
Cannot export externally created private key and then import it again #101

Open
Tyrrx opened this issue Dec 19, 2023 · 4 comments

Comments


Tyrrx commented Dec 19, 2023

Hi, I am trying to import the externally created private key of a certificate into the TPM, then export it as TSS2 and re-import it again, but this does not work.

What I did first was import the external key using the tpm-tools:

parent=0x81000000
idevid=0x81000001

tpm2_createprimary -c tpm/primary.ctx 
tpm2_evictcontrol -c tpm/primary.ctx $parent

tpm2_import -C tpm/primary.ctx -G ecc -i idevid/idevid.key.pem -u tpm/idevid.pub -r tpm/idevid.priv --passin pass:mypw
tpm2_load -C $parent -u tpm/idevid.pub -r tpm/idevid.priv -c tpm/idevid.ctx
tpm2_evictcontrol -c tpm/idevid.ctx -o tpm/idevid.hdl $idevid

I was able to use the private key to e.g. create an mTLS session using the URI object:tpm/idevid.hdl with the OSSL provider API.

Then I tried to export the private key via an encoder, which gave me a TSS2 private key file that looked fine at first glance.
But when I tried to load the private key from the previously exported TSS2 file, I got the following error:

WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001d5) 

After that, I tried not to persist the imported key by using:

tpm2_createprimary -c tpm/primary.ctx 

tpm2_import -C tpm/primary.ctx -G ecc -i idevid/idevid.key.pem -u tpm/idevid.pub -r tpm/idevid.priv --passin pass:mypw
tpm2_encodeobject -C tpm/primary.ctx  -u tpm/idevid.pub -r tpm/idevid.priv -o tpm/idevid.tss

And then used the TSS2 file created by the tpm-tools, but then I get the error:

WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 

Also running:

tpm2_loadexternal -r tpm/idevid.tss -c tpm/idevid.ctx
tpm2_evictcontrol -c tpm/idevid.ctx -o tpm/idevid.hdl $idevid

Gave me the error:

WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x00000282) 
ERROR: Esys_EvictControl(0x282) - tpm:handle(2):inconsistent attributes
ERROR: Unable to run tpm2_evictcontrol

So my question: what am I doing wrong here, or is this even possible?

Another thing that confuses me: when I created a new key using the TPM provider, everything just worked. I was able to export it as TSS2 and import it again without any issues.
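The three Esys error codes quoted in this issue can be read off bit by bit. The decoder below is an added example for this thread, not code from tpm2-openssl or tpm2-tss (tpm2-tss ships Tss2_RC_Decode for the same job); the bit layout and the TPM_RC_* names follow the TPM 2.0 Library specification Part 2, and the lookup tables are a subset I selected, so an unlisted number is printed in hex rather than named.

```python
"""TPM 2.0 response-code decoder (added example for this thread, not
tpm2-openssl or tpm2-tss code). Bit layout follows TPM 2.0 Library Part 2,
section 6.6: format-1 codes (bit 7 set) blame a specific handle, parameter
or session; format-0 codes (bit 7 clear) carry only an error number."""

# Format-1 error numbers (low 6 bits), a subset of the TPM_RC table.
FMT1 = {
    0x01: "ASYMMETRIC", 0x02: "ATTRIBUTES", 0x03: "HASH", 0x04: "VALUE",
    0x05: "HIERARCHY", 0x07: "KEY_SIZE", 0x0A: "TYPE", 0x0B: "HANDLE",
    0x0E: "AUTH_FAIL", 0x15: "SIZE", 0x1C: "KEY", 0x1D: "POLICY_FAIL",
    0x1F: "INTEGRITY", 0x22: "BAD_AUTH", 0x26: "CURVE", 0x27: "ECC_POINT",
}
# Format-0 error numbers (low 7 bits), a subset seen when loading objects.
FMT0 = {
    0x01: "FAILURE", 0x03: "SEQUENCE", 0x0B: "PRIVATE", 0x19: "HMAC",
    0x20: "DISABLED", 0x26: "POLICY", 0x27: "PCR", 0x2E: "TOO_MANY_CONTEXTS",
    0x52: "PARENT", 0x55: "SENSITIVE",
}

def decode_rc(rc: int) -> dict:
    """Split a TPM_RC into its fields; 'subject' names the blamed operand."""
    if rc >> 16:                      # bits 16..23 are a TSS layer, not the TPM
        return {"format": "tss", "layer": rc >> 16, "code": rc & 0xFFFF}
    if rc & 0x80:                     # format 1
        err = rc & 0x3F
        idx = (rc >> 8) & 0xF         # 1-based handle/parameter/session index
        if rc & 0x40:                 # P bit: a parameter is at fault
            subject = f"parameter({idx})"
        elif idx & 0x8:               # bit 11 set: a session is at fault
            subject = f"session({idx & 0x7})"
        else:
            subject = f"handle({idx})"
        return {"format": 1, "subject": subject,
                "error": FMT1.get(err, f"0x{err:02x}")}
    err = rc & 0x7F                   # format 0
    return {"format": 0, "tpm2": bool(rc & 0x100), "vendor": bool(rc & 0x400),
            "warning": bool(rc & 0x800), "error": FMT0.get(err, f"0x{err:02x}")}

def describe(rc: int) -> str:
    """Render a code in the same 'tpm:subject:error' shape tpm2-tools prints."""
    d = decode_rc(rc)
    if d["format"] == 1:
        return f"tpm:{d['subject']}:{d['error']}"
    if d["format"] == 0:
        return f"tpm:{'warn' if d['warning'] else 'error'}:{d['error']}"
    return f"tss:layer(0x{d['layer']:x}):0x{d['code']:04x}"

if __name__ == "__main__":
    # The three codes reported in this issue, as listed in the thread.
    for code in (0x1D5, 0x1DF, 0x282):
        print(f"0x{code:08x} -> {describe(code)}")
```

For the codes above this yields parameter(1):SIZE for 0x1d5 and parameter(1):INTEGRITY for 0x1df (parameter 1 of TPM2_Load is inPrivate), and handle(2):ATTRIBUTES for 0x282, which matches the "inconsistent attributes" line tpm2_evictcontrol printed.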

@gotthardp (Contributor) commented:

Hello. Please provide enough information so I can reproduce this issue.


Tyrrx commented Dec 19, 2023

@gotthardp I'm typing... :D I accidentally posted too early.


Tyrrx commented Dec 19, 2023

@gotthardp Now I added the description. Sorry for that.

Tyrrx changed the title from "Cannot export load exported tss3private" to "Cannot export externally created private key" on Dec 19, 2023.
Tyrrx changed the title from "Cannot export externally created private key" to "Cannot export externally created private key and then import it again" on Dec 19, 2023.

@Danigaralfo commented:

Hello. @Tyrrx did you find any solution? Having the same issue with an Apache server here.
