tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

Create private key in TPM and use it without password prompt #2901

Open raihav opened 2 months ago

raihav commented 2 months ago

Expected Behavior

I want to start an openssl server with the tpm2tss engine that uses a private key stored in the TPM without a prompt for a password.

Hint: The prompt should have been suppressed by: Enable emptyAuth detection for noda persistent keys #55

Please can you tell me how I shall create a key to avoid the password prompt by the tpm2tss engine?

Test

I have created the key with NODA and stored it in the TPM with handle 0x81010101:

tpm2_create -C primary.ctx -G rsa -u key.pub -r key.priv -a "decrypt|sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"

With the tpm2tss engine, the server starts and asks for a password:

openssl s_server -cert secrets/localhost.crt -key 0x81010101 -keyform engine -engine tpm2tss -accept 4443

For comparison, with the tpm2 provider the server starts without a prompt:

openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key handle:0x81010101 -cert secrets/localhost.crt

Context

gRPC supports OpenSSL engines only, and the password prompt is not implemented in the gRPC code.

AndreasFuchsTPM commented 3 days ago

According to

https://github.com/tpm2-software/tpm2-tss-engine/blob/3d010240b5afbabbf54c35d6c0f6e92ed0a0c0ea/src/tpm2-tss-engine-common.c#L250-L258

this should also be handled correctly for the tpm2-tss-engine.

No idea why this is not working for you here.

Could you call tpm2_readpublic on the persistent key handle just to double check?
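The check requested above, as an added example that is not part of this issue thread or of tpm2-tss: it takes the text that tpm2_readpublic prints for the handle and verifies the two things the engine's emptyAuth shortcut depends on, a handle in the persistent range and the noda attribute in the object's TPMA_OBJECT bits (userwithauth is also required for password-style USER authorization). The readpublic excerpts are constructed, not captured from a real TPM, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed excerpt of `tpm2_readpublic -c 0x81010101` for a key built with the
# issue's template (fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|decrypt|sign).
SAMPLE_NODA='name: 000b<placeholder>
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|decrypt|sign
  raw: 0x60472
type:
  value: rsa
  raw: 0x1'

# Same key template with noda omitted (constructed); the engine will prompt for this one.
SAMPLE_NO_NODA='name: 000b<placeholder>
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072'

# TPMA_OBJECT bits from TPM 2.0 Library Part 2 (Structures).
NODA_BIT=0x400
USERWITHAUTH_BIT=0x40

# attr_raw OUTPUT: print the hex "raw:" value that follows the "attributes:" key.
attr_raw() {
    printf '%s\n' "$1" | awk '/^attributes:/ { f = 1; next } f && /raw:/ { print $2; exit }'
}

# is_persistent_handle HANDLE: succeeds when HANDLE lies in the persistent
# object range 0x81000000-0x81FFFFFF (TPM_HT_PERSISTENT).
is_persistent_handle() {
    h=$(( $1 ))
    [ "$h" -ge $(( 0x81000000 )) ] && [ "$h" -le $(( 0x81FFFFFF )) ]
}

# key_skips_auth_prompt HANDLE OUTPUT: succeeds when the key is persistent and
# carries both noda and userwithauth, i.e. the engine may safely probe for an
# empty authValue without risking the dictionary-attack lockout counter.
key_skips_auth_prompt() {
    is_persistent_handle "$1" || return 1
    r=$(attr_raw "$2")
    [ -n "$r" ] || return 1
    raw=$(( r ))
    [ $(( raw & NODA_BIT )) -ne 0 ] && [ $(( raw & USERWITHAUTH_BIT )) -ne 0 ]
}
```

Pipe real output in with `key_skips_auth_prompt 0x81010101 "$(tpm2_readpublic -c 0x81010101)"`; a non-zero exit means the key as stored does not match what the engine's noda shortcut expects.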