tpm2-pkcs11
tpm2-pkcs11 copied to clipboard
ECDSA-SECP256R1 signature failure with openssl
Hi,
I'm getting issue while using EC/ECDSA certificate generation with TPM-PKCS11 and signing with openssl
TPM generated key
Type: Private key (EC/ECDSA-SECP256R1)
Label: greenkey
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 33:64:33:31:31:31:38:33:66:61:30:64:65:38:66:65
RootCA generated by openssl for verifying TPM generated Device Certficate
openssl ecparam -name secp256k1 -genkey -noout -out rootCA.key
Getting Signature check failure
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256
failed:Signature did not match the certificate request
`I have checked with
`openssl ecparam -list_curves … secp192k1 : SECG curve over a 192 bit prime field secp224k1 : SECG curve over a 224 bit prime field secp224r1 : NIST/SECG curve over a 224 bit prime field secp256k1 : SECG curve over a 256 bit prime field secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field …
“secp256k1” is supported in openssl but not “secp256r1”. The later is standardized and required by tpm2-pkcs11 as it supports RSA 2048-bit keys and ECDSA P-256 keys. Is it not supported in OpenSSL 1.1.1b ? Why “secp256k1” instead of “secp256r1”?
help will be appreciated.
Regards, kaushendra sah
per https://stackoverflow.com/questions/41950056/openssl1-1-0-b-is-not-support-secp256r1openssl-ecparam-list-curves is prime256v1.
Bu theirs definitely some other issue here with the error failed:Signature did not match the certificate request
. You can look at tests/integration/tls-tests.sh for examples on how to do CSR generation.
Hi @williamcroberts
I have tried with prime256v1 also please see thread
i'm getting the same failed:Signature did not match the certificate request
I'f you could help me with some reference with ecc implementation on specific openssl,pksc11,opensc version it will be a great help
Thanks, kaushendra
That just seems like a mismatch between the public key and private key used to sign. We have scripts that do this in full as I pointed out, and we have all of our docker containers publicly available for use, that test multiple versions. If you can share your script in full so I can run it, I can probably find the error; otherwise, I am debugging your code blind, which is hard.
Hi @williamcroberts
Steps i followed is provided in mentinoed link please refer key and certificate generation using PKCS on TPM2.0
In above link i have been asked to used below checkout version only
cd tpm2-pkcs11/ git checkout a82d0709c97c88cc2e457ba111b6f51f21c22260
Then i'm following section in provided link to generate "Device.csr" this could generate both RSA-2048 and ECDSA-SECP256R1 type keys
Using the PKCS11 Provider for AWS IoT Greengrass hardware security
Type: Private key (EC/ECDSA-SECP256R1) Label: greenkey Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; ID: 33:64:33:31:31:31:38:33:66:61:30:64:65:38:66:65
After that i followed RootCA Certificate generation and signing with openssl ROOTCA
openssl ecparam -name prime256v1 -genkey -noout -out rootCA.key openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Now during signing Device certificate (Device.csr) with rootCA.pem --sign TPM generated device certificate with register RootCA
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256
I'm getting signature Failure
failed:Signature did not match the certificate request
Same process with RSA-2048 i'm able to do the same process sucessfully,but getting failed with ECDSA
If you could help me at this mentioned issue it would be appreciating.
Thanks, kaushendra
Yeah but that write up is super old and IRC before I had proper EC support. Try off of 1.3.2 and if still doesn't work, then master. If it still doesn't work, post a Then post a script that I can run as a test case.
Hi, you can find a bit more recent version of the write up here https://github.com/Infineon/amazon-greengrass-hsi-optiga-tpm Peter
@kaushendra did you ever get this working?