Open kaushendra opened 4 years ago
But there's definitely some other issue here with the error `failed: Signature did not match the certificate request`. You can look at tests/integration/tls-tests.sh for examples of how to do CSR generation.
Hi @williamcroberts
I have tried with prime256v1 also, please see the thread.
I'm getting the same error: `failed: Signature did not match the certificate request`
If you could help me with some reference to an ECC implementation on specific OpenSSL, PKCS#11 and OpenSC versions, it would be a great help.
Thanks, kaushendra
That just seems like a mismatch between the public key and private key used to sign. We have scripts that do this in full as I pointed out, and we have all of our docker containers publicly available for use, that test multiple versions. If you can share your script in full so I can run it, I can probably find the error; otherwise, I am debugging your code blind, which is hard.
Hi @williamcroberts
The steps I followed are provided in the mentioned link; please refer to key and certificate generation using PKCS#11 on TPM 2.0.
In the above link I have been asked to use only the checkout version below:
```
cd tpm2-pkcs11/
git checkout a82d0709c97c88cc2e457ba111b6f51f21c22260
```
Then I'm following the section in the provided link to generate "Device.csr"; this could generate both RSA-2048 and ECDSA-SECP256R1 type keys:
Using the PKCS11 Provider for AWS IoT Greengrass hardware security
```
Type: Private key (EC/ECDSA-SECP256R1)
Label: greenkey
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 33:64:33:31:31:31:38:33:66:61:30:64:65:38:66:65
```
After that I followed root CA certificate generation and signing with OpenSSL:
```
openssl ecparam -name prime256v1 -genkey -noout -out rootCA.key
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```
Now, during signing of the device certificate (Device.csr) with rootCA.pem (signing the TPM-generated device certificate with the registered root CA):
```
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256
```
I'm getting a signature failure:
```
failed:Signature did not match the certificate request
```
With RSA-2048 I'm able to do the same process successfully, but it fails with ECDSA.
If you could help me with this issue it would be appreciated.
Thanks, kaushendra
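A consistency check for the key mismatch William describes, written as an added example and not part of this thread or of tpm2-pkcs11: it verifies the CSR's self-signature and compares the public key embedded in the CSR with the public key derived from a given private key. All keys, file names and the subject are constructed for the demo; with a TPM-resident key the second check would instead compare the CSR's public key against the public key exported from the token.

```shell
#!/bin/sh
# Checks a PKCS#10 CSR before handing it to a CA: (1) its self-signature
# verifies, (2) the public key inside it equals the public key derived from the
# private key that supposedly produced it. A CA step failing with "Signature
# did not match the certificate request" fails (1); (2) shows whether a wrong
# key pair is the cause. All key material here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the DER-encoded SubjectPublicKeyInfo carried inside a CSR.
csr_pubkey_sha256() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}
# SHA-256 of the DER-encoded SubjectPublicKeyInfo derived from a private key.
key_pubkey_sha256() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}
# 0 = verifies and matches, 1 = bad self-signature, 2 = wrong key. The
# "verify OK" text is matched because OpenSSL 1.1.1 exits 0 even on failure.
check_csr_against_key() {
    if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "CSR self-signature does not verify: $1" >&2
        return 1
    fi
    if [ "$(csr_pubkey_sha256 "$1")" != "$(key_pubkey_sha256 "$2")" ]; then
        echo "public key in $1 does not match private key $2" >&2
        return 2
    fi
    return 0
}
# Constructed fixtures: two P-256 (prime256v1) keys, CSR made with the first.
make_fixtures() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"
    openssl req -new -sha256 -key "$WORK/device.key" -subj "/CN=demo-device" \
        -out "$WORK/device.csr"
}

if command -v openssl >/dev/null 2>&1; then
    make_fixtures
    check_csr_against_key "$WORK/device.csr" "$WORK/device.key" && echo "device.csr: OK"
    check_csr_against_key "$WORK/device.csr" "$WORK/other.key" || echo "other.key rejected as expected"
fi
```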
Yeah, but that write-up is super old and IIRC before I had proper EC support. Try off of 1.3.2 and if it still doesn't work, then master. If it still doesn't work, then post a script that I can run as a test case.
Hi, you can find a bit more recent version of the write-up here: https://github.com/Infineon/amazon-greengrass-hsi-optiga-tpm
Peter
@kaushendra did you ever get this working?
Hi,
I'm getting an issue while using EC/ECDSA certificate generation with TPM-PKCS11 and signing with OpenSSL:
- TPM-generated key
- Root CA generated by OpenSSL for verifying the TPM-generated device certificate

Getting a signature check failure:
```
failed:Signature did not match the certificate request
```
I have checked: “secp256k1” is supported in openssl but not “secp256r1”. The latter is standardized and required by tpm2-pkcs11, as it supports RSA 2048-bit keys and ECDSA P-256 keys. Is it not supported in OpenSSL 1.1.1b? Why “secp256k1” instead of “secp256r1”?
Help will be appreciated.
Regards, kaushendra sah