse the certificate well enough for my needs: https://github.com/pnwamk/mbedtls/commit/f6ebdf943264f7cf11d0052ff1fcfee12cfcb357 (I'm not confident this is entirely correct, but it was enough to help my little project along)
Openssl, interestingly, is able to mostly parse these certificates (upon inspection it is clear the nonstandard portions were an issue for openssl as well, but you at least get usable results back, instead of just an error---see the included output below).
It would be nice if mbedtls could handle these kinds of certs to some degree as well (at least be able to parse them and let users inspect/utilise their well-formed components, etc).