In other words, how can I check that the public (or private) key in the .crt file is the same one I read from TPM nvram?

dgarske wrote:

Hi celov65111,

A certificate contains a public key which is signed by another key that is trusted. To verify a certificate you only need the public key for the signer. Typically the AKID (Authority Key Identifier) is used to identify the signer key. It is a hash of the signer's public key.

If a TPM private key was used to sign you only need to have the public key to verify a certificate, since a verify is a public-only operation.

You can export a TPM RSA public key using `wolfTPM2_RsaKey_TpmToPemPub`. Or you could export an RSA public key DER/ASN.1 using `wolfTPM2_RsaKey_TpmToWolf` and `wc_RsaKeyToPublicDer_ex`. For an ECC public key you can use `wolfTPM2_EccKey_TpmToWolf` and `wc_EccPublicKeyToDer`.

For validating a certificate you could leverage our wolfSSL Certificate Manager to do a certificate validation. See example here:
https://github.com/wolfSSL/wolfssl-exam … fybuffer.c

If you are looking for a more direct approach you could just do:
1) Hash the certificate (minus trailing signature)
2) Use wc_ecc_verify_hash or wc_RsaSSL_VerifyInline with the public key and hash to verify signature.

For reference, a KEYBLOB is key material from the TPM in a TPM format. The private key is encrypted and not usable except when loaded to the TPM. The public portion of a key blob is exportable and can be used for wolfCrypt operations using the above conversion APIs.

If you have more questions it would be helpful to know more about your project. Feel free to email us directly at support at wolfssl.com and reference this ticket.

Thanks,
David Garske, wolfSSL
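The check the question actually asks for is a public-key comparison: export the TPM public key as DER with the conversion APIs above (the header-bearing SubjectPublicKeyInfo form), then compare it byte-for-byte with the subjectPublicKeyInfo field of the certificate. The following is an added, self-contained C illustration of that comparison and is not wolfSSL or wolfTPM code; it walks the certificate DER to the subjectPublicKeyInfo and memcmp()s it against the exported key. The toy certificate and key bytes are constructed for the example (not a real key), and in a wolfSSL build the certificate side would normally come from the library's certificate parser rather than a hand-written walk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decode one DER TLV header at p (bounded by end): sets tag/len, returns the value pointer or NULL. */
static const uint8_t *der_tlv(const uint8_t *p, const uint8_t *end, uint8_t *tag, size_t *len) {
    size_t l, hdr = 2;
    if (end - p < 2) return NULL;
    *tag = p[0]; l = p[1];
    if (l & 0x80) {                                  /* long form: next n bytes hold the length */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - p) < 2 + n) return NULL;  /* no indefinite/huge lengths */
        for (l = 0; hdr < 2 + n; hdr++) l = (l << 8) | p[hdr];
    }
    if ((size_t)(end - p) < hdr + l) return NULL;   /* value must fit inside the buffer */
    *len = l;
    return p + hdr;
}
/* Return the complete subjectPublicKeyInfo TLV of a DER X.509 certificate, or NULL if malformed. */
static const uint8_t *cert_spki(const uint8_t *cert, size_t cert_len, size_t *spki_len) {
    const uint8_t *end = cert + cert_len, *p, *v;
    uint8_t tag; size_t len;
    if (!(p = der_tlv(cert, end, &tag, &len)) || tag != 0x30) return NULL;  /* Certificate */
    if (!(p = der_tlv(p, end, &tag, &len)) || tag != 0x30) return NULL;     /* TBSCertificate */
    end = p + len;
    if ((v = der_tlv(p, end, &tag, &len)) && tag == 0xA0) p = v + len;      /* optional [0] version */
    for (int i = 0; i < 5; i++) {             /* skip serial, signature alg, issuer, validity, subject */
        if (!(v = der_tlv(p, end, &tag, &len))) return NULL;
        p = v + len;
    }
    if (!(v = der_tlv(p, end, &tag, &len)) || tag != 0x30) return NULL;     /* subjectPublicKeyInfo */
    *spki_len = (size_t)(v + len - p);
    return p;
}
/* 1 if the certificate's subjectPublicKeyInfo is byte-identical to the DER public key exported from the TPM. */
int cert_key_matches_tpm(const uint8_t *cert, size_t cert_len, const uint8_t *tpm_pub, size_t tpm_len) {
    size_t n;
    const uint8_t *spki = cert_spki(cert, cert_len, &n);
    return spki != NULL && n == tpm_len && memcmp(spki, tpm_pub, n) == 0;
}
/* Constructed toy data (not a real key or certificate), just enough structure to exercise the walk. */
const uint8_t TOY_SPKI[] = {0x30,0x05, 0x30,0x00, 0x03,0x01,0x00};   /* SEQ{ SEQ{}, BIT STRING } */
const uint8_t TOY_CERT[] = {
    0x30,0x1E, 0x30,0x17,                       /* Certificate, TBSCertificate */
    0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,   /* [0] version v3, serialNumber 1 */
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, /* signature, issuer, validity, subject (empty) */
    0x30,0x05, 0x30,0x00, 0x03,0x01,0x00,       /* subjectPublicKeyInfo == TOY_SPKI */
    0x30,0x00, 0x03,0x01,0x00                   /* signatureAlgorithm, signatureValue */
};
```

A byte-for-byte match of the SubjectPublicKeyInfo is the strict check; if the two encodings can differ in algorithm parameters, compare the decoded modulus and exponent (or ECC point) instead.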

I'm quite confused because there are many structures. I will explain to you what I have, and I hope you can guide me to the best way I can go with.
Basically, what I have is:
1- KeyBlob I get from the TPM (private and public, using the nvram read example)
2- I have .crt file

What I need is to verify (by verify I mean making sure that the keys I read from this .crt are the same as the keys I read from the TPM; I think this is comparing public keys or private keys).

Now what steps should I do, as I got lost in the docs and cannot find a proper way to do it?
Thanks in advance.

embhorn wrote:

Hello celov65111

Welcome and thanks for joining the wolfSSL Forums. I moved this topic to the wolfTPM section, under the assumption that you are using wolfTPM to access the TPM device. Please correct me if I am mistaken.

Here is an example of reading a key from nvram:
https://github.com/wolfSSL/wolfTPM/blob … ram/read.c

Let us know if there are any questions.

Kind regards,
Eric @ wolfSSL Support

Yes, I read from nvram, and my code is using this example.
My problem comes after that.
I read public and private keys from TPM nvram, which is done well.
Now, I've a .crt certificate which I want to verify (i.e.: verify this cert using the private key I read from nvram and check both private keys are the same).

Question is: how can I do this? What I get from nvram reading is a (Keyblob) structure, where none of the functions in the doc accepts a keyblob. So, how can I use what I read from nvram to verify a .crt I have?

Another question is, what is the format that comes out of / goes into the nvram? Is the keyblob PEM format? etc.

These are mainly my questions.

Hello.
I'm new to wolfSSL and quite confused. I read a private key (into a KEYBLOB structure) from TPM nvram. I need to verify that this is the same key as the one I have in another cert (i.e.: I want to verify it).

How can I do this?
From the documentation, I see (like in this post https://www.wolfssl.com/forums/topic140 … -pair.html ) that I can do it, but with the key as PEM, not a keyblob.

Now what is the right way to do it from a keyblob?