tpm2-software / tpm2-abrmd

TPM2 Access Broker & Resource Management Daemon implementing the TCG spec.
https://github.com/tpm2-software/tpm2-abrmd
BSD 2-Clause "Simplified" License

During SSL handshake, error coming as "write_all: failed to write to ostream: Error sending data: Broken pipe" #829

Open ssonnagi opened 1 year ago

ssonnagi commented 1 year ago

I am using openssl 3.0.2, TPM2-OPENSSL, ibmtpm-1682 and tpm2-abrmd.

I have also posted the same question in tpm2-tss, as I don't know where to put it exactly, since the error belongs to tpm2-tss. I am trying to integrate tpm2 with librdkafka, using tpm2-generated private keys and a certificate for mTLS of Kafka on the client side. Steps I followed:

  1. tpm2_createek -G rsa -c ek_rsa.ctx
  2. tpm2_createak -C ek_rsa.ctx -G rsa -g sha256 -s rsassa -c ak_rsa.ctx
  3. tpm2_evictcontrol -c ak_rsa.ctx | cut -d ' ' -f 2 | head -n 1
    • 0x81000001
  4. openssl req -provider tpm2 -new -config requestCert.conf -key handle:0x81000001 -out clientKafka.csr
  5. openssl x509 -req -days 365 -in clientKafka.csr -CA rootCA.pem -CAkey rootCA.key -CAserial rootCA.srl -out clientKafka.pem
  6. tpm2_nvdefine -C o -s 1196 -a "authwrite|ownerwrite|authread|ownerread|no_da" 2
  7. tpm2_nvwrite -C o -i /home/tss/certTest/clientKafka.pem 2
  8. tpm2_getcap handles-nv-index
    • 0x1000002

Brief code of SSLHandShake.cpp:

#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/provider.h>
#include <openssl/ssl.h>
#include <openssl/store.h>

int main()
{
    int r = 0;
    OSSL_LIB_CTX *tpm2_libctx = OSSL_LIB_CTX_new();

    /* Load the tpm2 provider and the default provider into the same library context. */
    OSSL_PROVIDER *tpm2_prov = OSSL_PROVIDER_load(tpm2_libctx, "tpm2");
    OSSL_PROVIDER *default_prov = OSSL_PROVIDER_load(tpm2_libctx, "default");
    if (tpm2_prov == NULL || default_prov == NULL) {
        ERR_print_errors_fp(stderr);
        return 1;
    }

    X509 *TPMCert = NULL;
    EVP_PKEY *TPMpkey = NULL;

    /* Private key: the persistent handle from tpm2_evictcontrol, via the tpm2 store loader.
       The 4th argument is the UI_METHOD pointer, so it must be NULL, not a string. */
    OSSL_STORE_CTX *storeCtx = OSSL_STORE_open_ex("handle:0x81000001", tpm2_libctx, "?provider=tpm2",
                                                  NULL, NULL, NULL, NULL, NULL);
    if (storeCtx == NULL) {
        ERR_print_errors_fp(stderr);
        return 1;
    }
    while (!OSSL_STORE_eof(storeCtx)) {
        OSSL_STORE_INFO *info = OSSL_STORE_load(storeCtx);
        if (info == NULL)
            break; /* error or nothing more to load */
        switch (OSSL_STORE_INFO_get_type(info)) {
        case OSSL_STORE_INFO_PKEY:
            TPMpkey = OSSL_STORE_INFO_get1_PKEY(info);
            break;
        }
        OSSL_STORE_INFO_free(info);
    }
    OSSL_STORE_close(storeCtx);

    /* Certificate: the NV index written with tpm2_nvwrite. */
    storeCtx = OSSL_STORE_open_ex("handle:0x1000002", tpm2_libctx, "?provider=tpm2",
                                  NULL, NULL, NULL, NULL, NULL);
    if (storeCtx == NULL) {
        ERR_print_errors_fp(stderr);
        return 1;
    }
    while (!OSSL_STORE_eof(storeCtx)) {
        OSSL_STORE_INFO *info = OSSL_STORE_load(storeCtx);
        if (info == NULL)
            break;
        switch (OSSL_STORE_INFO_get_type(info)) {
        case OSSL_STORE_INFO_CERT:
            TPMCert = OSSL_STORE_INFO_get1_CERT(info);
            break;
        }
        OSSL_STORE_INFO_free(info);
    }
    OSSL_STORE_close(storeCtx);

    if (TPMpkey == NULL || TPMCert == NULL) {
        fprintf(stderr, "failed to load the key or the certificate from the TPM\n");
        ERR_print_errors_fp(stderr);
        return 1;
    }

    SSL_CTX *ctx = SSL_CTX_new_ex(tpm2_libctx, NULL, TLS_client_method());

    r = SSL_CTX_load_verify_file(ctx, "rootCA.pem");
    if (r == 1) r = SSL_CTX_use_certificate(ctx, TPMCert);
    if (r == 1) r = SSL_CTX_use_PrivateKey(ctx, TPMpkey);
    if (r == 1) r = SSL_CTX_check_private_key(ctx);
    if (r != 1) {
        ERR_print_errors_fp(stderr);
        return 1;
    }

    /* The posted snippet omits how trans_ssl is created and attached to the socket;
       it must be an SSL object from this ctx with a connected fd or BIO set on it. */
    SSL *trans_ssl = SSL_new(ctx);
    /* ... SSL_set_fd(trans_ssl, sock) or SSL_set_bio(...) goes here ... */
    r = SSL_do_handshake(trans_ssl);
    if (r != 1) {
        fprintf(stderr, "SSL_do_handshake failed: %d\n", SSL_get_error(trans_ssl, r));
        ERR_print_errors_fp(stderr);
    }

    SSL_free(trans_ssl);
    SSL_CTX_free(ctx);
    X509_free(TPMCert);
    EVP_PKEY_free(TPMpkey);
    OSSL_PROVIDER_unload(default_prov);
    OSSL_PROVIDER_unload(tpm2_prov);
    OSSL_LIB_CTX_free(tpm2_libctx);
    return r == 1 ? 0 : 1;
}

While running the above compiled code, I get the error "write_all: failed to write to ostream: Error sending data: Broken pipe" on abrmd and "tpm2::cannot sign: 722 tpm:parameter(2):unsupported or incompatible scheme" on tpm2.

Am I following the correct steps? Is anything wrong? Please help me to overcome this error.
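The "722 tpm:parameter(2):unsupported or incompatible scheme" part of the message above is tpm2-tss's rendering of the raw TPM response code 722 (0x2D2) returned by the signing command. The decoder below is an added example, not code from this issue or from tpm2-abrmd, tpm2-tss or tpm2-openssl: it splits a TPM_RC into the fields defined in the TPM 2.0 Library Specification Part 2 (TSS layer, format bit, parameter/handle/session number, error number) and prints it in the same "layer:location(n):description" style. The name/description table is a constructed subset of the format-1 codes, and the "tss-layer" label for non-zero layers is this example's own choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * TPM_RC bit layout (TPM 2.0 Library Spec, Part 2, "Response Code Details"):
 *   bits 16-23  TSS layer number; 0 means the code came from the TPM itself ("tpm:" in tss messages)
 *   bit 7       RC_FMT1: 1 = format-1 code, which also locates the offending handle/parameter/session
 *   format-1:   bit 6 (P) = 1: bits 8-11 hold a 1-based parameter number
 *               bit 6 (P) = 0: bits 8-10 hold a handle number, bit 11 = 1 marks it as a session
 *               bits 0-5 hold the error number
 *   format-0:   bits 0-6 hold the error number; bit 11 set places it in the warning group
 */
typedef struct {
    unsigned layer;     /* TSS layer (0 for a code produced by the TPM) */
    int format1;        /* RC_FMT1 set */
    int is_parameter;   /* format-1: number identifies a command parameter */
    int is_session;     /* format-1 handle kind: number identifies a session */
    unsigned number;    /* format-1: 1-based parameter/handle/session number */
    unsigned error;     /* error number within the format's range */
    int warning;        /* format-0: code is in the warning group */
    const char *name;   /* symbolic name from the spec, or "unknown" */
    const char *desc;   /* short description, or "unknown" */
} tpm_rc_fields;

/* Constructed subset of format-1 error numbers (TPM_RC_x minus RC_FMT1). */
static const struct { unsigned err; const char *name; const char *desc; } fmt1_table[] = {
    { 0x002, "TPM_RC_ATTRIBUTES", "inconsistent attributes" },
    { 0x003, "TPM_RC_HASH",       "hash algorithm not supported or not appropriate" },
    { 0x004, "TPM_RC_VALUE",      "value is out of range or is not correct for the context" },
    { 0x00B, "TPM_RC_HANDLE",     "the handle is not correct for the use" },
    { 0x00E, "TPM_RC_AUTH_FAIL",  "the authorization HMAC check failed and DA counter incremented" },
    { 0x012, "TPM_RC_SCHEME",     "unsupported or incompatible scheme" },
    { 0x015, "TPM_RC_SIZE",       "structure is the wrong size" },
    { 0x01B, "TPM_RC_SIGNATURE",  "the signature is not valid" },
    { 0x01C, "TPM_RC_KEY",        "key fields are not compatible with the selected use" },
    { 0x020, "TPM_RC_TICKET",     "invalid ticket" },
};

tpm_rc_fields tpm_rc_decode(uint32_t rc)
{
    tpm_rc_fields f;
    size_t i;
    memset(&f, 0, sizeof f);
    f.name = "unknown";
    f.desc = "unknown";
    f.layer = (rc >> 16) & 0xFF;
    if (rc & 0x080) {
        f.format1 = 1;
        f.error = rc & 0x03F;
        if (rc & 0x040) {
            f.is_parameter = 1;
            f.number = (rc >> 8) & 0xF;
        } else {
            f.is_session = (rc >> 11) & 1;
            f.number = (rc >> 8) & 0x7;
        }
        for (i = 0; i < sizeof fmt1_table / sizeof fmt1_table[0]; i++) {
            if (fmt1_table[i].err == f.error) {
                f.name = fmt1_table[i].name;
                f.desc = fmt1_table[i].desc;
                break;
            }
        }
    } else {
        f.error = rc & 0x07F;
        f.warning = (rc & 0x800) != 0;
    }
    return f;
}

/* Render the code in the "layer:location(n):description" style of tpm2-tss messages. */
const char *tpm_rc_format(uint32_t rc, char *buf, size_t buflen)
{
    tpm_rc_fields f = tpm_rc_decode(rc);
    if (f.layer != 0) {
        /* Non-TPM layers use their own numbering; only report the raw value. */
        snprintf(buf, buflen, "tss-layer(%u):raw(0x%04x)", f.layer, rc & 0xFFFF);
    } else if (f.format1) {
        const char *where = f.is_parameter ? "parameter" : (f.is_session ? "session" : "handle");
        snprintf(buf, buflen, "tpm:%s(%u):%s", where, f.number, f.desc);
    } else if (f.warning) {
        snprintf(buf, buflen, "tpm:warning(0x%02x)", f.error);
    } else {
        snprintf(buf, buflen, "tpm:error(0x%02x)", f.error);
    }
    return buf;
}

int main(void)
{
    char buf[128];
    /* The code reported in this issue: 722 == 0x2D2 */
    printf("722 -> %s\n", tpm_rc_format(722, buf, sizeof buf));
    printf("0x18B -> %s\n", tpm_rc_format(0x18B, buf, sizeof buf));
    return 0;
}
```

Running it on 722 yields parameter 2 with error number 0x12 (TPM_RC_SCHEME), so the TPM rejected the signing scheme the caller asked for in the second parameter of the sign command; comparing that with the scheme the key was created with (`-s rsassa` in step 2) is the first thing to check.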