Topic: Signing using RSA attestation (restricted signing) key
In the examples (CSR, TLS) I discovered that the RSA key created for signing is both signing and decryption key, which per the TCG specification must not be restricted. When I tried using a restricted signing key instead (made using wolfTPM2_GetKeyTemplate_RSA_AIK), I got the "TPM2_RSA_Decrypt failed" error. I suspect this is because wolfSSL signs using the Decrypt operation. OpenSSL does the same. This means that (due to this hack) a restricted RSA signing key will not work for signing operations using wolfTPM/SSL (nor OpenSSL). Am I right?
The situation feels quite sad because the TCG TPM Provisioning Guidelines introduce various attestation and identity keys AIK/IDevID/LDevID, which are required to be restricted signing keys.