You don't need access to TPM at all in order to verify the signature or
encrypt. Everything can be done by OpenSSL alone and you only require TPM to
sign and decrypt. I think even internally trousers uses OpenSSL when verifying
signatures. So, just treat the certificate signed with TPM engine as any other
certificate. Here is snippet from one of my libraries:
static gboolean
_verify (AkCryptoX509Ctx *ctx, X509 *cert, gchar *expected_subject_ou, gpointer
pub_key, gsize *pub_key_size)
{
gboolean ret = FALSE;
X509_STORE_CTX *store_ctx = NULL;
EVP_PKEY *evp_pkey;
RSA *rsa;
gint x;
gint crit;
gint ext_idx;
store_ctx = X509_STORE_CTX_new ();
if (!store_ctx) {
g_critical (G_STRLOC ": Failed to create a certificate store context.");
goto done;
}
if (!X509_STORE_CTX_init (store_ctx, ctx->x509_store, cert, 0)) {
g_critical (G_STRLOC ": Failed to initialize a certificate store context.");
goto done;
}
/* verify the certificate */
x = X509_verify_cert (store_ctx);
/* cleanup as soon as possible */
X509_STORE_CTX_cleanup (store_ctx);
if (x <= 0) {
g_critical (G_STRLOC ": %s", X509_verify_cert_error_string (store_ctx->error));
goto done;
}
...
after that point I verify specific certificate attributes but as certificate
validation concerns - you are done.
----- Original Message -----
> From: "eye two are" <[email protected]>
> To: [email protected]
> Sent: Tuesday, March 8, 2016 3:24:06 AM
> Subject: [TrouSerS-users] Verifying a signature using public key from
> X509 certificate
> I am trying to verify a signature using a public key from an X509
> certificate generated with the tpm engine.
> What i tried to do is to load the cert from the certificate file into
> a X509 type variable using PEM_read_bio_X509 and convert it into an
> EVP_PKEY type using X509_get_pubkey.
> How do i then convert the EVP_PKEY into a public key usable with the
> signature verification function Tspi_Hash_VerifySignature?
> This is what i am trying and it does not seem to be working:
> UINT32 convertPubKeyToByte(tpmArgs tpm, EVP_PKEY* pkey, BYTE**
> pkeyByte) {
> int modulusLen;
> int exponentLen;
> BYTE *modulus = malloc(256);
> BYTE *exponent = malloc(256);
> BYTE *pubKeyByte = NULL;
> RSA* rsa;
> TSS_HKEY hKey;
> TSS_FLAG initFlags;
> TSS_RESULT result;
> UINT32 pubKeySize;
> rsa = EVP_PKEY_get1_RSA(pkey);
> modulusLen = BN_bn2bin(rsa->n, (unsigned char*)modulus);
> exponentLen = BN_bn2bin(rsa->e, (unsigned char*)exponent);
> initFlags = TSS_KEY_TYPE_LEGACY |
> TSS_KEY_SIZE_2048 |
> TSS_KEY_NO_AUTHORIZATION |
> TSS_KEY_MIGRATABLE;
> result = Tspi_Context_CreateObject(tpm.hContext,
> TSS_OBJECT_TYPE_RSAKEY,
> initFlags,
> &hKey);
> DBG("Create key object", result);
> result = Tspi_SetAttribUint32(hKey,
> TSS_TSPATTRIB_KEY_INFO,
> TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
> PADDING_SCHEME);
> DBG("Set the key's padding type", result);
> result = Tspi_SetAttribData(hKey,
> TSS_TSPATTRIB_RSAKEY_INFO,
> TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT,
> exponentLen,
> exponent);
> DBG("Set public key exponent", result);
> result = Tspi_SetAttribData(hKey,
> TSS_TSPATTRIB_RSAKEY_INFO,
> TSS_TSPATTRIB_KEYINFO_RSA_MODULUS,
> modulusLen,
> modulus);
> DBG("Set public key modulus", result);
> result = Tspi_Key_LoadKey(hKey, tpm.hSRK);
> DBG("Load key into TPM", result);
> result = Tspi_Key_GetPubKey(hKey, &pubKeySize, &pubKeyByte);
> DBG("Get public key blob", result);
> return pubKeySize;
> }
> The errors i got from the above code are:
> Load key into TPM returned 0x00000028. Unsupported key parameters.
> Get public key blob returned 0x0000310e. The addressed key is not
> currently loaded.
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://makebettercode.com/inteldaal-eval
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
