(edited by tpm2user 2022-07-15 05:05:20)

Topic: Compatibility between tpm2 and wolftpm!! What Format is wolfTpm using?

Hello,

I have generated a context file (openssl.ctx) with the TPM (but via tpm2_tools). I wanted to know IF and HOW exactly this can be used/imported via wolfTPM.

1. Use OpenSSL to create the device's public-private key pair, forgoing TPM protections. i.e., the key material is not protected by the parent object's seed.

openssl req -new -newkey rsa:2048 -keyout $HOME/openssl_private.pem -nodes \
            -out "$HOME/openssl.csr" \
            -subj "/C=BE/ST=Belgium/L=Brussels/O=CPP-LS/OU=Development/CN=www.tpm.dev"
 
openssl rsa -in "$HOME/openssl_private.pem" -out "$HOME/openssl_public.pem" -pubout

2. Load the non-protected key pair to the TPM. The private portion of an object can be loaded only to the Null hierarchy or the TPM will reject loading it.

tpm2_clear
 
tpm2_loadexternal --hierarchy n \
                  --key-algorithm rsa \
                  --public "$HOME/openssl_public.pem" \
                  --private "$HOME/openssl_private.pem" \
                  --key-context "$HOME/openssl.ctx" \
                  --name "$HOME/openssl.name"

How can this file (openssl.ctx) be imported into wolfTPM? I tried to convert it into base64, but the import does not work. Importing it directly always results in a buffer overflow on the wolfTPM side.

Many thanks!


Re: Compatibility between tpm2 and wolftpm!! What Format is wolfTpm using?

Hi tpm2user,

I am not familiar with `openssl.ctx` or `--key-context`, however I can show you how to load an external private key to the null hierarchy.

1) Make sure you are using DER format (binary ASN.1, not PEM). Use `-outform der`.
2) Use `wc_RsaPrivateKeyDecode`
3) `wolfTPM2_RsaKey_WolfToTpm_ex` to load into a WOLFTPM2_KEY.

We have an example here:
https://github.com/wolfSSL/wolfTPM/blob … est.c#L431

However, I don't have one that loads a PEM or DER key into the null hierarchy. I'll see about adding an example for this.

Thanks,
David Garske, wolfSSL

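The DER requirement in the reply above is where the PEM and base64 attempts in the question go wrong. As an added example (not wolfTPM or wolfSSL code), this C snippet strips the PEM armor to obtain the binary DER buffer that `wc_RsaPrivateKeyDecode` expects, then checks that the result is exactly one complete DER SEQUENCE, which is what separates a real DER key from PEM text or a stray base64 copy before it reaches the decoder; the embedded PEM is constructed and wraps a toy 8-byte SEQUENCE rather than a real RSA key.

```c
#include <stdint.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value; -1 for anything else. */
static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strip the PEM armor lines and base64-decode the body into binary DER.
 * Returns the DER length, or -1 on malformed PEM or a too-small output buffer. */
int pem_to_der(const char *pem, uint8_t *der, size_t der_cap) {
    const char *p = strstr(pem, "-----BEGIN ");
    if (p == NULL || (p = strchr(p, '\n')) == NULL) return -1;   /* skip the BEGIN line */
    const char *end = strstr(p, "-----END ");
    if (end == NULL) return -1;
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; p < end; p++) {
        int v = b64val(*p);                    /* '=' padding and line breaks are skipped */
        if (v < 0) { if (*p == '=' || *p == '\n' || *p == '\r') continue; return -1; }
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits < 8) continue;
        bits -= 8;
        if (n >= der_cap) return -1;
        der[n++] = (uint8_t)(acc >> bits);
    }
    return (int)n;
}

/* Check that buf is exactly one DER SEQUENCE (tag 0x30) whose encoded length matches the
 * buffer; PEM text ('-') or base64 ('M') fails at the first byte. Returns content length or -1. */
int der_sequence_len(const uint8_t *buf, size_t len) {
    if (len < 2 || buf[0] != 0x30) return -1;
    size_t hdr = 2, clen = buf[1];
    if (buf[1] >= 0x80) {                  /* long form: 0x8N followed by N length bytes */
        int nb = buf[1] & 0x7f;
        if (nb == 0 || nb > 4 || len < 2 + (size_t)nb) return -1;
        for (clen = 0; nb > 0; nb--) clen = (clen << 8) | buf[hdr++];
    }
    return (hdr + clen == len) ? (int)clen : -1;
}

/* Constructed sample: PEM armor around the toy DER SEQUENCE { INTEGER 0, INTEGER 7 }. */
int sample_check(void) {
    static const char pem[] = "-----BEGIN RSA PRIVATE KEY-----\nMAYCAQACAQc=\n-----END RSA PRIVATE KEY-----\n";
    uint8_t der[16]; int n = pem_to_der(pem, der, sizeof der);
    return n < 0 ? -1 : der_sequence_len(der, (size_t)n);   /* 6 content bytes for the sample */
}
```

Run `openssl rsa -in openssl_private.pem -outform DER -out openssl_private.der` to get the DER file directly; the check above is a quick way to confirm the bytes you hand to the decoder are DER and not still armored.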