
Error when trying to Create a CSR Signed by a Key that has both a Password and Parent Password

Open 13ajay opened this issue 1 year ago • 0 comments

Hi, I'm trying to create a CSR that's signed by a key that has both a password and a parent password, but I'm running into issues. I'm using swtpm on my machine, but I don't believe this should work with a hardware TPM either. Here are the steps that I'm taking (mostly copied and slightly modified from scripts within tests):

# First, create a primary key with a password
tpm2_createprimary -G rsa -g sha256 -p123 -c parent.ctx

# Next, make the handle persistent and save the handle
HANDLE=$(tpm2_evictcontrol -c parent.ctx | cut -d ' ' -f 2 | head -n 1)

# Next, generate a child key with a password, which will be used to sign the CSR
openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -pkeyopt parent:${HANDLE} -pkeyopt parent-auth:123 -pkeyopt user-auth:1234 -out client-key.pem

# And lastly, attempt to create a CSR using that private key file
openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' -new -key client-key.pem -out client-csr.pem -subj '/C=US/ST=Michigan/O=WanderWriter/OU=WanderWriter Certificate Authority/CN=WanderWriter Root CA'

I'm able to get all of the above steps to work other than the last one. When I run the last command, I get the following error:

WARNING:esys:src/tss2-esys/api/Esys_Load.c:327:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:115:Esys_Load() Esys Finish ErrorCode (0x0000098e)
Could not read private key from client-key.pem
40D76D0D577B0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:

I tried to supply the parent key password through the environment (TPM2OPENSSL_PARENT_AUTH) to see if that would fix things, but it didn't seem to work either.

If it's helpful, I'm running these commands on an Ubuntu machine, and I installed tpm2-openssl and its dependencies through apt:

libtss2-tcti-tabrmd0 is already the newest version (2.4.0-1).
tpm2-abrmd is already the newest version (2.4.0-1).
tpm2-tools is already the newest version (5.2-1build1).
tpm2-openssl is already the newest version (1.0.1-1ubuntu0.1).

I'm also able to create a CSR without issue when only the child key has a password and not the parent. When I request the CSR, I'm prompted for the child key password so that signing can take place.

Are there any suggestions on how I can get around this? Thanks.

13ajay, Sep 12 '24 18:09
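The `Esys Finish ErrorCode (0x0000098e)` in the log above is a raw TPM 2.0 response code, and its meaning is the key diagnostic: the layer byte is 0 (the TPM itself, not the TSS), bit 7 marks a format-one code, the low six bits (0x0e) are TPM_RC_AUTH_FAIL, and bit 11 with index 1 attributes it to authorization session 1 of the failing command, here Esys_Load. So the TPM rejected the parent's authorization at load time, and every such failure increments the dictionary-attack counter, so repeated retries can end in TPM_RC_LOCKOUT (0x921). The decoder below is an added example, not code from the issue or from tpm2-openssl; it reproduces the response-code layout from the TPM 2.0 Library Part 2 and tabulates only a subset of the TPM_RC constants (the table contents are assumed from the specification).

```python
"""Decode TPM 2.0 response codes such as 0x0000098e (TPM 2.0 Library Part 2 layout).

Added example, not part of the tpm2-openssl project. Only a subset of TPM_RC
constants is tabulated; unknown numbers are reported by their raw value.
"""

RC_FMT1 = 0x080  # bit 7: format-one code, qualified by a parameter/handle/session index
RC_VER1 = 0x100  # bit 8 of a format-zero code: TPM 2.0-defined error
RC_WARN = 0x800  # bit 11 of a format-zero code: warning rather than error

# Format-one error numbers (low six bits), assumed from TPM 2.0 Part 2, TPM_RC constants.
FMT1_ERRORS = {
    0x01: ("TPM_RC_ASYMMETRIC", "asymmetric algorithm not supported or not correct"),
    0x02: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x03: ("TPM_RC_HASH", "hash algorithm not supported or not appropriate"),
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x05: ("TPM_RC_HIERARCHY", "hierarchy is not enabled or is not correct for the use"),
    0x0B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x0E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x15: ("TPM_RC_SIZE", "structure is the wrong size"),
    0x1B: ("TPM_RC_SIGNATURE", "the signature is not valid"),
    0x1C: ("TPM_RC_KEY", "key fields are not compatible with the selected use"),
    0x1D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x1F: ("TPM_RC_INTEGRITY", "integrity check failed"),
    0x22: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}

# Format-zero codes (bits 11, 8 and 6:0 significant), same source, same caveat.
FMT0_CODES = {
    0x100: ("TPM_RC_INITIALIZE", "TPM not initialized by TPM2_Startup or already initialized"),
    0x101: ("TPM_RC_FAILURE", "commands not being accepted because of a TPM failure"),
    0x921: ("TPM_RC_LOCKOUT", "authorizations for DA-protected objects are not allowed: "
                              "the TPM is in DA lockout mode"),
    0x922: ("TPM_RC_RETRY", "the TPM was not able to start the command"),
}


def decode_rc(rc: int) -> dict:
    """Return a dict describing a 32-bit TSS2_RC / TPM_RC value."""
    rc &= 0xFFFFFFFF
    layer = (rc >> 16) & 0xFF   # TSS2 layer byte; 0 means the code came from the TPM
    code = rc & 0xFFFF
    result = {"rc": rc, "layer": layer, "subject": "", "da_counter_incremented": False}

    if rc == 0:
        result.update(name="TPM_RC_SUCCESS", desc="success")
        return result
    if layer != 0:
        # Non-zero layers are TSS-internal (ESAPI, SAPI, TCTI, RM ...) errors, not TPM codes.
        result.update(name=f"TSS2_RC layer {layer}", desc=f"TSS layer error 0x{code:04x}")
        return result

    if code & RC_FMT1:
        err = code & 0x3F              # bits 5:0: error number
        idx = (code >> 8) & 0x7        # bits 10:8: parameter/handle/session index
        if code & 0x40:                # bit 6 (P): index refers to a parameter
            subject = f"parameter({idx})"
        elif code & 0x800:             # bit 11 (with P clear): index refers to a session
            subject = f"session({idx})"
        else:                          # otherwise it refers to a handle
            subject = f"handle({idx})"
        name, desc = FMT1_ERRORS.get(err, (f"TPM_RC_FMT1+0x{err:02x}", "unlisted format-one error"))
        result.update(name=name, desc=desc, subject=subject,
                      da_counter_incremented=(err == 0x0E))
        return result

    key = code & (RC_WARN | RC_VER1 | 0x7F)   # drop vendor bit 10 for the lookup
    name, desc = FMT0_CODES.get(key, (f"TPM_RC_FMT0+0x{key:03x}", "unlisted format-zero code"))
    result.update(name=name, desc=desc,
                  subject="warn" if code & RC_WARN else "error")
    return result


def format_rc(rc: int) -> str:
    """Render in the 'tpm:<subject>:<description>' style used by tpm2_rc_decode."""
    d = decode_rc(rc)
    return f"tpm:{d['subject']}:{d['desc']}" if d["layer"] == 0 and d["subject"] else d["desc"]


if __name__ == "__main__":
    for rc in (0x0000098E, 0x9A2, 0x1C4, 0x921):
        print(f"0x{rc:08x} {decode_rc(rc)['name']:<20} {format_rc(rc)}")
```

Running it on the code from the issue prints `tpm:session(1):the authorization HMAC check failed and DA counter incremented`; the neighbouring 0x9a2 (TPM_RC_BAD_AUTH) is the variant that does not touch the DA counter, which is why the distinction matters when retrying with different parent passwords against a hardware TPM.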