I am a relative newbie to these technologies and I am a bit lost about what to do with the error message I currently face.
To put things right, I have an embedded system running Linux 5.10 on which I try to communicate with the TPM2.0 chip (Infineon SLM9670). I have at my disposal all the tpm2 high-level libraries, and they are working quite well (tpm2-tss, tpm2-abrmd, tpm2-tools, tpm2-openssl, tpm2-pkcs11).
The thing is, I now try to use OpenSSL 3.2.2 to sign a file with the RSA key I generated in slot 1 of my PKCS11 implementation on the TPM2.0.
Here is the slot on which I generated my key:
# pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so -L
Available slots:
Slot 0 (0x1): test token
token label : test token
token manufacturer : Infineon
token model : SLM9670
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.38
firmware version : 13.11
serial num : 0000000000000000
pin min/max : 0/128
Slot 1 (0x2):
token state: uninitialized
And the key itself:
# pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so --slot=1 --login --pin=testuserpin --list-objects
Public Key Object; RSA 2048 bits
label: rsakey
Usage: encrypt, verify
Access: local
Private Key Object; RSA
label: rsakey
Usage: decrypt, sign
Access: sensitive, always sensitive, never extractable, local
Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA1-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
Now, I am trying to sign a certificate using OpenSSL and the private key from the PKCS11 implementation on the TPM using the following command:
When I enter the command, it says that openssl cannot find any private key to use:
Could not open file or uri for loading private key from pkcs11:token=test token;slot-id=1;type=private;object=rsakey;pin-value=testuserpin
0023F1B6:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:263:calling stat(pkcs11:token=test token;slot-id=1;type=private;object=rsakey;pin-value=testuserpin)
0023F1B6:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:360:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
pkeyutl: Error initializing context
(this is copypasta from a stackoverflow subject I opened a few days ago: https://stackoverflow.com/questions/78710686/how-to-sign-a-file-with-tpm2-pkcs11-and-openssl)
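The error output above echoes the full pkcs11: URI, PIN included, so it is worth checking such a URI before it goes on a command line. What follows is an added checker (not from the original post, nor from tpm2-pkcs11 or OpenSSL) that parses a PKCS#11 URI per RFC 7512 and lists what a reviewer would flag; it is run on the URI from the error message, and the `pin-source` path in the second sample is an assumption.

```python
"""Parse and lint a PKCS#11 URI (RFC 7512). Added example; sample URIs are constructed."""
from urllib.parse import unquote

# RFC 7512 section 2.3: standard attribute names allowed in the path part ...
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
# ... and in the query part (after '?'). pin-value/pin-source live here, not in the path.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) as dicts with percent-decoded values."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")

    def split(part, sep):
        out = {}
        for item in filter(None, part.split(sep)):   # path uses ';', query uses '&'
            key, _, value = item.partition("=")
            out[key] = unquote(value)
        return out

    return split(path, ";"), split(query, "&")


def lint_pkcs11_uri(uri):
    """Return human-readable findings for a URI; an empty list means nothing to flag."""
    findings = []
    path, query = parse_pkcs11_uri(uri)
    for key in path:
        if key in QUERY_ATTRS:
            findings.append(f"'{key}' is a query attribute in RFC 7512: put it after '?', not ';'")
        elif key not in PATH_ATTRS:
            findings.append(f"'{key}' is not a standard RFC 7512 path attribute (vendor-specific?)")
    for key in query:
        if key not in QUERY_ATTRS:
            findings.append(f"'{key}' is not a standard RFC 7512 query attribute")
    if "pin-value" in path or "pin-value" in query:
        findings.append("pin-value embeds the PIN in the URI, so it ends up in shell history and in "
                        "error output; prefer pin-source or an interactive passphrase prompt")
    raw_path = uri.partition(":")[2].partition("?")[0]
    if " " in raw_path:   # RFC 7512 requires percent-encoding, e.g. token=test%20token
        findings.append("unencoded space in the path part; percent-encode it (e.g. test%20token)")
    return findings
```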