
openssl: Could not find private key of key from PK.key (TPM)

Open m00nwtchr opened this issue 1 year ago • 2 comments

I'm trying to integrate sbctl with systemd-measure, as it would be nice if I could re-use the sbctl keys to sign the PCR policy as well. However, currently I'm stuck on trying to read the tpm-shielded private Platform Key file using openssl:

# openssl pkey -provider tpm2 -provider base -in PK.key -pubout -out testkey.pub
Could not find private key of key from PK.key
809BB60538750000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:

I confirmed that this command works with keys I've generated myself, but I can't get it to work with the sbctl-created keys (except for normal file keys).

m00nwtchr, Nov 01 '24 15:11
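The issue above boils down to OpenSSL's store loader not recognising the key file for the provider it was given. The following helper, added here as an example and not taken from sbctl, tpm2-openssl or the issue, inspects the PEM label first and only then chooses the providers: TPM 2.0 key files written by tpm2-openssl and openssl_tpm2_engine carry the label `TSS2 PRIVATE KEY`, while software keys carry the usual `PRIVATE KEY` labels. The function names (`key_kind`, `provider_args`, `extract_pubkey`), the sample file names and the tiny sample PEM bodies are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the issue or of sbctl): classify a PEM key file
# by its label and pick the OpenSSL providers to load before calling
# `openssl pkey ... -pubout`.

# key_kind FILE
#   prints "tss2"    for a TPM 2.0 key file (PEM label "TSS2 PRIVATE KEY",
#                    the format tpm2-openssl and openssl_tpm2_engine decode)
#   prints "file"    for an ordinary software key (PKCS#8, RSA, EC, encrypted)
#   prints "unknown" for anything else
key_kind() {
    if grep -q 'BEGIN TSS2 PRIVATE KEY' "$1"; then
        echo tss2
    elif grep -qE 'BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY' "$1"; then
        echo file
    else
        echo unknown
    fi
}

# provider_args KIND
#   prints the -provider options matching the key kind; the tpm2 provider
#   needs the base provider alongside it for PEM/DER decoding
provider_args() {
    case "$1" in
        tss2) echo "-provider tpm2 -provider base" ;;
        file) echo "-provider default" ;;
        *)    return 1 ;;
    esac
}

# extract_pubkey KEYFILE OUTFILE
#   runs openssl pkey with the providers chosen for the key file; refuses
#   files whose label it does not recognise instead of letting the provider
#   fail with "Could not find private key of key from ..."
extract_pubkey() {
    kind=$(key_kind "$1")
    args=$(provider_args "$kind") || {
        echo "extract_pubkey: unrecognised key format in $1 (kind=$kind)" >&2
        return 2
    }
    # $args is intentionally unquoted so the options split into words
    # shellcheck disable=SC2086
    openssl pkey $args -in "$1" -pubout -out "$2"
}

# Usage when run directly (e.g. ./keykind.sh PK.key PK.pub); does nothing
# when the file is only sourced for its functions.
if [ -n "${1:-}" ]; then
    extract_pubkey "$1" "${2:-${1%.key}.pub}"
fi
```

If `key_kind` reports `tss2` and `openssl pkey -provider tpm2 -provider base` still prints the store error from the issue, the file is labelled as a TPM key but the loaded provider does not decode its contents, which is the situation the linked tpm2-openssl issue discusses; if it reports `unknown`, the key was not written in a PEM format either provider understands.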

Probably this issue here: https://github.com/tpm2-software/tpm2-openssl/issues/120

Foxboron, Nov 01 '24 15:11

If you simply need a tpm2 provider then the (slightly misnamed) openssl_tpm2_engine should give you one that supports almost all of the spec:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

It's also built by openSUSE if you need rpms:

https://build.opensuse.org/package/show/security:tls/openssl_tpm2_engine

jejb, Sep 23 '25 16:09