Closed xlandrexl closed 1 year ago
I see that the issue is that the engine does not automatically detect the type of key: a usual PEM key, or a blob generated by tpm2tss-genkey.
The problem is that openssl does not autoload the engine if it detects a tpm key.
In your code, you can have a look at the first line. If it is a tpm2-tss-engine key, it will read
-----BEGIN TSS2 PRIVATE KEY-----
If it is a regular key, it will read
-----BEGIN PRIVATE KEY-----
Hope this helps.
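As an added example (not from this issue or the tpm2-tss-engine project), a POSIX shell wrapper that applies the header check above to choose the key form before calling openssl dgst. The sample key files it writes are constructed stand-ins with no real key material; openssl itself is only invoked by tpm_sign, which the demo at the bottom does not call.

```shell
#!/bin/sh
# Added example: select the openssl key form from the first line of the key
# file, as described in the comment above. Not project code.

# Prints "engine" for a tpm2tss-genkey blob, "pem" for an ordinary PEM key,
# and fails (non-zero) for anything it does not recognise.
detect_keyform() {
    first=$(head -n 1 "$1") || return 1
    case "$first" in
        "-----BEGIN TSS2 PRIVATE KEY-----")
            echo engine ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            echo pem ;;
        *)
            echo "unrecognised key header: $first" >&2
            return 1 ;;
    esac
}

# Prints the extra openssl arguments needed for the key file (empty for a
# plain PEM key), so the caller can splice them into the command line.
keyform_args() {
    form=$(detect_keyform "$1") || return 1
    if [ "$form" = engine ]; then
        echo "-engine tpm2tss -keyform engine"
    fi
}

# tpm_sign KEYFILE DATAFILE SIGFILE: the two invocations from the issue,
# picked automatically. Word-splitting of $(keyform_args ...) is intended.
tpm_sign() {
    extra=$(keyform_args "$1") || return 1
    openssl dgst $extra -sha256 -sign "$1" -out "$3" "$2"
}

# Demo on constructed files (the base64 body is a placeholder, not a key).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN TSS2 PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END TSS2 PRIVATE KEY-----' > "$demo_dir/tpmkey"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$demo_dir/private_key.pem"
for f in "$demo_dir/tpmkey" "$demo_dir/private_key.pem"; do
    echo "$f -> $(detect_keyform "$f") [$(keyform_args "$f")]"
done
```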
Hello,
Is there any configuration possible to set the default keyform, or to automatically detect it?
The current situation is the following. With a normal private key file, the following command works through the TPM.
openssl dgst -sha256 -sign private_key.pem -out data.sig data
However, if I use a tpm blob generated by tpm2tss-genkey, it doesn't work correctly (wrong key form, expecting private key).
openssl dgst -sha256 -sign tpmkey -out data.sig data
To make it work, I have to specify the keyform (engine), e.g.
openssl dgst -engine tpm2tss -keyform engine -sha256 -sign tpmkey -out data.sig data
My openssl.cnf configuration file has the following contents in the engine part.
This leads to integration issues with other applications when using tpm blobs. Does anyone have a good solution for this? Or would that be an interesting patch?
Thanks in advance.