
TLS handshake fails when the server chain contains a certificate with a key the TPM does not support (0x000002c4 esys error) #113

@banatm

Description


Establishing a TLS session shows an issue with server chain verification if the tpm2 provider is used:

# openssl s_client -provider tpm2 -provider default -connect www.google.com:443

CONNECTED(00000008)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
WARNING:esys:../tpm2-tss-3.2.2/src/tss2-esys/api/Esys_LoadExternal.c:314:Esys_LoadExternal_Finish() Received TPM Error 
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002c4) 
depth=1 C = US, O = Google Trust Services, CN = WR2
verify error:num=7:certificate signature failure
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 13 07:36:13 2024 GMT; NotAfter: Aug  5 07:36:12 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---

Also mentioned in the Stack Overflow post tpm-2-0-based-tls-handshake-fails-against-rsa-4k-server-keys-out-of-range
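The log above only shows the raw ESAPI return value 0x000002c4 from Esys_LoadExternal, which is where the provider hands the certificate's public key to the TPM during chain verification. The first thing a practitioner wants is to know which argument the TPM rejected and why. The decoder below is an added example, not code from tpm2-openssl, tpm2-tss or the issue author; it follows the TPM_RC bit layout from the TPM 2.0 Library specification (Part 2) and the tpm2-tss convention that the upper byte pair of a TSS2_RC carries the error layer (layer 0 means the code came from the TPM itself). The error-name table is a subset of the spec's format-1 codes, and the parameter numbering for Esys_LoadExternal is taken from the TPM2_LoadExternal command definition (inPrivate, inPublic, hierarchy); both are assumptions stated here rather than facts from the page.

```python
# Decoder for TPM 2.0 response codes as surfaced by tpm2-tss (added example,
# not code from tpm2-openssl, tpm2-tss, or the issue author).
# Bit layout: TPM 2.0 Library Part 2, "TPM_RC" (subset of error names below).

ESYS_RC = 0x000002C4  # the value from the Esys_LoadExternal error line in the issue

TSS2_RC_LAYER_MASK = 0x00FF0000  # tpm2-tss layer field; 0 = code produced by the TPM itself
RC_FMT1 = 0x080                  # bit 7: format-1 code (refers to a parameter/handle/session)
RC_P = 0x040                     # bit 6: N (bits 8-11) numbers a parameter, else a handle/session
RC_S = 0x800                     # bit 11: when P is clear, N (bits 8-10) numbers a session
RC_N_MASK = 0xF00                # bits 8-11: parameter number
RC_VER1 = 0x100                  # format-0 only: TPM 2.0 ("version 1") code base
RC_WARN = 0x800                  # format-0 only: warning rather than error

# Format-1 error numbers (low 6 bits), TPM 2.0 Part 2; subset, assumed correct.
FMT1_ERRORS = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE",       # "value is out of range or is not correct for the context"
    0x05: "TPM_RC_HIERARCHY", 0x07: "TPM_RC_KEY_SIZE", 0x08: "TPM_RC_MGF",
    0x09: "TPM_RC_MODE", 0x0A: "TPM_RC_TYPE", 0x0B: "TPM_RC_HANDLE",
    0x0C: "TPM_RC_KDF", 0x0D: "TPM_RC_RANGE", 0x0E: "TPM_RC_AUTH_FAIL",
    0x0F: "TPM_RC_NONCE", 0x10: "TPM_RC_PP", 0x12: "TPM_RC_SCHEME",
    0x15: "TPM_RC_SIZE", 0x16: "TPM_RC_SYMMETRIC", 0x17: "TPM_RC_TAG",
    0x18: "TPM_RC_SELECTOR", 0x1A: "TPM_RC_INSUFFICIENT", 0x1B: "TPM_RC_SIGNATURE",
    0x1C: "TPM_RC_KEY", 0x1D: "TPM_RC_POLICY_FAIL", 0x1F: "TPM_RC_INTEGRITY",
    0x20: "TPM_RC_TICKET", 0x21: "TPM_RC_RESERVED_BITS", 0x22: "TPM_RC_BAD_AUTH",
    0x23: "TPM_RC_EXPIRED", 0x24: "TPM_RC_POLICY_CC", 0x25: "TPM_RC_BINDING",
    0x26: "TPM_RC_CURVE", 0x27: "TPM_RC_ECC_POINT",
}

# Parameter order of TPM2_LoadExternal (TPM 2.0 Part 3), assumed here so the
# decoded parameter number can be named. Handles/sessions are numbered separately.
LOAD_EXTERNAL_PARAMS = {1: "inPrivate", 2: "inPublic", 3: "hierarchy"}


def decode_rc(rc, params=None):
    """Split a tpm2-tss return code into layer, format, error and the thing it points at."""
    params = params or {}
    layer = (rc & TSS2_RC_LAYER_MASK) >> 16
    if layer != 0:
        # Not a TPM response: produced by ESAPI/SAPI/TCTI/marshaling layers.
        return {"layer": layer, "format": "tss", "raw": rc}
    code = rc & 0xFFFF
    if code & RC_FMT1:
        err = code & 0x3F
        out = {"layer": 0, "format": 1, "raw": rc,
               "error": FMT1_ERRORS.get(err, "RC_FMT1+0x%03x" % err)}
        if code & RC_P:
            n = (code & RC_N_MASK) >> 8
            out["parameter"] = n
            out["parameter_name"] = params.get(n)
        elif code & RC_S:
            out["session"] = (code >> 8) & 0x7
        else:
            out["handle"] = (code >> 8) & 0x7
        return out
    # Format 0: no parameter/handle reference; only the error number and flags.
    return {"layer": 0, "format": 0, "raw": rc, "error": code & 0x7F,
            "version1": bool(code & RC_VER1), "warning": bool(code & RC_WARN)}


def explain(rc, params=None):
    """One-line human-readable rendering of decode_rc()."""
    d = decode_rc(rc, params)
    if d["format"] != 1:
        return "0x%08x: layer %s, format %s, error 0x%02x" % (rc, d["layer"], d["format"], d.get("error", 0))
    if "parameter" in d:
        target = "parameter %d" % d["parameter"]
        if d["parameter_name"]:
            target += " (%s)" % d["parameter_name"]
    elif "session" in d:
        target = "session %d" % d["session"]
    else:
        target = "handle %d" % d["handle"]
    return "0x%08x: %s on %s" % (rc, d["error"], target)


if __name__ == "__main__":
    print(explain(ESYS_RC, LOAD_EXTERNAL_PARAMS))
```

For 0x000002c4 this decodes to TPM_RC_VALUE on parameter 2, which for TPM2_LoadExternal is the inPublic structure built from the certificate's public key; the same answer can be had from tpm2-tools with `tpm2_rc_decode 0x2c4`. The decoder also classifies handle- and session-referencing codes and non-TPM (TSS-layer) codes, so it is usable on any ESAPI error line, not just the one in this report.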
