tpm2-software / tpm2-openssl

OpenSSL Provider for TPM2 integration
BSD 3-Clause "New" or "Revised" License
88 stars 37 forks

Cannot export externally created private key and then import it again #101

Open Tyrrx opened 10 months ago

Tyrrx commented 10 months ago

Hi, I am trying to import the externally created private key of a certificate into the TPM, then export it as TSS2 and re-import it again, but this does not work.

What I did first was import the external key using tpm2-tools:

parent=0x81000000
idevid=0x81000001

tpm2_createprimary -c tpm/primary.ctx 
tpm2_evictcontrol -c tpm/primary.ctx $parent

tpm2_import -C tpm/primary.ctx -G ecc -i idevid/idevid.key.pem -u tpm/idevid.pub -r tpm/idevid.priv --passin pass:mypw
tpm2_load -C $parent -u tpm/idevid.pub -r tpm/idevid.priv -c tpm/idevid.ctx
tpm2_evictcontrol -c tpm/idevid.ctx -o tpm/idevid.hdl $idevid

I was able to use the private key to e.g. create an mTLS session using the URI object:tpm/idevid.hdl with the OSSL provider API.

Then I tried to export the private key via an encoder, which gave me a TSS2 private key file that looked fine at first glance. But when I tried to load the private key from the previously exported TSS2 file, I got the following error:

WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001d5) 

After that I tried not to persist the imported key by using:

tpm2_createprimary -c tpm/primary.ctx 

tpm2_import -C tpm/primary.ctx -G ecc -i idevid/idevid.key.pem -u tpm/idevid.pub -r tpm/idevid.priv --passin pass:mypw
tpm2_encodeobject -C tpm/primary.ctx  -u tpm/idevid.pub -r tpm/idevid.priv -o tpm/idevid.tss

And then use the TSS2 file created by tpm2-tools, but then I get the error:

WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 

Also running:

tpm2_loadexternal -r tpm/idevid.tss -c tpm/idevid.ctx
tpm2_evictcontrol -c tpm/idevid.ctx -o tpm/idevid.hdl $idevid

Gave me the error:

WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x00000282) 
ERROR: Esys_EvictControl(0x282) - tpm:handle(2):inconsistent attributes
ERROR: Unable to run tpm2_evictcontrol

So my question: what am I doing wrong here, or is this even possible?

Another thing that confuses me: when I created a new key using the TPM provider, everything just worked. I was able to export it as TSS2 and import it again without any issues.
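The three Esys failures quoted in the report (0x1d5, 0x1df and 0x282) are raw TPM 2.0 response codes; the last one tpm2-tools already decodes as "handle(2):inconsistent attributes", the first two are left undecoded. The following is an added example, not code from tpm2-openssl, tpm2-tools or the reporter: a small stand-alone decoder that follows the TPM_RC bit layout from the TPM 2.0 Library specification (Part 2, "TPM_RC (Response Codes)"). Format-1 codes (bit 7 set) carry the index of the offending handle, session or parameter in bits 8 to 11, which is the part worth reading when Esys_Load or Esys_EvictControl fails. The function names, the partial name tables and the log lines embedded below (copied from this page) are my own choices; the tables cover the common codes only and anything else is reported numerically.

```python
"""Decode TPM 2.0 response codes such as the ones in the Esys log lines above.

Added example, not part of tpm2-openssl. Bit layout per TPM 2.0 Library Part 2:
  format 1 (bit 7 set): bits 0-5 error number, bit 6 = parameter flag,
                        bits 8-11 = parameter index, or bits 8-10 = handle/session
                        index with bit 11 selecting session over handle.
  format 0 (bit 7 clear): bits 0-6 error number, bit 8 = TPM 2.0 code,
                        bit 10 = vendor code, bit 11 = warning.
The upper bytes of a TSS2_RC hold the tpm2-tss layer; only layer 0 (the TPM) is decoded.
"""
import re

# Format-1 names (RC_FMT1 + n). Partial table of the codes a key-loading flow can hit.
FMT1 = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x07: "TPM_RC_KEY_SIZE",
    0x08: "TPM_RC_MGF", 0x09: "TPM_RC_MODE", 0x0A: "TPM_RC_TYPE", 0x0B: "TPM_RC_HANDLE",
    0x0C: "TPM_RC_KDF", 0x0D: "TPM_RC_RANGE", 0x0E: "TPM_RC_AUTH_FAIL", 0x0F: "TPM_RC_NONCE",
    0x10: "TPM_RC_PP", 0x12: "TPM_RC_SCHEME", 0x15: "TPM_RC_SIZE", 0x16: "TPM_RC_SYMMETRIC",
    0x17: "TPM_RC_TAG", 0x18: "TPM_RC_SELECTOR", 0x1A: "TPM_RC_INSUFFICIENT",
    0x1B: "TPM_RC_SIGNATURE", 0x1C: "TPM_RC_KEY", 0x1D: "TPM_RC_POLICY_FAIL",
    0x1F: "TPM_RC_INTEGRITY", 0x20: "TPM_RC_TICKET", 0x21: "TPM_RC_RESERVED_BITS",
    0x22: "TPM_RC_BAD_AUTH", 0x23: "TPM_RC_EXPIRED", 0x24: "TPM_RC_POLICY_CC",
    0x25: "TPM_RC_BINDING", 0x26: "TPM_RC_CURVE", 0x27: "TPM_RC_ECC_POINT",
}
# Format-0 names (RC_VER1 + n), partial.
VER1 = {
    0x01: "TPM_RC_INITIALIZE", 0x02: "TPM_RC_FAILURE", 0x0B: "TPM_RC_PRIVATE",
    0x19: "TPM_RC_HMAC", 0x20: "TPM_RC_DISABLED", 0x24: "TPM_RC_AUTH_TYPE",
    0x25: "TPM_RC_AUTH_MISSING", 0x26: "TPM_RC_POLICY", 0x27: "TPM_RC_PCR",
    0x43: "TPM_RC_COMMAND_CODE", 0x44: "TPM_RC_AUTHSIZE", 0x52: "TPM_RC_PARENT",
    0x55: "TPM_RC_SENSITIVE",
}
# Warning names (RC_WARN + n), partial.
WARN = {
    0x01: "TPM_RC_CONTEXT_GAP", 0x02: "TPM_RC_OBJECT_MEMORY", 0x03: "TPM_RC_SESSION_MEMORY",
    0x04: "TPM_RC_MEMORY", 0x21: "TPM_RC_LOCKOUT", 0x22: "TPM_RC_RETRY",
    0x23: "TPM_RC_NV_UNAVAILABLE",
}
# Short descriptions taken from the specification's response-code table (subset).
DESCRIPTION = {
    "TPM_RC_ATTRIBUTES": "inconsistent attributes",
    "TPM_RC_SIZE": "structure is the wrong size",
    "TPM_RC_INTEGRITY": "integrity check failed",
    "TPM_RC_VALUE": "value is out of range or is not correct for the context",
    "TPM_RC_HANDLE": "the handle is not correct for the use",
    "TPM_RC_BAD_AUTH": "authorization failure without DA implications",
}


def decode_tpm_rc(rc: int) -> dict:
    """Return a dict describing a TSS2_RC/TPM_RC value (layer, name, location)."""
    layer = (rc >> 16) & 0xFF
    if layer != 0:
        # Not a TPM response; the error comes from a tpm2-tss layer (ESAPI, TCTI, ...).
        return {"layer": layer, "format": None, "name": None, "code": rc & 0xFFFF}
    code = rc & 0xFFFF
    if code & 0x80:  # format 1: error is tied to a specific handle/session/parameter
        err = code & 0x3F
        name = FMT1.get(err, f"RC_FMT1+0x{err:02X}")
        if code & 0x40:
            where, number = "parameter", (code >> 8) & 0xF
        elif code & 0x800:
            where, number = "session", (code >> 8) & 0x7
        else:
            where, number = "handle", (code >> 8) & 0x7
        return {"layer": 0, "format": 1, "name": name, "where": where,
                "number": number, "description": DESCRIPTION.get(name, "")}
    # format 0: global error or warning, no handle/parameter index
    err = code & 0x7F
    if code == 0:
        name = "TPM_RC_SUCCESS"
    elif code & 0x400:
        name = f"vendor-specific 0x{code:03X}"
    elif code & 0x800:
        name = WARN.get(err, f"RC_WARN+0x{err:02X}")
    elif code & 0x100:
        name = VER1.get(err, f"RC_VER1+0x{err:02X}")
    else:
        name = f"TPM 1.2 compatible code 0x{code:03X}"
    return {"layer": 0, "format": 0, "name": name, "where": None, "number": None,
            "description": DESCRIPTION.get(name, "")}


_ESYS_RE = re.compile(r"ErrorCode \((0x[0-9A-Fa-f]+)\)")


def decode_esys_line(line: str) -> dict:
    """Pull the ErrorCode out of a tss2-esys log line and decode it."""
    m = _ESYS_RE.search(line)
    if not m:
        raise ValueError("no ErrorCode in line")
    return decode_tpm_rc(int(m.group(1), 16))


# The three ERROR lines as they appear in the report above.
ESYS_LINES = [
    "ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001d5)",
    "ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df)",
    "ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x00000282)",
]

if __name__ == "__main__":
    for line in ESYS_LINES:
        d = decode_esys_line(line)
        print(f"{line.rsplit('(', 1)[1].rstrip(')')}: {d['name']} on {d['where']} {d['number']} "
              f"({d['description']})")
```

Running it prints TPM_RC_SIZE on parameter 1 for 0x1d5, TPM_RC_INTEGRITY on parameter 1 for 0x1df and TPM_RC_ATTRIBUTES on handle 2 for 0x282; the last matches the "handle(2):inconsistent attributes" text tpm2-tools printed. For Esys_Load the first parameter is inPrivate, so both Load failures point at the private blob being handed in, not at the parent handle. tpm2-tools ships tpm2_rc_decode for the same purpose; this block only makes the bit layout visible.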

gotthardp commented 10 months ago

Hello. Please provide enough information so I can reproduce this issue.

Tyrrx commented 10 months ago

@gotthardp I'm typing... :D I accidentally posted too early.

Tyrrx commented 10 months ago

@gotthardp Now I added the description. Sorry for that.

Danigaralfo commented 1 month ago

Hello. @Tyrrx did you find any solution? Having the same issue with an Apache server here.