Closed gotthardp closed 2 years ago
The TPM vendor has internal certificates stored at 0x1c0000a and 0x1c00002:
```
0x1c00002:
  name: 000bec00c657a4e2724101954c2c9d51ddd45c825c3997ec0786c3afeb0f7fca3ec7
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1177

0x1c0000a:
  name: 000b2571404112c8aae1cde797c438d921093fc89b74d44564c25c296aaa26a6f041
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 781
```
I cannot retrieve them using openssl x509:
```
$ openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
Could not read certificate from handle:0x1c0000a
405C04A14E7F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
Unable to load certificate

$ openssl x509 -provider tpm2 -provider default -in handle:0x1c00002
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
Could not read certificate from handle:0x1c00002
40DC7060527F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
Unable to load certificate
```
This does work; however:
```
$ tpm2_nvread -C p -s 781 0x1c0000a |openssl x509 -in /dev/stdin -inform der -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 756297432 (0x2d142ed8)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 029
        Validity
            Not Before: Sep 29 02:49:58 2021 GMT
            Not After : Sep 29 02:49:58 2036 GMT
...
```
Addressed by 3faa76dcd90c535f7ee283aff43538d9e4eb64a5 and 706e666eb0b17d16c2eb8a9217cdfcd03580a123.
It is confirmed now that the commits do fix this issue.