1 (edited by tpm2user 2022-07-13 06:10:15)

Topic: Need help!

Hello,

This is my first post in this forum. The earliest post on tpm.dev went unanswered. I hope someone can help clarify here. My question is two-fold:


FIRST: I wish to have equivalent of the below function, but for TPM:

if (wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, WOLFSSL_FILETYPE_PEM)   != SSL_SUCCESS)
{
    // Turn off TLS
    return 0;
} 

Note: Here, KEY_FILE is a plain .crt text file on filesystem containing a private key. (This was used prior to TPM present on hardware).

SECOND: Regarding signing inside of TPM2 chip, I see i could use the following function:


/* [This is part of wolftpm2/tls/tls_server.c example:
* Private key only exists on the TPM and crypto callbacks are used for
* signing. Public key is required to enable TLS server auth.
* This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, buffer_size, WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) 
{
..
}

It seems for the above function to use TPM2, we need to enable Crypto-callback and TPM2 should take care of signing using the callback. The following are the Steps I followed:

1. Generated raw file using keygen tool in wolftpm/examples (I renamed it to keyblob.bin)
2. I imported this to TPM to receive a temporary TPM2 handle (which went OK).
3. I have a public certificate (named test.crt) which contains public key (signed using CSR by Certificate Authority). so, this public certificate corresponds to the CSR generated by TPM for this private key.
4. I have enabled the crypto-dev callbacks.

So, now I have the TPM2 handle and certificate file. How can i register to the above buffer function using these for signing operations? In code I did:

readKeyblob -> get the private key
wolftpm2_load -> get the handle for the key stored by TPM
wolfSSL_CTX_use_PrivateKey_buffer -> The parameters were (ctx, keyBlob.priv.buffer, sizeof(keyBlob.priv.size)

What am I doing wrong?

Share

Re: Need help!

Hi tpm2user,

1) For wolfSSL when using a TPM private key for TLS you need to extract the public key and pass it to the `wolfSSL_CTX_use_PrivateKey_*` function. The TLS examples were all updated recently to do this. See PR https://github.com/wolfSSL/wolfTPM/pull/210
The use_PrivateKey functions support variations to allow using a file or buffer as PEM or DER.

2) The crypto callback requires registering a callback function (like wolfTPM2_CryptoDevCb) with a devId value. Then you use `wolfSSL_CTX_SetDevId` to tell the TLS layer and all internal keys to use the crypto callback.

Thanks,
David Garske, wolfSSL

Share

Re: Need help!

Thanks David.

I looked at the TLS example, there were some minor changes since the last time I saw it.

To get the basics right, I did the following:

# Generate keypair on TPM and generate ECC signed certificate for use:

sudo ./examples/keygen/keygen ecc_test_blob.raw -ecc -t
sudo ./examples/csr/csr
sudo ./certs/certreq.sh

So, now I have ca-ecc-cert.pem signed certificate file and ecc_test_blob.raw file (the latter holding the key-pair)

In software, I have done the following:
1. Setup TPM callback using wolfTPM2_CryptoDevCb and wolfSSL_CTX_SetDevId
2. Q. How do I load the buffer as PEM? I did the following:

  • a) Load the keyfile ecc_test_blob.raw into TPM and get back a TPM handle (OK)

  • b) Extract public_key from the above keyblob and store it as a buffer? The public_key is only available under WOLFTPM2_KEYBLOB

I am a bit lost now, because it did not work. All I need is how to get the buffer_key correctly (which I now understand is the public key provided to wolfSSL and private_key is on the TPM itself which will be used via crypto_callback).

if ((wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer_key, buffer_key_size, WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS)
{
    printf("Failed to set the key");   
    return -1;
}

Looking to get this sorted. Its been a sharp learning curve with existing examples and unable to find sufficient wolfTpm signing examples.

Many thanks!

Share

Re: Need help!

Hi tpm2user,

1) Load the TPM public key into a wolfCrypt ecc_key struct: https://github.com/wolfSSL/wolfTPM/blob … ent.c#L226
2) Extract public key as DER: wc_EccPublicKeyToDer: https://github.com/wolfSSL/wolfTPM/blob … ent.c#L363
3) Use DER with wolfSSL_CTX_use_PrivateKey_buffer and WOLFSSL_FILETYPE_ASN1

Thanks,
David Garske, wolfSSL

Share

Re: Need help!

Thanks, will try this and report back.

On a side note, I have an context file generated via tpm2_loadexternal command.

tpm2_loadexternal --hierarchy n \
                  --key-algorithm rsa \
                  --public "$HOME/openssl_public.pem" \
                  --private "$HOME/openssl_private.pem" \
                  --key-context "$HOME/openssl.ctx" \
                  --name "$HOME/openssl.name"

Is there a way that this openssl.ctx file can be loaded using wolfTPM commands? I tried using keyload, but this seems to be a different format:

linux@tpm2user:~/test/wolfTPM/examples/keygen$ file keyblob.bin
keyblob.bin: PDP-11 overlaid pure executable not stripped

linux@tpm2user:~/test/wolfTPM/examples/keygen$ file ~/openssl.ctx
~/openssl.ctx: data

I also tried base64 to convert openssl.ctx:
linux@tpm2user:~/test/wolfTPM/examples/keygen$ file to_b64_openssl.ctx
to_b64_openssl.ctx: ASCII text

Share

Re: Need help!

dgarske wrote:

Hi tpm2user,

1) Load the TPM public key into a wolfCrypt ecc_key struct: https://github.com/wolfSSL/wolfTPM/blob … ent.c#L226

Thanks. For this, I see the functions:

 rc = wolfTPM2_GetKeyTemplate_ECC(..)
 rc = getECCkey(..)

I checked the getECCKey() function. It calls:
createAndLoadKey() and if I understand correctly, it generates its own keys from the TPM and loads the the public part into wolfEccKey object. I tried reading the context file via readKeyBlob and wolfTPM2_LoadKey(.) to receive a handle from TPM and pass it get getECCKey() function, but it failed.

I have my own context file generated by TPM [related to this post: https://www.wolfssl.com/forums/post6650.html#p6650) (which I would like to have loaded externally to TPM. I don't understand how I can go ahead from here by letting TPM know that I already have what it wants.)

Share