Topic: Verify cert using keyblob read from tpm nvram

Hello.
I'm new to wolfSSL and quite confused. I read a private key (into a KEYBLOB structure) from TPM NVRAM. I need to verify that this is the same key as the one I have in another cert (i.e. I want to verify it).

How can I do this?
From the documentation, I see (as in this post https://www.wolfssl.com/forums/topic140 … -pair.html ) that I can do it, but with the key as PEM, not as a keyblob.

Now, what is the right way to do it from a keyblob?


Re: Verify cert using keyblob read from tpm nvram

Hello celov65111

Welcome and thanks for joining the wolfSSL Forums. I moved this topic to the wolfTPM section, under the assumption that you are using wolfTPM to access the TPM device. Please correct me if I am mistaken.

Here is an example of reading a key from nvram:
https://github.com/wolfSSL/wolfTPM/blob … ram/read.c

Let us know if there are any questions.

Kind regards,
Eric @ wolfSSL Support

Re: Verify cert using keyblob read from tpm nvram

Yes, I read from NVRAM, and my code is using this example.
My problem comes after that.
I read the public and private keys from TPM NVRAM, which is done successfully.
Now, I have a .crt certificate which I want to verify (i.e. verify this cert using the private key I read from NVRAM and check that both private keys are the same).

The question is: how can I do this? What I get from reading NVRAM is a (Keyblob) structure, and none of the functions in the docs accept a keyblob. So, how can I use what I read from NVRAM to verify a .crt I have?

Another question is: what is the format that comes out of / goes into the NVRAM? Is the keyblob in PEM format? etc.

These are mainly my questions.


Re: Verify cert using keyblob read from tpm nvram

Hi celov65111,

A certificate contains a public key which is signed by another key which is trusted. To verify a certificate you only need the public key of the signer. Typically the AKID (Authority Key Identifier) is used to identify the signer key. It is a hash of the signer's public key.

If a TPM private key was used to sign, you only need the public key to verify a certificate, since a verify is a public-only operation.

You can export a TPM RSA public key using `wolfTPM2_RsaKey_TpmToPemPub`. Or you could export an RSA public key as DER/ASN.1 using `wolfTPM2_RsaKey_TpmToWolf` and `wc_RsaKeyToPublicDer_ex`. For an ECC public key you can use `wolfTPM2_EccKey_TpmToWolf` and `wc_EccPublicKeyToDer`.

For validating a certificate you could leverage our wolfSSL Certificate Manager to do a certificate validation. See example here:
https://github.com/wolfSSL/wolfssl-exam … fybuffer.c

If you are looking for a more direct approach you could just do:
1) Hash the certificate (minus trailing signature)
2) Use `wc_ecc_verify_hash` or `wc_RsaSSL_VerifyInline` with the public key and hash to verify the signature.

For reference, a KEYBLOB is key material from the TPM in a TPM format. The private key is encrypted and not usable except when loaded to the TPM. The public portion of a key blob is exportable and can be used for wolfCrypt operations using the above conversion APIs.

If you have more questions it would be helpful to know more about your project. Feel free to email us directly at support at wolfssl.com and reference this ticket.

Thanks,
David Garske, wolfSSL


Re: Verify cert using keyblob read from tpm nvram

I'm quite confused because there are many structures. I will explain what I have, and I hope you can guide me to the best way to go.
Basically, what I have is:
1- A KeyBlob I get from the TPM (private and public, using the nvram read example)
2- A .crt file

What I need is to verify (by verify I mean making sure that the keys I read from this .crt are the same as the keys I read from the TPM; I think this is comparing public keys or private keys).

Now, what steps should I take? I got lost in the docs and cannot find a proper way to do it.
Thanks in advance.


Re: Verify cert using keyblob read from tpm nvram

In other words, how can I check that the public (or private) key in the .crt file is the same one I read from TPM NVRAM?


Re: Verify cert using keyblob read from tpm nvram

Hi celov65111,

An X.509 certificate only contains a public key.

To compare the public key of the certificate to the TPM:
1) Read the public key from the TPM using something like `wolfTPM2_ReadPublicKey`
2) Export an RSA public key as DER/ASN.1 using `wolfTPM2_RsaKey_TpmToWolf` and `wc_RsaKeyToPublicDer_ex`. For an ECC public key you can use `wolfTPM2_EccKey_TpmToWolf` and `wc_EccPublicKeyToDer`.
3) Extract the public key from the X.509 certificate.

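```c
#include <stdio.h>
#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/wolfcrypt/asn.h"
#include "wolfssl/wolfcrypt/logging.h"   /* WOLFSSL_BUFFER */

/* Wrapper function added so the snippet compiles on its own.
 * certBuffer/certLen: the DER-encoded X.509 certificate. */
int print_cert_public_key(const byte* certBuffer, word32 certLen)
{
    int ret;
    DecodedCert cert;

    InitDecodedCert(&cert, certBuffer, certLen, NULL);
    /* NO_VERIFY: parse only, the certificate signature is not checked */
    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
    if (ret == 0) {
        printf("Public Key %u\n", (unsigned)cert.pubKeySize);
        WOLFSSL_BUFFER(cert.publicKey, cert.pubKeySize);
    }
    FreeDecodedCert(&cert);
    return ret;
}
```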

Also make sure you verify the signature of the certificate. You can pass `VERIFY` instead of `NO_VERIFY` to `ParseCert`. The 4th argument lets you pass in a Certificate Manager pointer for validating the signature against a trusted certificate. We have an example for that here: https://github.com/wolfSSL/wolfssl-exam … fybuffer.c

Thanks,
David Garske, wolfSSL
