Hello,
I’m writing a program that uses the TPM. To implement it, I leverage
libengine-tpm-openssl and create_tpm_key, and some errors occur.
So, I want to ask about it.
1. create_tpm_key can create a pair of the RSA key with two kinds of the
signature scheme, DER and SHA1. The default is the DER sig scheme, and a user
can change it to SHA1 with the -q option. However, it doesn’t work. When
looking into the source code of create_tpm_key, I figured out that if the -q
option is “DER”, then it sets the signature scheme to SHA1. Is it intentional
or not? The following is a part of the create_tpm_key source code.
    case 'q':
        if (!strncasecmp("der", optarg, 3)) {
            sig_scheme = TSS_SS_RSASSAPKCS1V15_SHA1;
        } else if (strncasecmp("sha", optarg, 3)) {
            usage(argv[0]);
        }
2. When I generate an RSA key using create_tpm_key with the SHA1 signature
scheme, I cannot create an appropriate CSR with the openssl command. I used the
following command.
$ openssl req -keyform engine -engine tpm -key sk_sha1.blob -new -out sk_sha1.csr
3074160840:error:80069077:tpm engine:RPM_RSA_PRIV_ENC:invalid message size to sign:e_tpm.c:1152
I think that if the signature scheme of the generated key is
TSS_SS_RSASSAPKCS1V15_SHA1, then a caller of the tpm_rsa_priv_enc() must pass a
sha1 hash value of the from parameter of this function, but it doesn’t.
To detour this error, I’ve modified the source code to compute a sha1 of the
from parameter and set this value by calling Tspi_Hash_UpdateHashValue instead
of Tspi_Hash_SetHashValue in the tpm_rsa_priv_enc().
In this case, the CSR is generated without any problem. However, when I try to
make a new certificate with the following command, openssl returns an error,
“Signature did not match the certificate request”.
$ openssl x509 -req -in sk_sha1.csr -CA ../ca/root_ca.cert -CAkey ../ca/root_ca.key -CAcreateserial -days 3650 -out sk_sha1.cert
Signature did not match the certificate request
In summary, I want to know whether there is misunderstanding about
libengine-tpm-openssl or not. If it is a bug, could you let me know some hints
about it to fix it?
Regards,
Sungjin.
_______________________________________________
TrouSerS-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-tech