search

tpm2-software / tpm2-openssl

OpenSSL Provider for TPM2 integration
BSD 3-Clause "New" or "Revised" License
88 stars 37 forks source link

sbsign doesn't work with old key and openssl3 provider #79

Open alxchk opened 1 year ago

alxchk commented 1 year ago

Old - openssl 1.1.1 + tpm2tss engine

# /usr/bin/sbsign --key /etc/secureboot/tpm/secureboot.key --cert /etc/secureboot/tpm/secureboot.crt --output test vmlinuz-6.3.2 
Can't load key from file '/etc/secureboot/tpm/secureboot.key'

New - openssl 3.0.9 + tpm2 provider, enabled in openssl.cnf

# /usr/bin/sbsign --key /etc/secureboot/tpm/secureboot.key --cert /etc/secureboot/tpm/secureboot.crt --output test vmlinuz-6.3.2 
error in key/certificate chain
40C77854147F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../openssl-3.0.9/crypto/x509/x_pubkey.c:458:
40C77854147F0000:error:0580006C:x509 certificate routines:X509_check_private_key:unable to get certs public key:../openssl-3.0.9/crypto/x509/x509_cmp.c:399:
40C77854147F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.9/crypto/pkcs7/pk7_smime.c:125:
gotthardp commented 1 year ago

Well, the sbsign may be missing some OpenSSL 3.x support. This is not necessarily our fault.

mittwerk commented 8 months ago

Yeah, I have the same issue and wrote it here