> Private keys generated inside a TPM cannot leave the TPM unless properly
> migrated to another TPM. It's part of the TPM's design philosophy.
Yes, my only theory was to emulate a virtual TPM, generate the destination key and then get the real TPM to generate the migration package. Because I generated the destination key I (or the virtual TPM emulator) can also decrypt the migration package and hence get access to the original key. Similarly, I could just get a new free certificate, except either way defeats the purpose of having stronger security from a TPM.

> The other thing I am curious about is the contents of the certificate you
> obtained from the CA. Can you convert the binary base64 encoding to text
> format and post it?

The web page that I pick up the certificate from had some ECMAScript that loaded the following data; I think it is a PKCS#7 certificate, presumably the signed public key?? (with the private key remaining in the TPM). I can't use the key now anyway (from Thunderbird), so currently it is useless.

> Do you know by the way if you are using the Infineon TPM Professional
> Package? It seems that they provide the implementation of the CSP provider

As per the original email the relevant PKCS#11 module DLL is IfxTpmCk.dll, "TPM Cryptoki Provider", version 2.50.771.0. The Infineon software came pre-loaded on the laptop and the readme identifies it as "Infineon TPM Professional Package V2.5".

> and the PKCS#11 module. Among the applications supporting this product that
> they list is MS Outlook.

It is listed as integrating with "Netscape Communicator 7.2 and 4.79" (as well as Outlook). Note that Outlook seems to be able to access the certificate (it shows up) and sign an email (provided the From address is set correctly). I presume it passes whatever it needs to the TPM (via PKCS#11) and gets back the signed bit (the private key staying in the TPM).
The main issue seems to be that Thunderbird doesn't see the certificate in the first place (in the list). For the original "shy" problem, someone suggested that the public cert may be in the MS cert store with only the private key in the TPM, and that one solution would be to manually put the public key into Thunderbird. It would then show up in the list, and Thunderbird would know to pass to the TPM for the actual signing?? I tried exporting the public cert from the MS cert store. Loading via the TB interface it came up under 'other people's certs', so I was trying to use NSS to get it into the main cert store yet linked to the private key in the TPM.

- Sly

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Djalaliev
Sent: Saturday, 31 March 2007 13:27
To: [email protected]

> > I am suffering from what appears to be the same problem in "My shy
> > certificate" from a few months ago:
> > http://groups.google.com/group/mozilla.dev.tech.crypto/browse_frm/thread/a5e85bc3678e6/24737c620481ede7?lnk=st&q=&rnum=1
> >
> > I have an email certificate in my TPM, however it does not show up in the
> > certificate list in Thunderbird.
> >
> > Unfortunately, I can not use the solution from the original message as I
> > originally created the certificate in the TPM (I was using MSIE7 and
> > selected the TPM as the CSP to install into), and it looks like the private
> > key is stuck in the TPM and I can't get it out (short of) migrating to
> > another TPM).

Hm, I am not familiar with the Windows implementation of the TPM as a PKCS#11 module. Particularly, I am curious about which part of the TPM API MSIE7 uses to generate the public/private key pair. However, this is probably a closed source product...

The other thing I am curious about is the contents of the certificate you obtained from the CA. Can you convert the binary base64 encoding to text format and post it?
Do you know by the way if you are using the Infineon TPM Professional Package? It seems that they provide the implementation of the CSP provider and the PKCS#11 module. Among the applications supporting this product that they list is MS Outlook.

Peter

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
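Peter's request to turn the base64 PKCS#7 blob from the CA into readable text, worked through as an added example (not code from the thread): it builds a constructed sample bundle with the openssl CLI, then decodes a base64 PKCS#7 blob into PEM certificates, lists their subjects, and checks that the bundle carries certificates only, which is what you expect when the private key stays in the TPM. The subject "sample-tpm-user" and the temporary files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: decode a base64 PKCS#7 blob (the kind a
# CA enrollment page hands back) into readable certificate text with openssl.
# The sample blob is constructed here from a throwaway self-signed certificate;
# "sample-tpm-user" is a made-up subject.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed sample: one self-signed cert wrapped in a DER PKCS#7
# bundle (crl2pkcs7 -nocrl gives a cert-only bundle), base64 on a single line.
make_sample_p7b64() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sample-tpm-user" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" \
    -outform DER -out "$WORK/bundle.p7b"
  openssl base64 -A -in "$WORK/bundle.p7b"
}

# Decode base64 PKCS#7 from stdin and emit the certificates it carries as PEM,
# each preceded by its subject= and issuer= lines.
p7_to_pem() {
  openssl base64 -d -A | openssl pkcs7 -inform DER -print_certs
}

# Number of certificates in the blob (a CA bundle often carries the chain too).
p7_cert_count() {
  p7_to_pem | grep -c 'BEGIN CERTIFICATE'
}

# The subject of each certificate, one per line.
p7_subjects() {
  p7_to_pem | grep '^subject='
}

# Succeeds only if the blob holds no private key material: a PKCS#7 from a CA
# should never carry one, and with a TPM-resident key it cannot.
p7_has_no_private_key() {
  if p7_to_pem | grep -q 'PRIVATE KEY'; then return 1; fi
  return 0
}

# Run with "demo" to print the subjects and the first certificate's text.
if [ "${1:-}" = "demo" ]; then
  blob=$(make_sample_p7b64)
  printf '%s' "$blob" | p7_subjects
  printf '%s' "$blob" | p7_to_pem | openssl x509 -noout -text | head -20
fi
```

The same pipeline applied to the blob the CA page delivered shows whether it is a single end-entity certificate or a whole chain, and `openssl x509 -text` on the first certificate shows the key usage bits Thunderbird will evaluate.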

