Hi tpm2user,

1) Load the TPM public key into a wolfCrypt ecc_key struct: https://github.com/wolfSSL/wolfTPM/blob … ent.c#L226

Thanks. For this, I see the functions:

 rc = wolfTPM2_GetKeyTemplate_ECC(..)
 rc = getECCkey(..)

I checked the getECCKey() function. It calls:
createAndLoadKey() and if I understand correctly, it generates its own keys from the TPM and loads the the public part into wolfEccKey object. I tried reading the context file via readKeyBlob and wolfTPM2_LoadKey(.) to receive a handle from TPM and pass it get getECCKey() function, but it failed.

On a side note, I have an context file generated via tpm2_loadexternal command.

tpm2_loadexternal --hierarchy n \
                  --key-algorithm rsa \
                  --public "$HOME/openssl_public.pem" \
                  --private "$HOME/openssl_private.pem" \
                  --key-context "$HOME/openssl.ctx" \
                  --name "$HOME/openssl.name"

Is there a way that this openssl.ctx file can be loaded using wolfTPM commands? I tried using keyload, but this seems to be a different format:

1) Load the TPM public key into a wolfCrypt ecc_key struct: https://github.com/wolfSSL/wolfTPM/blob … ent.c#L226
2) Extract public key as DER: wc_EccPublicKeyToDer: https://github.com/wolfSSL/wolfTPM/blob … ent.c#L363
3) Use DER with wolfSSL_CTX_use_PrivateKey_buffer and WOLFSSL_FILETYPE_ASN1

Thanks,
David Garske, wolfSSL

I looked at the TLS example, there were some minor changes since the last time I saw it.

To get the basics right, I did the following:

# Generate keypair on TPM and generate ECC signed certificate for use:

sudo ./examples/keygen/keygen ecc_test_blob.raw -ecc -t
sudo ./examples/csr/csr
sudo ./certs/certreq.sh

So, now I have ca-ecc-cert.pem signed certificate file and ecc_test_blob.raw file (the latter holding the key-pair)

In software, I have done the following:
1. Setup TPM callback using wolfTPM2_CryptoDevCb and wolfSSL_CTX_SetDevId
2. Q. How do I load the buffer as PEM? I did the following:

• a) Load the keyfile ecc_test_blob.raw into TPM and get back a TPM handle (OK)

• b) Extract public_key from the above keyblob and store it as a buffer? The public_key is only available under WOLFTPM2_KEYBLOB

I am a bit lost now, because it did not work. All I need is how to get the buffer_key correctly (which I now understand is the public key provided to wolfSSL and private_key is on the TPM itself which will be used via crypto_callback).

if ((wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer_key, buffer_key_size, WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS)
{
    printf("Failed to set the key");   
    return -1;
}

Looking to get this sorted. Its been a sharp learning curve with existing examples and unable to find sufficient wolfTpm signing examples.

Many thanks!

1) For wolfSSL when using a TPM private key for TLS you need to extract the public key and pass it to the `wolfSSL_CTX_use_PrivateKey_*` function. The TLS examples were all updated recently to do this. See PR https://github.com/wolfSSL/wolfTPM/pull/210
The use_PrivateKey functions support variations to allow using a file or buffer as PEM or DER.

2) The crypto callback requires registering a callback function (like wolfTPM2_CryptoDevCb) with a devId value. Then you use `wolfSSL_CTX_SetDevId` to tell the TLS layer and all internal keys to use the crypto callback.

Thanks,
David Garske, wolfSSL

This is my first post in this forum. The earliest post on tpm.dev went unanswered. I hope someone can help clarify here. My question is two-fold:

FIRST: I wish to have equivalent of the below function, but for TPM:

if (wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, WOLFSSL_FILETYPE_PEM)   != SSL_SUCCESS)
{
    // Turn off TLS
    return 0;
} 

Note: Here, KEY_FILE is a plain .crt text file on filesystem containing a private key. (This was used prior to TPM present on hardware).

SECOND: Regarding signing inside of TPM2 chip, I see i could use the following function:

/* [This is part of wolftpm2/tls/tls_server.c example:
* Private key only exists on the TPM and crypto callbacks are used for
* signing. Public key is required to enable TLS server auth.
* This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, buffer_size, WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) 
{
..
}

It seems for the above function to use TPM2, we need to enable Crypto-callback and TPM2 should take care of signing using the callback. The following are the Steps I followed:

1. Generated raw file using keygen tool in wolftpm/examples (I renamed it to keyblob.bin)
2. I imported this to TPM to receive a temporary TPM2 handle (which went OK).
3. I have a public certificate (named test.crt) which contains public key (signed using CSR by Certificate Authority). so, this public certificate corresponds to the CSR generated by TPM for this private key.
4. I have enabled the crypto-dev callbacks.

So, now I have the TPM2 handle and certificate file. How can i register to the above buffer function using these for signing operations? In code I did:

readKeyblob -> get the private key
wolftpm2_load -> get the handle for the key stored by TPM
wolfSSL_CTX_use_PrivateKey_buffer -> The parameters were (ctx, keyBlob.priv.buffer, sizeof(keyBlob.priv.size)

What am I doing wrong?