tpm2-software/tpm2-tss

Create private key in TPM and use it without password prompt

Opened this issue · 3 comments

Expected Behavior
I want to start an openssl server with the tpm2tss engine that uses a private key stored in the TPM without a password prompt.
Hint: The prompt should have been suppressed by: Enable emptyAuth detection for noda persistent keys #55
Could you please tell me how I should create a key so that the tpm2tss engine does not prompt for a password?

Test
I have created the key with NODA and stored it in the TPM under handle 0x81010101:
tpm2_create -C primary.ctx -G rsa -u key.pub -r key.priv -a "decrypt|sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"

With the tpm2tss engine, the server starts and asks for a password:
openssl s_server -cert secrets/localhost.crt -key 0x81010101 -keyform engine -engine tpm2tss -accept 4443

For comparison, with the tpm2 provider the server starts without a prompt:
openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key handle:0x81010101 -cert secrets/localhost.crt

Context
gRPC supports OpenSSL engines only, and a password prompt is not implemented in the gRPC code.

According to

https://github.com/tpm2-software/tpm2-tss-engine/blob/3d010240b5afbabbf54c35d6c0f6e92ed0a0c0ea/src/tpm2-tss-engine-common.c#L250-L258

this should also be handled correctly for the tpm2-tss-engine.

No idea why this is not working for you here.

Could you call tpm2_readpublic on the persistent key handle just to double check?

Yes, I can execute tpm2_readpublic, but that is not the problem.
We could not execute openssl s_server without a password prompt.

We have found that the openssl s_server option -pass pass: helps to suppress the password prompt. The same must be supported by MQTT and gRPC, which run on top of openssl. We are trying this now with mosquitto ...

I still wonder why tpm2tss asks for a password where tpm2 does not.

The password prompt is suppressed with the option -pass pass:
So the following command works smoothly: openssl s_server -accept 443 -cert mycert.pem -key 0x81010001 -engine tpm2tss -keyform engine -pass pass:

But my original environment is gRPC, where I still do not know how to suppress the password prompt through the gRPC configuration.
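The maintainer's suggestion to double check the persistent key with tpm2_readpublic can be scripted. The following is an added example, not code from the issue or from tpm2-tss: it parses the "attributes:" block of tpm2_readpublic output and reports whether the noda and userwithauth bits the tpm2_create command above sets are actually present on the handle. The TPMA_OBJECT bit positions come from the TPM 2.0 Library specification; the embedded tpm2_readpublic output is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the issue or tpm2-tss): verify that a persistent
# key's TPMA_OBJECT attributes, as printed by tpm2_readpublic, include the
# bits the thread relies on (noda and userwithauth).

# TPMA_OBJECT bit positions (TPM 2.0 Library spec, Part 2).
ATTR_USERWITHAUTH=$((1 << 6))
ATTR_NODA=$((1 << 10))

# Read tpm2_readpublic output on stdin and print the raw attribute word
# (e.g. 0x60472); prints nothing if no "attributes:" block is found.
raw_attributes() {
  awk '/^attributes:/ { in_attr = 1; next }
       in_attr && /^[[:space:]]+raw:/ { print $2; exit }
       in_attr && /^[^[:space:]]/ { in_attr = 0 }'
}

# Succeed when every bit of $2 is set in the raw word $1.
has_bits() {
  [ $(( $1 & $2 )) -eq "$2" ]
}

# Print "ok" when noda and userwithauth are both set, otherwise list what
# is missing. Exit status: 0 ok, 1 missing bits, 2 unparsable input.
classify_key() {
  raw=$(raw_attributes)
  [ -n "$raw" ] || { echo "no attributes found"; return 2; }
  missing=""
  has_bits "$raw" "$ATTR_NODA" || missing="$missing noda"
  has_bits "$raw" "$ATTR_USERWITHAUTH" || missing="$missing userwithauth"
  if [ -z "$missing" ]; then echo "ok"; return 0; fi
  echo "missing:$missing"
  return 1
}

# Constructed sample of tpm2_readpublic output for a key created with the
# attribute string from the issue; 0x60472 is that attribute set as a word.
SAMPLE_NODA='name: 000b0123
qualified name: 000b4567
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|decrypt|sign
  raw: 0x60472
type:
  value: rsa
  raw: 0x1'

# Against a real handle: tpm2_readpublic -c 0x81010101 | classify_key
printf '%s\n' "$SAMPLE_NODA" | classify_key
```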