tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License
147 stars, 97 forks

ECDSA Crypto operation with OpenSSL and TPM2-TSS #178

Closed Darsh-Dev closed 4 years ago

Darsh-Dev commented 4 years ago

Hi,

I would like to perform elliptic curve [ECDSA] crypto operations with OpenSSL and TPM2-TSS as mentioned in the README.

RSA operations (RSA decrypt and RSA sign) are working fine.

Issue 1: ECDSA operations

Step 1: tpm2tss-genkey -a ecdsa mykey
Step 2: echo "12345678" > mydata
Step 3: openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig

Error:

engine "tpm2tss" set.
Public Key operation error
3069190160:error:8007806B:tpm2-tss-engine:ecdsa_sign:Unknown padding scheme requested:src/tpm2-tss-engine-ecc.c:208:
3069190160:error:8007406F:tpm2-tss-engine:esys_auxctx_free:Some unknown error occured:src/tpm2-tss-engine-common.c:110:

Issue 2: ECDH secret digest generation with OpenSSL and TPM2-TSS (reference)

Step 1: tpm2tss-genkey -a ecdsa alice_key
Step 2: tpm2tss-genkey -a ecdsa bob_key
Step 3: openssl ec -engine tpm2tss -inform engine -in alice_key -pubout -outform pem -out alice_key.pub
Step 4: openssl ec -engine tpm2tss -inform engine -in bob_key -pubout -outform pem -out bob_key.pub
Step 5: openssl pkeyutl -engine tpm2tss -keyform engine -derive -inkey alice_key -peerkey bob_key.pub -out mykey_secret.bin

Error:

root@stm32mp1-av96:~/demo# openssl pkeyutl -engine tpm2tss -keyform engine -derive -inkey alice_key -peerkey bob_key.pub -out mykey_secret.bin
engine "tpm2tss" set.
Key derivation failed
3069440016:error:1010109A:elliptic curve routines:ecdh_simple_compute_key:no private value:../openssl-1.1.1b/crypto/ec/ecdh_ossl.c:61:

Are the above errors specific to pkeyutl, or to some other dependency?

Packages Version
openssl OpenSSL 1.1.1b
tpm2-abrmd 2.1.1-r0
tpm2-pkcs11 0.9.9-r0
tpm2-tools 3.1.3-r0
tpm2-tss 2.2.1-r0
tpm2-tss-engine 0.9.9-r0

I tried to upgrade tpm2-tss-engine to the latest version (tpm2-tss-engine 1.1.0-r0), but it may lead to version upgrade errors in other dependencies.

Any help will be appreciated.

AndreasFuchsTPM commented 4 years ago

Issue 1: you must provide a valid hash-length input, i.e. you need to provide 20 or 32 bytes as input. Then it should work. Or you let OpenSSL perform a hashing operation first.

Issue 2: The engine currently does not support ECDH. I don't know if the TPM's ECDH scheme and OpenSSL's ECDH scheme are compatible to begin with. That would need to be investigated.

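The fix for Issue 1, as an added shell example that is not part of this thread or of the tpm2-tss-engine project: pkeyutl -sign passes its input to the engine unhashed, so the 9-byte "12345678\n" file triggers the "Unknown padding scheme" error; the script below either pre-hashes the data and checks the digest is one of the lengths the reply above says the engine accepts (20 or 32 bytes) before calling pkeyutl, or lets openssl dgst hash and sign in one step with the engine-loaded key. It assumes the key and data file names from the question (mykey, mydata, mysig) and only touches the TPM when invoked with arguments; the hashing and length-check helpers run without one.

```sh
#!/bin/sh
# Added example (not from the tpm2-tss-engine project or this thread): sign with a
# TPM2 ECDSA key via pkeyutl by handing the engine a pre-computed digest, because
# pkeyutl -sign passes its input through unhashed and the engine's ecdsa_sign only
# accepts a 20-byte (SHA-1) or 32-byte (SHA-256) value, per the reply above.
set -eu

# Hex SHA-256 of stdin; uses whichever digest tool is installed.
sha256_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 | sed 's/^.*= //'
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 if a digest of this many bytes is one the engine maps to a TPM
# hash algorithm (20 = SHA-1, 32 = SHA-256), 1 otherwise.
digest_len_ok() {
    case "$1" in
        20|32) return 0 ;;
        *)     return 1 ;;
    esac
}

# Route A: hash first, then pkeyutl -sign on the digest. Refuses to call the
# engine with an input it would reject (e.g. the 9-byte "12345678\n" file).
tpm_ecdsa_sign_prehashed() {
    key=$1; in=$2; out=$3
    openssl dgst -sha256 -binary "$in" > "$in.sha256"
    len=$(file_size "$in.sha256")
    if ! digest_len_ok "$len"; then
        echo "digest is $len bytes; engine expects 20 or 32" >&2
        return 1
    fi
    openssl pkeyutl -engine tpm2tss -keyform engine -inkey "$key" \
        -sign -in "$in.sha256" -out "$out"
}

# Route B: let OpenSSL hash and sign in one step (generic openssl dgst -sign
# with an engine-loaded key; the engine still receives the 32-byte digest).
tpm_ecdsa_sign_dgst() {
    key=$1; in=$2; out=$3
    openssl dgst -engine tpm2tss -keyform engine -sha256 -sign "$key" -out "$out" "$in"
}

# Verify with the exported public key, as in the question's -pubout step.
# Both routes produce a DER ECDSA signature over SHA-256(data).
tpm_ecdsa_verify() {
    key=$1; in=$2; sig=$3
    openssl ec -engine tpm2tss -inform engine -in "$key" -pubout -out "$key.pub"
    openssl dgst -sha256 -verify "$key.pub" -signature "$sig" "$in"
}

# Usage: sh sign.sh mykey mydata mysig   (the TPM is used only when arguments are given)
if [ $# -ge 3 ]; then
    tpm_ecdsa_sign_prehashed "$1" "$2" "$3"
    tpm_ecdsa_verify "$1" "$2" "$3"
fi
```

With route A the digest length selects the TPM hash algorithm, so SHA-384 or SHA-512 digests (48 or 64 bytes) are not accepted by the engine version in this thread; if you need those, check your engine release rather than relying on the length check here.
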
Darsh-Dev commented 4 years ago

Thanks @AndreasFuchsSIT,

Issue 1 is resolved. Regarding Issue 2, does tpm2-tools support ECDH? If yes, please share the commands.

AndreasFuchsTPM commented 4 years ago

I think they are in the making here: https://github.com/tpm2-software/tpm2-tools/pull/2019. If you're programming in C or Python you can use Esys_ECDH_KeyGen/ZGen() directly.