tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

Automatic detection of keyform (PEM / TSS2) #264

Closed xlandrexl closed 1 year ago

xlandrexl commented 1 year ago

Hello,

Is there any configuration possible to set the default keyform, or to automatically detect it?

The current situation is the following. With a normal private key file, the following command works through the TPM.

openssl dgst -sha256 -sign private_key.pem -out data.sig data

However, if I use a tpm blob generated by tpm2tss-genkey, it doesn't work correctly (wrong key form, expecting private key).

openssl dgst -sha256 -sign tpmkey -out data.sig data

To make it work, I have to specify the keyform (engine), e.g.

openssl dgst -engine tpm2tss -keyform engine -sha256 -sign tpmkey -out data.sig data

My openssl.cnf configuration file has the following contents in the engine part.

[tpm2tss_section]
engine_id = tpm2tss
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libtpm2tss.so
default_algorithms = ALL
init = 1

This leads to integration issues with other applications when using tpm blobs. Does anyone have a good solution for this? Or would that be an interesting patch?

Thanks in advance.

xlandrexl commented 1 year ago

I see that the issue is that the engine does not automatically detect the type of key: a usual PEM key, or a blob generated by tpm2tss-genkey.

AndreasFuchsTPM commented 1 year ago

The problem is that openssl does not autoload the engine if it detects a tpm key.

In your code, you can have a look at the first line. If it is a tpm2-tss-engine key it will read

-----BEGIN TSS2 PRIVATE KEY-----

If it is a regular key, it will read

-----BEGIN PRIVATE KEY-----

Hope this helps
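The check described in the reply above, written out as a small POSIX shell wrapper. This is an added example, not code from tpm2-tss-engine or from either commenter: it reads the first line of the key file and picks `-keyform engine` (plus `-engine tpm2tss`) only when the label is `TSS2 PRIVATE KEY`. The two labels named in the thread are the only ones the comment vouches for; the additional RSA/EC/ENCRYPTED labels, the DER fallback for files with no PEM header, and the script name `tpm_sign.sh` are assumptions added here.

```shell
#!/bin/sh
# Added example (not part of tpm2-tss-engine): choose the openssl -keyform
# from the PEM label so callers do not have to know whether a key is a
# tpm2tss-genkey blob or a regular private key.

# keyform_for <keyfile>
# Prints "engine" for a tpm2tss-genkey blob, "PEM" for a regular PEM private
# key and "DER" for a file with no PEM header. Returns 1 if unreadable.
keyform_for() {
    [ -r "$1" ] || return 1
    # Only the first line matters; strip a CR in case the file is CRLF.
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN TSS2 PRIVATE KEY-----")
            echo engine ;;                 # label from the thread
        "-----BEGIN PRIVATE KEY-----"|\
        "-----BEGIN ENCRYPTED PRIVATE KEY-----"|\
        "-----BEGIN RSA PRIVATE KEY-----"|\
        "-----BEGIN EC PRIVATE KEY-----")
            echo PEM ;;                    # PKCS#8 label is from the thread;
                                           # the others are an assumption
        *)
            echo DER ;;                    # no PEM armour: assume DER
    esac
}

# tpm_sign <keyfile> <datafile> <sigfile>
# Runs the same "openssl dgst -sha256 -sign" as in the issue, adding the
# engine options only when keyform_for says the key is a TSS2 blob.
tpm_sign() {
    key=$1; data=$2; sig=$3
    kf=$(keyform_for "$key") || { echo "cannot read $key" >&2; return 1; }
    if [ "$kf" = engine ]; then
        openssl dgst -engine tpm2tss -keyform engine -sha256 \
            -sign "$key" -out "$sig" "$data"
    else
        openssl dgst -keyform "$kf" -sha256 -sign "$key" -out "$sig" "$data"
    fi
}

# When invoked as a script with three arguments, sign directly:
#   sh tpm_sign.sh tpmkey data data.sig
if [ $# -eq 3 ]; then
    tpm_sign "$@"
fi
```

The detection is deliberately done on the armour label rather than by trying `-keyform PEM` first and falling back, because a failed `openssl dgst` against the engine would still have loaded it and the error text differs between OpenSSL builds; the first-line check is cheap and deterministic.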