Problem signing certs with imported key

[hardillb]

I'm trying to add a LetsTrust TPM to a Raspberry Pi Zero I'm using as an offline Certificate Authority.

I've built and installed tpm2_tools, tpm2tss and engine-tpm2-tss from src (git head).

I've used the following to import an existing RSA key.

$ tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
$ tpm2_import -C parent.ctx -G rsa -i ca.key -u ca-pub.tpm -r ca.tpm
$ tpm2tss-genkey --public ca-pub.tpm --private ca.tpm ca-tss.key

And then try and use the ca.tss to sign a provided csr with the following:

$ openssl ca -conf openssl.conf -engine tpm2tss -key ca-tss.key -keyform engine -in csr/tpm.hardill.me.uk.csr -out certs/tpm.hardill.me.uk.crt

But I get the following error:

WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 
3069628432:error:8007206D:tpm2-tss-engine:init_tpm_key:Unknown TPM error occured. Please check tpm2tss logs:src/tpm2-tss-engine-common.c:570:
3069628432:error:8008C06D:tpm2-tss-engine:rsa_priv_enc:Unknown TPM error occured. Please check tpm2tss logs:src/tpm2-tss-engine-rsa.c:160:
3069628432:error:8007406F:tpm2-tss-engine:esys_ctx_free:Some unknown error occured:src/tpm2-tss-engine-common.c:106:
3069628432:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224:

I rebuilt with debug enabled and I've attached the log output ( TSS2_LOG=all+ERROR,marshal+TRACE,tcti+DEBUG) sign.log All keys disposable so no problem leaking anything secret

Have I misunderstood how imported keys should be used or am I missing something?

Thanks.

[hardillb]

Anybody able to have a look at this?

[AndreasFuchsTPM]

The genkey import only works with

• The default parent primary key of the engine, which is an ECC key following this template.
• If the parent key is persistent and passed in via --parent. See here https://github.com/tpm2-software/tpm2-tss-engine/blob/22a6ae81ea7162e91ca5623e227ff7fbfa66049c/test/rsasign_importtpmparent.sh#L18 https://github.com/tpm2-software/tpm2-tss-engine/blob/22a6ae81ea7162e91ca5623e227ff7fbfa66049c/test/rsasign_importtpmparent.sh#L29

[sirogeek]

I have a similar case, but not the same. I have a pair - private key/x509 certificate generated by openssl. Is there a chance to import the private key to TPM and use the pair? I tried the following commands: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout openssl.key -out openssl.crt tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx tpm2_import -C parent.ctx -G rsa -i openssl.key -u key.pub -r key.priv tpm2tss-genkey -u key.pub -r key.priv exported-encrypted.tss And when I use the key and the cetrificate I get the following errors: ERROR:esys:../tpm2-tss-3.0.3/src/tss2-esys/esys_tr.c:231:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x0000018b) ERROR:esys:../tpm2-tss-3.0.3/src/tss2-esys/esys_tr.c:321:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b) Is this possible? What I am missing?

[hardillb]

@AndreasFuchsSIT Thank you for the pointer. I've got it to work now. My import script now looks like this:

#!/bin/bash

if [ ! -f primary_owner_key]l then 
    tpm2_createprimary --hierarchy=o --hash-algorithm=sha256 --key-algorithm=rsa --key-context=primiary_owner_key.ctx
fi

HANDLE=$(tpm2_evictcontrol --hierarchy=o --object-context=primiary_owner_key.ctx | cut -d ' ' -f 2 | head -n 1)

tpm2_import -C primiary_owner_key.ctx -G rsa -i ca-nopass.key -u ca-pub.tpm -r ca.tpm
tpm2tss-genkey --public ca-pub.tpm --private ca.tpm --parent $HANDLE  ca-tss.key