Cannot wrap existing keys #12

dwmw2 · 2018-10-02T13:31:03Z

The original TPM1 and TPM2 engines come with a create_tpm{2,}_key tool which can "wrap" existing keys.

I tried using a key wrapped by openssl_tpm2_engine and converting it to the PEM format used by tpm2-tss-engine, but there's more to it than the file format, it seems:

This works:

openssl s_client -engine tpm2 -keyform engine -key machine.tss -cert machine.crt -connect $SERVER:443

 $ openssl asn1parse -in machine.tss
    0:d=0  hl=4 l= 503 cons: SEQUENCE          
    4:d=1  hl=2 l=   5 prim: OBJECT            :2.23.133.10.2
   11:d=1  hl=2 l=   3 cons: cont [ 0 ]        
   13:d=2  hl=2 l=   1 prim: BOOLEAN           :1
   16:d=1  hl=2 l=   6 cons: cont [ 1 ]        
   18:d=2  hl=2 l=   4 prim: INTEGER           :40000001
   24:d=1  hl=4 l= 284 cons: cont [ 2 ]        
   28:d=2  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:01160001000B000204400000001000100800000000000100C696B23A22C1516E22352CD1309A48BD7E6F054EE10BB7265BFC3BC85B622E75B658A03E15BB74CD9C542C4CEA22337467913058B3711E6EF6CB4C8DA9B496E5888346B058426D645398613BF9BCE907947E63B5B4CD4ABA1FFC2EA396BEC0A7F3F1FEDF022966CED43C070B2000BEEEE7BB82375A4E1C1558E7FC7139DCEE9C6055C3332D50572E14A0747B907440598C93B77F356689EE71ACDAECA9C1FF33C74106CD8C23ACA4613F4D234A4C10A1D7AA3E469493A541838D40A065B17FD23F7D75A5F9BD29F59566BB7D450E970269FD90F914FFF0CE44D526D4914C32F35AD9A2C6BAF7F77BAAA0B4B77F80C29C683764BAFADEAFC397D344DB2ABF996D
  312:d=1  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE00204463515A27FC3B773B53F28C04C147D78991B02E7B2FAFE0E96FA11E79692FCA0010DE02ADCCECCADBA51D1C71283A37FFD608D0979B994054031FF7475505EBC0D45CB6808A93D83C64051CA06043721D55D8FE514BDD997CB8B26199B62D2E8517C1DE5293AC6ED97EF278F648B072855B73B2D32CB2B39315FA40FA6AAF618038D6F880465083A1140DF9792448F6D888C912A797EE943912E0EC78B9576748822580ABECE5D02B973DAF1C0F7CE15DC56D3BB15E9AE7FADDB7C2

Converting that to the format used by the new engine:

 $ cat tpm2-engine.tss
-----BEGIN TSS2 PRIVKEY BLOB v1-----
BIHAAL4AIERjUVon/Dt3O1PyjATBR9eJkbAuey+v4OlvoR55aS/KABDeAq3M7MrbpR0ccSg6N//W
CNCXm5lAVAMf90dVBevA1Fy2gIqT2DxkBRygYENyHVXY/lFL3Zl8uLJhmbYtLoUXwd5Sk6xu2X7y
ePZIsHKFW3Oy0yyys5MV+kD6aq9hgDjW+IBGUIOhFA35eSRI9tiIyRKnl+6UORLg7Hi5V2dIgiWA
q+zl0CuXPa8cD3zhXcVtO7Femuf63bfC
-----END TSS2 PRIVKEY BLOB v1-----
-----BEGIN TSS2 PUBKEY BLOB v1-----
BIIBGAEWAAEACwACBEAAAAAQABAIAAAAAAABAMaWsjoiwVFuIjUs0TCaSL1+bwVO4Qu3Jlv8O8hb
Yi51tligPhW7dM2cVCxM6iIzdGeRMFizcR5u9stMjam0luWIg0awWEJtZFOYYTv5vOkHlH5jtbTN
Srof/C6jlr7Ap/Px/t8CKWbO1DwHCyAAvu7nu4I3Wk4cFVjn/HE53O6cYFXDMy1QVy4UoHR7kHRA
WYyTt381Zonucaza7KnB/zPHQQbNjCOspGE/TSNKTBCh16o+RpSTpUGDjUCgZbF/0j99daX5vSn1
lWa7fUUOlwJp/ZD5FP/wzkTVJtSRTDLzWtmixrr393uqoLS3f4DCnGg3ZLr63q/Dl9NE2yq/mW0=
-----END TSS2 PUBKEY BLOB v1-----
 $ head tpm2-engine.tss  | openssl asn1parse 
    0:d=0  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE00204463515A27FC3B773B53F28C04C147D78991B02E7B2FAFE0E96FA11E79692FCA0010DE02ADCCECCADBA51D1C71283A37FFD608D0979B994054031FF7475505EBC0D45CB6808A93D83C64051CA06043721D55D8FE514BDD997CB8B26199B62D2E8517C1DE5293AC6ED97EF278F648B072855B73B2D32CB2B39315FA40FA6AAF618038D6F880465083A1140DF9792448F6D888C912A797EE943912E0EC78B9576748822580ABECE5D02B973DAF1C0F7CE15DC56D3BB15E9AE7FADDB7C2
 $ tail -7 tpm2-engine.tss  | openssl asn1parse 
    0:d=0  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:01160001000B000204400000001000100800000000000100C696B23A22C1516E22352CD1309A48BD7E6F054EE10BB7265BFC3BC85B622E75B658A03E15BB74CD9C542C4CEA22337467913058B3711E6EF6CB4C8DA9B496E5888346B058426D645398613BF9BCE907947E63B5B4CD4ABA1FFC2EA396BEC0A7F3F1FEDF022966CED43C070B2000BEEEE7BB82375A4E1C1558E7FC7139DCEE9C6055C3332D50572E14A0747B907440598C93B77F356689EE71ACDAECA9C1FF33C74106CD8C23ACA4613F4D234A4C10A1D7AA3E469493A541838D40A065B17FD23F7D75A5F9BD29F59566BB7D450E970269FD90F914FFF0CE44D526D4914C32F35AD9A2C6BAF7F77BAAA0B4B77F80C29C683764BAFADEAFC397D344DB2ABF996D

