aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

Does IoT SDK C support TPM?? #162

Closed totszwai closed 6 years ago

totszwai commented 6 years ago

I only see variables for setting the cert and the pkey, but I don't see anything to deal with the context related to the TPM? Can I set the certificate parameter without providing the private key? Or is there a way to use something else other than mbedtls?

gordonwang0 commented 6 years ago

Hi @totszwai,

The current Embedded C SDK does not use TPM; it uses the mbedtls_pk_parse_keyfile API to load the private key from a file on disk. We then call mbedtls_ssl_conf_own_cert to attach the client certificate and aforementioned private key to the TLS client configuration. Both certificate and private key are required.

As an alternative, mbedTLS supports the PKCS#11 crypto interface by way of a separate open-source library. See also the API functions mbedtls_pkcs11_init, mbedtls_pkcs11_x509_cert_bind, and mbedtls_pkcs11_priv_key_bind. The latter functions allow you to create the certificate and private key context handles that can be passed to mbedtls_ssl_conf_own_cert (i.e., as an alternative to loading those files from disk).

The final piece of the puzzle is a PKCS#11 implementation for TPM. The following links may be helpful.

gordonwang0 commented 6 years ago

Hi @totszwai,

Let me know if you need any more help on this. Closing issue.