tpm2-software / tpm2-openssl

OpenSSL Provider for TPM2 integration
BSD 3-Clause "New" or "Revised" License

Cannot load certificate stored in NVM #35

Closed gotthardp closed 2 years ago

gotthardp commented 2 years ago

The TPM vendor has internal certificates stored at 0x1c0000a and 0x1c00002:

0x1c00002:
  name: 000bec00c657a4e2724101954c2c9d51ddd45c825c3997ec0786c3afeb0f7fca3ec7
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1177

0x1c0000a:
  name: 000b2571404112c8aae1cde797c438d921093fc89b74d44564c25c296aaa26a6f041
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 781

I cannot retrieve them using openssl x509:

$ openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
Could not read certificate from handle:0x1c0000a
405C04A14E7F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
Unable to load certificate

$ openssl x509 -provider tpm2 -provider default -in handle:0x1c00002
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x00000095)
Could not read certificate from handle:0x1c00002
40DC7060527F0000:error:4000000C:tpm2::cannot load key::-1:149 tpm:handle(unk):structure is the wrong size
Unable to load certificate

This does work, however:

$ tpm2_nvread -C p -s 781 0x1c0000a |openssl x509 -in /dev/stdin -inform der -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 756297432 (0x2d142ed8)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 029
Validity
Not Before: Sep 29 02:49:58 2021 GMT
Not After : Sep 29 02:49:58 2036 GMT
...
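As an added example (not part of the report or of the tpm2-openssl code), a small POSIX shell wrapper around the tpm2-tools workaround shown above: it takes the NV size from tpm2_nvreadpublic instead of hard-coding 781 or 1177, then hands the DER blob to openssl x509. The function names are my own; it assumes tpm2-tools and openssl on PATH and an index readable with the platform hierarchy (-C p), as in the report.

```shell
#!/bin/sh
# Added example, not tpm2-openssl code: read a certificate held in a TPM NV
# index with tpm2-tools and parse it with openssl, sizing the read from
# tpm2_nvreadpublic so the request matches the index exactly.

# nv_size_from_public HANDLE
#   Reads tpm2_nvreadpublic output on stdin and prints the "size:" field of
#   the block for HANDLE (hex, case-insensitive). Prints nothing if absent.
nv_size_from_public() {
    want=$1
    awk -v want="$want" '
        # A line whose first token is "0x...:" opens a new index block.
        $1 ~ /^0x[0-9a-fA-F]+:$/ { cur = substr($1, 1, length($1) - 1) }
        # Within the wanted block, report the size and stop.
        $1 == "size:" && tolower(cur) == tolower(want) { print $2; exit }
    '
}

# nv_cert_text HANDLE
#   Dumps the certificate stored at HANDLE as text (the workaround from the
#   report). Uses the platform hierarchy because the index carries ppread.
nv_cert_text() {
    handle=$1
    size=$(tpm2_nvreadpublic "$handle" | nv_size_from_public "$handle")
    if [ -z "$size" ]; then
        echo "nv_cert_text: no NV index $handle (or tpm2_nvreadpublic failed)" >&2
        return 1
    fi
    # Read exactly "size" bytes and let openssl reject anything that is not
    # a well-formed DER certificate of that length.
    tpm2_nvread -C p -s "$size" "$handle" \
        | openssl x509 -inform der -noout -text
}
```

Call `nv_cert_text 0x1c0000a` on a host with the TPM available; `nv_size_from_public` alone can be exercised offline on captured tpm2_nvreadpublic output.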
gotthardp commented 2 years ago

Addressed by 3faa76dcd90c535f7ee283aff43538d9e4eb64a5 and 706e666eb0b17d16c2eb8a9217cdfcd03580a123.

gotthardp commented 2 years ago

It is confirmed now that the commits do fix this issue.