Reputation: 51
How to verify TPM-generated signatures with OpenSSL?
I'm working with a Trusted Platform Module (TPM) and need to generate a Signing Key (SK) that can be proven to reside within the same TPM as the Attestation Identity Key (AIK). My goal is to enable a server, which does not have a TPM, to verify that the SK originated from my TPM using OpenSSL. Here's what I have accomplished so far:
sudo tpm2_createek -c ek.ctx -G rsa -u ek.pub -P 123
sudo tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub -n ak.name -P 123
sudo tpm2_load -C ek.ctx -u ak.pub -r ak.priv -n ak.name -c ak.ctx
sudo tpm2_createprimary -C o -c primary.ctx -G rsa -P 123
sudo tpm2_create -C primary.ctx -G rsa -u sk.pub -r sk.priv -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth"
sudo tpm2_load -C primary.ctx -u sk.pub -r sk.priv -n sk.name -c sk.ctx
sudo tpm2_certify -C ak.ctx -c sk.ctx -g sha256 -o certify.signature -f plain
After generating the signature, I attempted to verify it using OpenSSL with the following command:
openssl dgst -sha256 -verify ak.pub -signature certify.signature sk.pub
Verification Failure
The certify.signature file is a binary file and I suspect it contains more than just the signature (likely it includes TPM structures). How can I extract just the raw signature from this binary file in a format that OpenSSL can verify?
Any help on how to correctly verify the TPM-generated signature using OpenSSL would be greatly appreciated.
Upvotes: 0
Views: 943
Answers (1)
Reputation: 851
I currently cannot reproduce your problem, but the following should help. Essentially tpm2_readpublic can give you a PEM-formatted key, which seems to be what you need, here.
From the tpm2-tools integration tests:
tpm2 createprimary -Q -C e -g sha256 -G rsa -c primary.ctx -p signedpass
tpm2 create -Q -g sha256 -G rsa:rsassa -u certify.pub -r certify.priv \
-C primary.ctx -P signedpass -p certifypass
tpm2 load -Q -C primary.ctx -P signedpass -u certify.pub -r certify.priv \
-n certify.name -c certify.ctx
tpm2 certify \
-c primary.ctx -P signedpass \
-C certify.ctx -p certifypass \
-g sha256 -o attest.out -f plain -s sig.out
# Verify the signatures with openssl
tpm2 readpublic -Q -c certify.ctx -f pem -o certify.pem
openssl dgst -verify certify.pem -keyform pem -sha256 \
-signature sig.out attest.out
Upvotes: 1
Related Questions
- How to create ECC public key in OpenSSL's "EVP_PKEY" format from the TPM-specific "TPMT_PUBLIC" data structure?
- How to encrypt bytes using the TPM (Trusted Platform Module)
- OpenSSL - Proper RSA Signature Generation and Verification
- Sign a file and verify with OpenSSL
- Verify Java Signature Class Signature With OpenSSL
- Verifying SHA256 signature with OpenSSL in Delphi fails
- How to use result of CryptSignMessage with OpenSSL to verify digital sign