Using a TPM to sign CSRs


Using a TPM to sign CSRs

Kaarthik Sivakumar

Hello

I need to create a key pair using a TPM (proprietary) and build a CSR and sign it using the TPM as well. Currently I don't have an engine interface to talk to the TPM. I do the following:

1. generate key pair in the TPM. private key is kept private in the TPM and public key can be obtained out of the TPM

2. use the public key to generate a CSR (X509_REQ_init(), etc)

3. Get the hash of the CSR (X509_REQ_digest())

4. Pass the digest to the TPM and get back signature

5. Add signature to the CSR - I don't see any way to do this. Is there an openssl API to perform this step? I don't think I can use X509_REQ_sign() since that will use the private key provided or if I have an engine interface then it will call the engine to do the signing. Is there a way to call sign() and make it call my function that can do the step 4 above?

Thanks!


-kaarthik-


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Using a TPM to sign CSRs

William Roberts
On Tue, Jul 24, 2018 at 4:18 AM, Kaarthik Sivakumar
<[hidden email]> wrote:
> Hello
>
> I need to create a key pair using a TPM (proprietary) and build a CSR and

What TPM Version?

If it's TPM 2.0, a new Engine project has emerged here:
https://github.com/tpm2-software/tpm2-tss-engine

This might be able to handle just calling the create CSR routine. I
know back-in-the-day the OpenSC engine with a PIV card could do it.

You can try to get ahold of the maintainer of that project (Andreas) through
a direct email or the project mailing list:
  - https://lists.01.org/mailman/listinfo/tpm2


Re: Using a TPM to sign CSRs

Kaarthik Sivakumar

On 25/07/18 20:58, William Roberts wrote:
> On Tue, Jul 24, 2018 at 4:18 AM, Kaarthik Sivakumar
> [hidden email] wrote:
>> Hello
>>
>> I need to create a key pair using a TPM (proprietary) and build a CSR and
> What TPM Version?
>
> If it's TPM 2.0, a new Engine project has emerged here:
> https://github.com/tpm2-software/tpm2-tss-engine

Yep 2.0.

> This might be able to handle just calling the create CSR routine. I
> know back-in-the-day the OpenSC engine with a PIV card could do it.
>
> You can try to get ahold of the maintainer of that project (Andreas) through
> a direct email or the project mailing list:
>   - https://lists.01.org/mailman/listinfo/tpm2

Ok, thanks for the info.

-kaarthik-


Re: Using a TPM to sign CSRs

Devang Kubavat-2
In reply to this post by Kaarthik Sivakumar
Hi Kaarthik,

Please refer to https://github.com/ThomasHabets/openssl-tpm-engine. It is an OpenSSL TPM Engine. It will help to offload all crypto operations to the TPM.

Regards,
Devang.


Re: Using a TPM to sign CSRs

William Roberts


On Sat, Jul 28, 2018, 09:13 Devang Kubavat <[hidden email]> wrote:
> Hi Kaarthik,
>
> Please refer to https://github.com/ThomasHabets/openssl-tpm-engine. It is an OpenSSL TPM Engine. It will help to offload all crypto operations to the TPM.

Is this for tpm2.0?

