Closed roberto497 closed 5 years ago
Is it possible to use the tpm2tss engine with pycurl?
I tried running this command: `curl -k --engine tpm2tss --cert client.crt --key private.key --key-type ENG --tlsv1.2 -v https://MY_URL` and it returns this output:
GET / HTTP/1.1 Host: -------------- User-Agent: curl/7.58.0 Accept: /
Could you provide the sequence of all commands so I can reproduce your scenario? All the way from key generation, cert requesting, and cert response to usage in Python?
MACHINE:

1) Generate the key

```
tpm2tss-genkey -a ecdsa -v -s 256 private.key
```

2) Generate the .csr

```
openssl req -out client.csr -new -newkey rsa:2048 -engine tpm2tss -keyform engine -key private.key -subj "/C=BR/ST=SP/L=Sao Paulo/O=Grupo Tecnowise/CN=MAQ-1542-8598545854"
```

SERVER:

```
openssl x509 -req -days 1028 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
```
So I sent client.crt to the machine and ran the Python script.
One more thing, what are your OpenSSL and Python versions, and what OS/version are you on?
> One more thing, what are your OpenSSL and Python versions, and what OS/version are you on?

OpenSSL 1.1.0g 2 Nov 2017
Python 3.6.7
Ubuntu 18.04
@AndreasFuchsSIT I tried several different ones and so far I have not been able to make a request to my server API using a key pair created in the TPM. Any suggestions?
Solved
Generate key

```
tpm2_createprimary -a o -g sha256 -G rsa -o po.ctx
tpm2_flushcontext -t
tpm2_create -C po.ctx -g sha256 -G rsa -u rsakey.pub -r rsakey
tpm2_flushcontext -t
tpm2_load -C po.ctx -u rsakey.pub -r rsakey -o rsakey.ctx
tpm2_flushcontext -t
tpm2_evictcontrol -a o -c rsakey.ctx -p 0x81010003
tpm2_flushcontext -t
tpm2_readpublic -c 0x81010003 -o rsa.pem -f pem
```

Generate .csr

```
openssl req -new -engine tpm2tss -keyform engine -out client.csr -key 0x81010003
```

Curl command

```
curl -k --engine tpm2tss --cert client.crt --key 0x81010003 --key-type ENG --tlsv1.2 -v https://my_api
```
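The curl command from the comment above expressed with pycurl, added here as an example that is not code from the thread or the tpm2-tss-engine project. It maps each flag (`--engine`, `--key-type ENG`, `--tlsv1.2`, `-k`) onto the corresponding libcurl option; the host, certificate path and persistent handle `0x81010003` are taken from the thread.

```python
import io

# Added example, not from the issue thread: pycurl equivalent of
#   curl -k --engine tpm2tss --cert client.crt --key 0x81010003 --key-type ENG --tlsv1.2 https://my_api
# pycurl option names mirror libcurl's CURLOPT_* names.

TPM_ENGINE = "tpm2tss"
CURL_SSLVERSION_TLSV1_2 = 6  # libcurl's CURL_SSLVERSION_TLSv1_2 (== pycurl.SSLVERSION_TLSv1_2)


def tpm_client_options(cert_path, key_ref, url, insecure=False, engine=TPM_ENGINE):
    """Return {pycurl option name: value} for a client-cert TLS request whose
    private key never leaves the TPM.  key_ref is a persistent handle such as
    '0x81010003' or the path of a TSS2 PEM file written by tpm2tss-genkey;
    the engine, not libcurl, resolves it, which is why the key type is ENG."""
    opts = {
        "URL": url,
        "SSLENGINE": engine,           # --engine tpm2tss: load the OpenSSL engine
        "SSLENGINE_DEFAULT": 1,        # make it the default engine for crypto ops
        "SSLCERT": cert_path,          # --cert client.crt (plain PEM, public material only)
        "SSLKEY": key_ref,             # --key 0x81010003 (handle, not a PEM file)
        "SSLKEYTYPE": "ENG",           # --key-type ENG, the equivalent of -keyform engine
        "SSLVERSION": CURL_SSLVERSION_TLSV1_2,  # --tlsv1.2
    }
    if insecure:                       # -k: skip server certificate validation
        opts["SSL_VERIFYPEER"] = 0
        opts["SSL_VERIFYHOST"] = 0
    return opts


def fetch_with_tpm_key(cert_path, key_ref, url, insecure=False):
    """Perform the request with pycurl; returns (HTTP status, response body bytes)."""
    import pycurl  # imported here so the option mapping stays usable without libcurl

    body = io.BytesIO()
    curl = pycurl.Curl()
    try:
        for name, value in tpm_client_options(cert_path, key_ref, url, insecure).items():
            curl.setopt(getattr(pycurl, name), value)
        curl.setopt(pycurl.WRITEDATA, body)
        curl.perform()
        return curl.getinfo(pycurl.RESPONSE_CODE), body.getvalue()
    finally:
        curl.close()


if __name__ == "__main__":
    # Mirrors the thread's curl invocation, including -k.
    status, data = fetch_with_tpm_key("client.crt", "0x81010003", "https://my_api", insecure=True)
    print(status, data[:200])
```

With `insecure=False` (the default) libcurl verifies the server chain against its CA bundle; pass `pycurl.CAINFO` separately if the server CA is private.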
Ok, that's already good. I'll reopen the bug though, because we don't want to be restricted to persistent keys. Thanks for the effort and demonstration though.
I'll assume that the reason is the equivalent of `-keyform engine` from the command-line tool. Don't know if `--key-type ENG` actually does this 1-to-1.
Apparently this issue is a duplicate of #93 and https://github.com/tpm2-software/tpm2-tss-engine/issues/93#issuecomment-473865216 fixes this issue here as well.
I generated the private key using genkey, then generated the .csr, sent it to my server and generated the .pem using the CA. I am trying to make a request using Python and it is returning the following error:
```python
import requests

# Client certificate issued by the CA and the TPM key blob written by tpm2tss-genkey
cert_file_path = "client.crt"
key_file_path = "private.key"

url = "https://IP_SERVER"
cert = (cert_file_path, key_file_path)
# Server certificate verification is disabled, matching curl -k
r = requests.get(url, cert=cert, verify=False)

print(r.status_code)
```

Error:

```
requests.exceptions.SSLError: HTTPSConnectionPool (host = '189.36.10.80', port = 20443): Max retries exceeded with url: / (Caused by SSLError (SSLError (336265225, '[SSL] PEM lib (_ssl.c: 3507) (I.e.
```
Can anyone help me with this?