Connecting with it doesn't work though:

$ openssl s_client -engine tpm2tss -keyform engine -key tpm2-engine.tss -cert machine.crt -connect $SERVER:443
Initializing
engine "tpm2tss" set.
Loading private key tpm2-engine.tss
get_auth called for object user key with ui_method 0x5602c00e9dc0
Enter password for user key:
password is 
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so 
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so 
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so 
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so 
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so 
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so 
error setting private key
140314406293952:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:295:

The text was updated successfully, but these errors were encountered:

AndreasFuchsTPM · 2018-10-02T16:05:45Z

I guess your workaround not working is related to #11 though.

As for "importing" or "wrapping" existing keys: Patches are highly welcome.
Starting points would be:

dwmw2 · 2018-10-02T16:13:46Z

I think my workaround covers the storage format differences, but ultimately fails because the two engines use different keys as the parent of the wrapped/generated key.

AndreasFuchsTPM · 2018-10-18T10:46:46Z

Only issue left for full support is #36
I'll close this one for now, since the other 2 issues (PEM format and empty-password) have been adressed.

dwmw2 · 2018-10-18T11:13:15Z

Did I miss support for wrapping existing keys (as opposed to creating new ones in the TPM)?

Right now I use the other engine's tool, since we fixed compatibility... But don't we want tpm2tss-genkey to do it too?

AndreasFuchsTPM · 2018-10-18T12:09:08Z

Oh, ok... sorry, i missed that part...

dwmw2 · 2018-10-18T12:17:03Z

Sorry, I wasn't stunningly coherent with the way I opened the ticket, talking mostly about my attempts to work around it.

AndreasFuchsTPM · 2018-10-18T15:13:48Z

It's fine...
So wrapping as a feature is the goal of this ticket.

AndreasFuchsTPM · 2018-10-25T03:33:10Z

I'll close this one for #39, which is a duplicate with a better description...

dwmw2 mentioned this issue Oct 2, 2018

Asked for password when none required #13

Closed

AndreasFuchsTPM added help wanted Extra attention is needed enhancement New feature or request labels Oct 2, 2018

AndreasFuchsTPM closed this as completed Oct 18, 2018

AndreasFuchsTPM reopened this Oct 18, 2018

AndreasFuchsTPM mentioned this issue Oct 25, 2018

Import existing keys into TPM for use with openssl #39

Open

AndreasFuchsTPM closed this as completed Oct 25, 2018

t-higuchi mentioned this issue Aug 16, 2019

tpm2_import: add support for ECC parent key tpm2-software/tpm2-tools#1675

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cannot wrap existing keys #12

Cannot wrap existing keys #12

dwmw2 commented Oct 2, 2018

AndreasFuchsTPM commented Oct 2, 2018

dwmw2 commented Oct 2, 2018 •

edited

Loading

AndreasFuchsTPM commented Oct 18, 2018

dwmw2 commented Oct 18, 2018

AndreasFuchsTPM commented Oct 18, 2018

dwmw2 commented Oct 18, 2018

AndreasFuchsTPM commented Oct 18, 2018

AndreasFuchsTPM commented Oct 25, 2018

Cannot wrap existing keys #12

Cannot wrap existing keys #12

Comments

dwmw2 commented Oct 2, 2018

AndreasFuchsTPM commented Oct 2, 2018

dwmw2 commented Oct 2, 2018 • edited Loading

AndreasFuchsTPM commented Oct 18, 2018

dwmw2 commented Oct 18, 2018

AndreasFuchsTPM commented Oct 18, 2018

dwmw2 commented Oct 18, 2018

AndreasFuchsTPM commented Oct 18, 2018

AndreasFuchsTPM commented Oct 25, 2018

dwmw2 commented Oct 2, 2018 •

edited

Loading