Request for CSR generation examples using C API #26
Comments
|
Yeah, I may add one or two C examples, but the code is exactly the same as for generating a "standard" CSR, except you have to load the providers first. |
|
Thank you for the prompt reply! And I still have some questions: (1) In addition to loading tpm provder first, do I have to explicitly associate the loaded provider with the comming openssl operations for csr generation? |
|
In detail, if I already obtained an AK handle after createak gets called, what's the proper way to generate csr with such an AK handle using openssl API. The example is about private key outside of TPM |
|
The openssl 3.0 has Concerning the key path: when the TPM provider is loaded the |
|
Thank you! Then the property order to generate csr would be as the following:
Is that correct? |
|
Yes, this looks good to me. |
Sincere appreciation, have a nice day:) |
|
If it doesn't work as expected, just let me know. I will keep this issue open until I write some more C examples. |
|
Sure, I will. |
|
From your proposal, I had a line of "FILE *fp = fopen("handle:0x81110003", "r");" where 0x81110003 is an existing key handle retrieved from "tpm2_getcap handles-persistent". Out of expectation, the fp results in a NULL pointer. Could you help to confirm it's the proper way to load key into EVP_PKEY object? |
|
Oops, sorry. You cannot use the standard |
|
Oh, I see. It uses a while loop to consistently output he data read from the store. But if I tried with OSSL_STORE_INFO_get0_PKEY and return a EVP_PKEY object, do I still need the while loop? If so, how do I get the ultimate EVP_PKEY object considering the temporary EVP_PKEY object inside each iteration? |
I remote the while loop since from my purpose is to get the exact one key, and that seems to succeed. |
|
The |
|
So the EVP_PKEY loading code should looks as follows: EVP_PKEY *pub_key = NULL; Does it follow the expectation? |
|
Plus on the beginning: and at the end plus you should probably handle the errors, i.e. call |
|
Thanks! |
|
Hi @gotthardp, I was getting to programmatically to generate csr using tpm2-openssl. Now I'm getting error from OSSL_STORE_load, and from the stack the culprit seems to be this line of code: https://github.com/openssl/openssl/blob/89cd17a031e022211684eb7eb41190cf1910f9fa/crypto/store/store_result.c#L209 The provider retrieved from keymgmt is not the one loaded from OSSL_STORE_LOAD. Since the key used for signing CSR creates before OSSL_STORE_LOAD, does it mean I have to follow such an order, aka OSSL_STORE_LOAD ==> Generate TPM key ==> Generate CSR with OpenSSL? Also I've tested against the mentioned order, and the application failed on key generation, specifically tpm2_createprimary. Look forward to your insignts, thank you |
|
Here's my code snippet: if ((ctx = OSSL_STORE_open(tpm_key_path.c_str(), nullptr, nullptr, nullptr, nullptr)) == nullptr) { while (!OSSL_STORE_eof(ctx)) { |
|
The aforementioned issues gets resolved by creating my own specific context (aka OSSL_LIB_CTX). Loading provider as well as opening store with such a context, then the OSSL_STORE_load returns success. I took some time to see why the provider check on store_result.c:199 not work as expected by stepping into openssl code, although failed to achieved much progress. Anyway thanks for your help, and I think this issue could be closed. |
Hi,
Could you add a C API that instructs the way of CSR generation using TPM provider even though there's an existing one in openssl executable?
The text was updated successfully, but these errors were encountered: