Import existing keys into TPM for use with openssl #39

Open
geobra opened this issue Oct 24, 2018 · 11 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@geobra

geobra commented Oct 24, 2018

Hi

My use case is to import existing keys into the TPM to be able to use them for a TLS connection using openssl.

What works so far is to generate a key inside the TPM on client and server, generate the certificates and connect:

-> execute on client or server accordingly...
"export TYPE=client|server"

generate key in tpm

tpm2tss-genkey -a rsa $TYPE.tss

gen a cert sign request

openssl req -new -key $TYPE.tss -engine tpm2tss -keyform engine -out $TYPE.csr

gen the certificate

openssl x509 -req -in $TYPE.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out $TYPE-cert.pem -days 365

on server:

openssl s_server -cert server-cert.pem -key server.tss -keyform engine -engine tpm2tss -CAfile ca-root.pem -accept 8443 -Verify 1

on client:

openssl s_client -keyform engine -engine tpm2tss -connect :8443 -cert client-cert.pem -key client.tss -CAfile ca-root.pem

But what I really want is to use existing private key and certificate on the client. So I tried to import my key into the TPM.

generate primary

tpm2_createprimary -G 0x0001 -g 0x000b -H o -C parent.ctx
tpm2_import -C parent.ctx -G 0x0001 -k client-key.pem -u client-key-tpm.pub -r client-key-tpm.priv

But now I have the encrypted parts of the private and public keys in a binary format. I need it in tss format for openssl to be useful.

Can this be converted?
Where to go from here? Or am I on the wrong path with this approach?

@AndreasFuchsTPM
Member

This is a duplicate of #12, though the title and description are better.
It's a planned feature...

@AndreasFuchsTPM AndreasFuchsTPM added the enhancement New feature or request label Oct 25, 2018
@dwmw2
Contributor

dwmw2 commented Oct 27, 2018

And yes... in the meantime, assuming that primary key you generated is the same as the one the engine would generate, you can actually take those binary blobs and put them into a PEM file. How are you at writing ASN.1 structures by hand...? :)

Run openssl asn1parse -in client.tss then replace the OCTET-STRINGs for the pub and priv key with the blobs you have...
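
The hand-built PEM that dwmw2 describes above, as an added example (not code from the tpm2-tss-engine project or from anyone in this thread). It assumes the key-file layout tpm2tss-genkey wrote at the time: a DER SEQUENCE of the loadable-key OID 2.23.133.10.1.3, an optional [0] EXPLICIT BOOLEAN emptyAuth, an INTEGER parent handle (0x40000001, TPM2_RH_OWNER, meaning "regenerate the engine's own primary"), and two OCTET STRINGs holding the marshalled TPM2B_PUBLIC and TPM2B_PRIVATE, under the PEM label "TSS2 PRIVATE KEY". It also assumes that the files tpm2_import writes with -u and -r are exactly those size-prefixed TPM2B blobs, which is what williamcroberts states later in the thread; the size check below catches a file that lacks the prefix. The caveat dwmw2 raises still applies: the TPM2B_PRIVATE is wrapped under the primary that performed the import, so parent=0x40000001 only loads if the engine recreates an identical primary. If the primary was created with a different template, persist it (tpm2_evictcontrol) and put that persistent handle into the parent field instead. The sample blobs at the bottom are constructed for the self-test and are not real TPM output.

```python
"""Wrap tpm2_import output blobs into a "TSS2 PRIVATE KEY" PEM (added example).

Assumed layout (tpm2-tss-engine key file of the time, see lead-in):
    TPMKey ::= SEQUENCE {
        type      OBJECT IDENTIFIER,           -- 2.23.133.10.1.3 (loadable key)
        emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
        parent    INTEGER,                     -- 0x40000001 = engine's own primary
        pubkey    OCTET STRING,                -- marshalled TPM2B_PUBLIC
        privkey   OCTET STRING                 -- marshalled TPM2B_PRIVATE
    }
"""
import base64
import struct
import sys

OID_LOADABLE_KEY = "2.23.133.10.1.3"
TPM2_RH_OWNER = 0x40000001
TPM2_ALG_RSA = 0x0001      # -G 0x0001 in the tpm2_createprimary/tpm2_import calls above
TPM2_ALG_SHA256 = 0x000B   # -g 0x000b
PEM_LABEL = "TSS2 PRIVATE KEY"


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID with base-128 arcs (first two arcs packed into one byte)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _der_int(v: int) -> bytes:
    # One extra byte keeps handles such as 0x81000001 positive (top bit clear).
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def check_tpm2b_public(pub: bytes, want_type=TPM2_ALG_RSA, want_name_alg=TPM2_ALG_SHA256) -> None:
    """A marshalled TPM2B_PUBLIC is a UINT16 size followed by TPMT_PUBLIC, whose first
    two UINT16 fields are type and nameAlg. Reject blobs that do not look like that."""
    if len(pub) < 6:
        raise ValueError("pub blob too short for a TPM2B_PUBLIC")
    size, alg_type, name_alg = struct.unpack(">HHH", pub[:6])
    if size != len(pub) - 2:
        raise ValueError(f"TPM2B_PUBLIC size {size} != {len(pub) - 2} payload bytes (size prefix missing?)")
    if alg_type != want_type or name_alg != want_name_alg:
        raise ValueError(f"unexpected type/nameAlg {alg_type:#06x}/{name_alg:#06x}")


def build_tss2_pem(pub: bytes, priv: bytes, parent: int = TPM2_RH_OWNER, empty_auth: bool = True) -> str:
    """Return the PEM text for the given TPM2B_PUBLIC / TPM2B_PRIVATE blobs."""
    check_tpm2b_public(pub)
    if len(priv) < 2 or struct.unpack(">H", priv[:2])[0] != len(priv) - 2:
        raise ValueError("priv blob is not a size-prefixed TPM2B_PRIVATE")
    fields = _der_oid(OID_LOADABLE_KEY)
    if empty_auth:
        fields += _tlv(0xA0, _tlv(0x01, b"\xff"))  # [0] EXPLICIT BOOLEAN TRUE
    fields += _der_int(parent) + _tlv(0x04, pub) + _tlv(0x04, priv)
    b64 = base64.b64encode(_tlv(0x30, fields)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {PEM_LABEL}-----\n" + "\n".join(lines) + f"\n-----END {PEM_LABEL}-----\n"


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_tss2_pem(pem: str) -> dict:
    """Decode the PEM back into its fields (the view `openssl asn1parse` gives)."""
    b64 = pem.split(f"-----BEGIN {PEM_LABEL}-----")[1].split(f"-----END {PEM_LABEL}-----")[0]
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("top-level element is not a SEQUENCE")
    tag, _oid, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER as first field")
    out = {"empty_auth": False}
    tag, val, nxt = _read_tlv(seq, pos)
    while 0xA0 <= tag <= 0xBF:  # skip [n] EXPLICIT optionals, noting emptyAuth ([0])
        if tag == 0xA0:
            out["empty_auth"] = _read_tlv(val, 0)[1] != b"\x00"
        tag, val, nxt = _read_tlv(seq, nxt)
    out["parent"] = int.from_bytes(val, "big")
    _, out["pub"], pos = _read_tlv(seq, nxt)
    _, out["priv"], _ = _read_tlv(seq, pos)
    return out


# Constructed sample blobs (not real TPM output): a TPM2B_PUBLIC whose TPMT_PUBLIC starts
# with type=RSA, nameAlg=SHA256, and a 194-byte TPM2B_PRIVATE that forces DER long-form lengths.
SAMPLE_PUB = struct.pack(">HHH", 34, TPM2_ALG_RSA, TPM2_ALG_SHA256) + b"\x00" * 30
SAMPLE_PRIV = struct.pack(">H", 194) + b"\x5a" * 194


def demo() -> dict:
    """Round-trip the sample blobs through build and parse."""
    return parse_tss2_pem(build_tss2_pem(SAMPLE_PUB, SAMPLE_PRIV))


if __name__ == "__main__":
    # usage: python tss2pem.py client-key-tpm.pub client-key-tpm.priv client.tss [parent-handle-hex]
    pub_path, priv_path, out_path = sys.argv[1:4]
    parent = int(sys.argv[4], 16) if len(sys.argv) > 4 else TPM2_RH_OWNER
    with open(pub_path, "rb") as f, open(priv_path, "rb") as g:
        pem = build_tss2_pem(f.read(), g.read(), parent=parent)
    with open(out_path, "w") as out:
        out.write(pem)
```

The optional fourth argument is the hex handle of a persisted parent (for example 0x81000001) for the case where the primary used by tpm2_import does not match the engine's template. Run `openssl asn1parse -in client.tss` on the result and compare it against a file produced by tpm2tss-genkey before trusting it in s_client.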

@geobra
Author

geobra commented Oct 27, 2018

Thanks for this information! I am off for one week now and will try this when I am back.

@AndreasFuchsTPM
Member

AndreasFuchsTPM commented Nov 22, 2018

Note for implementer: This is about importing keys generated by openssl.
Question is: Do we use Esys_Import directly or do we use the result of the tpm2_import command ?
Rather not the tpm2_import result because of the parent key stuff...
What about openssl rsa -engine tpm2tss -in private.pem -outform engine ?
What internal engine function is called then ?
Current error is: bad output format specified for outfile

@AndreasFuchsTPM AndreasFuchsTPM added the help wanted Extra attention is needed label Jan 18, 2019
@williamcroberts
Member

For the public and private portions of the object returned by tpm2_import or a create command, we just serialize the blob and write to disk. So they would be in the proper format to unserialize and hand off to ESYS. Perhaps a tool in this project to convert those blobs into the ossl engine format, or use them directly and have a different way to provide the needed metadata?

@dwmw2
Contributor

dwmw2 commented Feb 12, 2019

Whichever on-disk format(s) end up being supported, please ensure they are in one of two categories:

Think carefully about whether you should ever do something in the latter category.

@AndreasFuchsTPM
Member

AndreasFuchsTPM commented Feb 12, 2019

The tpm2tss-genkey executable shall (in the future) gain 2 import parameters to support importing of OpenSSL-PEM-keys as well as TPM2-keyblobs. Maybe even auto-detectable.

So implementer note: The tpm2_import command from tpm2-tools has some code snippets for reuse here.

@rpofuk

rpofuk commented Aug 27, 2019

Try this utility:
https://github.com/rpofuk/tpm2-asn-packer

I used it also to connect OpenVPN to AWS Client VPN

@AndreasFuchsTPM
Member

There's also some prototype bit-rotting at https://github.com/AndreasFuchsSIT/tpm2-tss-engine/tree/add_tpmkey_import

@dwmw2
Contributor

dwmw2 commented May 11, 2021

Any chance of picking this up? I'm (finally) adding some TPM testing to OpenConnect and would like to be able to import the existing keys from the test suite.

@AndreasFuchsTPM AndreasFuchsTPM removed this from the feature-wanted milestone Jan 13, 2022
@hallyn

hallyn commented Oct 18, 2023

Is anyone working on this?


6 participants