tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io

ECDSA-SECP256R1 signature failure with openssl #579

Open kaushendra opened 4 years ago

kaushendra commented 4 years ago

Hi,

I'm getting an issue while using EC/ECDSA certificate generation with TPM-PKCS11 and signing with openssl.

TPM generated key

    Type: Private key (EC/ECDSA-SECP256R1)
    Label: greenkey
    Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 33:64:33:31:31:31:38:33:66:61:30:64:65:38:66:65

RootCA generated by openssl for verifying the TPM-generated Device Certificate

    openssl ecparam -name secp256k1 -genkey -noout -out rootCA.key

Getting signature check failure

    openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256

    failed:Signature did not match the certificate request

I have checked with

    openssl ecparam -list_curves
    …
    secp192k1 : SECG curve over a 192 bit prime field
    secp224k1 : SECG curve over a 224 bit prime field
    secp224r1 : NIST/SECG curve over a 224 bit prime field
    secp256k1 : SECG curve over a 256 bit prime field
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    …

“secp256k1” is supported in openssl but not “secp256r1”. The latter is standardized and required by tpm2-pkcs11, as it supports RSA 2048-bit keys and ECDSA P-256 keys. Is it not supported in OpenSSL 1.1.1b? Why “secp256k1” instead of “secp256r1”?

Help will be appreciated.

Regards, kaushendra sah

williamcroberts commented 4 years ago

Per https://stackoverflow.com/questions/41950056/openssl1-1-0-b-is-not-support-secp256r1openssl-ecparam-list-curves, it is prime256v1.

williamcroberts commented 4 years ago

But there's definitely some other issue here with the error `failed:Signature did not match the certificate request`. You can look at `tests/integration/tls-tests.sh` for examples on how to do CSR generation.

kaushendra commented 4 years ago

Hi @williamcroberts

I have tried with prime256v1 also, please see the thread; I'm getting the same `failed:Signature did not match the certificate request`.

If you could help me with some reference with ECC implementation on specific openssl, pkcs11, opensc versions, it will be a great help.

Thanks, kaushendra

williamcroberts commented 4 years ago

That just seems like a mismatch between the public key and private key used to sign. We have scripts that do this in full as I pointed out, and we have all of our docker containers publicly available for use, that test multiple versions. If you can share your script in full so I can run it, I can probably find the error; otherwise, I am debugging your code blind, which is hard.

kaushendra commented 4 years ago

Hi @williamcroberts

The steps I followed are provided in the mentioned link, please refer to: key and certificate generation using PKCS on TPM2.0

In the above link I have been asked to use the below checkout version only:

    cd tpm2-pkcs11/
    git checkout a82d0709c97c88cc2e457ba111b6f51f21c22260

Then I'm following the section in the provided link to generate "Device.csr"; this could generate both RSA-2048 and ECDSA-SECP256R1 type keys: Using the PKCS11 Provider for AWS IoT Greengrass hardware security

    Type: Private key (EC/ECDSA-SECP256R1)
    Label: greenkey
    Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 33:64:33:31:31:31:38:33:66:61:30:64:65:38:66:65

After that I followed RootCA certificate generation and signing with openssl: ROOTCA

    openssl ecparam -name prime256v1 -genkey -noout -out rootCA.key
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Now, while signing the device certificate (Device.csr) with rootCA.pem (sign the TPM-generated device certificate with the registered RootCA):

    openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256

I'm getting a signature failure:

    failed:Signature did not match the certificate request

With RSA-2048 I'm able to do the same process successfully, but it fails with ECDSA.

If you could help me with this issue, it would be appreciated.

Thanks, kaushendra

williamcroberts commented 4 years ago

Yeah, but that write-up is super old and IIRC before I had proper EC support. Try off of 1.3.2 and if it still doesn't work, then master. If it still doesn't work, then post a script that I can run as a test case.

PeterHuewe commented 4 years ago

Hi, you can find a bit more recent version of the write-up here: https://github.com/Infineon/amazon-greengrass-hsi-optiga-tpm

Peter

williamcroberts commented 4 years ago

@kaushendra did you ever get this working?
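
Added example, not part of the original thread or of tpm2-pkcs11: `openssl x509 -req` checks the CSR's self-signature against the public key embedded in the CSR before the CA key is used, so the error discussed above can be triaged from the CSR alone. Software-generated keys stand in for the TPM key here; the function names, file names and the tampered CSR are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (constructed): triage for
# "failed:Signature did not match the certificate request".
# Software keys stand in for the TPM-held key; every file name here is made up.

# 0 if the CSR's self-signature verifies against the public key inside the CSR.
# Greps the output because OpenSSL 1.1.1 exits 0 even on "verify failure".
csr_selfsig_ok() {  # $1 = CSR file, $2 = PEM (default) or DER
    openssl req -in "$1" -inform "${2:-PEM}" -noout -verify 2>&1 | grep -q "verify OK"
}

# 0 if the CSR carries the same public key as the PEM public key file in $2
# (for a token key: the public key exported from the token).
csr_pubkey_matches() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    ref_pub=$(openssl pkey -pubin -in "$2" 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$ref_pub" ]
}

# Named curve of the CSR key; OpenSSL prints secp256r1 as prime256v1.
csr_curve() {
    openssl req -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# Constructed fixture in directory $1: a good CSR, an unrelated key, and a
# copy of the CSR whose signature no longer matches.
make_fixture() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/dev.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key"
    openssl pkey -in "$1/dev.key" -pubout -out "$1/dev.pub"
    openssl pkey -in "$1/other.key" -pubout -out "$1/other.pub"
    openssl req -new -key "$1/dev.key" -subj "/CN=greenkey-demo" -sha256 -out "$1/good.csr"
    openssl req -in "$1/good.csr" -outform DER -out "$1/good.der"
    # Flip the low bit of the last DER byte, which lies inside the ECDSA signature.
    n=$(wc -c < "$1/good.der")
    last=$(tail -c 1 "$1/good.der" | od -An -tu1 | tr -d ' \n')
    { head -c $((n - 1)) "$1/good.der"; printf "\\$(printf '%03o' $((last ^ 1)))"; } > "$1/bad.der"
}

demo_dir=$(mktemp -d) && make_fixture "$demo_dir"
csr_selfsig_ok "$demo_dir/good.csr" && echo "good.csr: self-signature OK ($(csr_curve "$demo_dir/good.csr"))"
csr_selfsig_ok "$demo_dir/bad.der" DER || echo "bad.der: self-signature does not verify"
csr_pubkey_matches "$demo_dir/good.csr" "$demo_dir/other.pub" || echo "good.csr: key differs from other.pub"
rm -rf "$demo_dir"
```

If the self-signature check fails on a CSR produced through a PKCS#11 engine, the CA key and its curve are not the cause; the signature inside the CSR and the public key it carries are the things to compare.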