search

mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki
Other
35 stars 13 forks source link

CMPv2: Accessing private key from TPM hardware #215

Closed bairathivivek closed 3 years ago

bairathivivek commented 4 years ago

Hi,

What command/option/field can be used in cmpossl, so that it can read the private key from TPM hardware? If possible please give an example.

Thanks & Regards, Vivek

mpeylo commented 4 years ago

Hi,

https://github.com/tpm2-software/tpm2-tss-engine

I cannot recall whether I ever used that particular TPM Engine for the CMP extension to OpenSSL, while I have generally used it with OpenSSL. I have extensively used libp11-based PKCS#11 engine to use PKI smart cards with CMP, so you can expect that engines generally work.

Note this: https://github.com/tpm2-software/tpm2-tss-engine/issues/186

BR,, Martin

bairathivivek commented 3 years ago

Hi Martin,

Thanks for the reply.

Yes, am using tpm2-tss-engine for accessing TPM via openssl but have few doubts. Just needed a confirmation that following usage of TPM key generation and usage of those keys in cmp.cnf is correct?

TPM and openssl cmp Commands: tpm2_getpubek -H 0x81010001 -g rsa -f vendor_ek_rsa.pub tpm2_getpubak -E 0x81010001 -g rsa -D sha256 -s rsassa -k 0x81010002 -P 123456 -f vendor_ak_rsa2.pub -n vendor_ak_rsa2.name tpm2_getpubek -H 0x81010003 -g rsa -f mv1_ek_rsa.pub tpm2_getpubak -E 0x81010003 -g rsa -D sha256 -s rsassa -k 0x81010004 -P 123456 -f mv1_ak_rsa2.pub -n mv1_ak_rsa2.name tpm2_getpubek -H 0x81010005 -g rsa -f mv2_ek_rsa.pub tpm2_getpubak -E 0x81010005 -g rsa -D sha256 -s rsassa -k 0x81010006 -P 123456 -f mv2_ak_rsa2.pub -n mv2_ak_rsa2.name

openssl cmp -engine tpm2tss -config cmp.cnf -section ir openssl cmp -engine tpm2tss -config cmp.cnf -section kur

cmp.cnf:

default cmp request

[default]

server info

server = 10.1.26.116:449

server path

path = cmp

client trusted operatorroot ca certificate

trusted = cmpca.pem

CMS/CA CN name

recipient = "/C=IN/O=mv/OU=qa/CN=cmpca"

client subject name

subject = "/C=IN/O=mv/OU=qa/CN=vivek"

client new certifcate

certout = client.crt

CMS/intermediate operator CA certificate

cacertsout = OperatorCA.pem

cmd = ir

unprotectederrors = 1

cmp section

[cmp]

ir request

[ir]

cmd = ir

vendor certificate

cert = MvEnodeRootCert.pem

vendor key

key = engine:0x81010002 keypass = pass:123456

client new key

newkey = engine:0x81010004 newkeypass = pass:123456

client new certificate

certout = $default::certout

KUR request

[kur]

cmd = kur

client old certifcate

cert = $default::certout

client old key

key = engine:0x81010004 keypass = pass:123456

client new key

newkey = engine:0x81010006 newkeypass = pass:123456

client new certificate

certout = client_newcert.pem

Thanks & Regards, Vivek