Discussion:
[TrouSerS-users] Converting a TPM key into RSA struct for OpenSSL
eye two are
2016-03-23 04:12:14 UTC
Hi, I am trying to convert a TPM key which I obtained from a particular
UUID into an RSA struct to be used with OpenSSL. Does anyone have any
example code on how to do it?
Tadd Seiff
2016-03-24 00:40:16 UTC
I only have a few minutes and can't guarantee this is complete or tested,
but maybe it will help.

All you really need is the modulus and exponent from the key. You get
these via "GetAttribData" in trousers:

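    /* m and e receive the big-endian modulus and public exponent bytes */
    tss_result = Tspi_GetAttribData(hBind_Key, TSS_TSPATTRIB_RSAKEY_INFO,
                                    TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &m_size, &m);

    tss_result = Tspi_GetAttribData(hBind_Key, TSS_TSPATTRIB_RSAKEY_INFO,
                                    TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT, &e_size, &e);


Then something like this:

    /* Direct member access works on OpenSSL 1.0.x; from 1.1.0 on, RSA is
       opaque and RSA_set0_key(rsa, n, e, NULL) is used instead. */
    RSA *rsa = RSA_new();
    rsa->e = BN_bin2bn(e, e_size, rsa->e);
    rsa->n = BN_bin2bn(m, m_size, rsa->n);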

-Tadd
_______________________________________________
TrouSerS-users mailing list
https://lists.sourceforge.net/lists/listinfo/trousers-users
eye two are
2016-03-24 07:16:06 UTC
But this (assuming it works) will only create a public key. I want to use
the private key with OpenSSL.
Dmitri Toubelis
2016-03-24 14:39:41 UTC
Currently, tpmengine requires a blob of the public key in the file in order to load the matching private key, and I think this is the only option. So, unless you want to fiddle with tpmengine internals, this is your only option.
----- Original Message -----
Sent: Thursday, March 24, 2016 10:16:37 AM
Subject: Re: [TrouSerS-users] Converting a TPM key into RSA struct for OpenSSL
Hi, thanks for the reply. I am actually currently using the tpmengine
with OpenSSL but I can't seem to do it without first saving the key
into a file and then loading the file into the engine with the
ENGINE_load_private_key function. I am probably missing something,
so do you know how I can do it without saving the key into a file?
Any example of the code?
On Thu, Mar 24, 2016 at 9:43 PM, Dmitri Toubelis <
The whole idea behind TPM is that you are not supposed to do that, but
there are always exceptions. You may be able to extract the private key
from the TPM if it has MIGRATABLE and LEGACY attributes, and then export
it and convert it into an OpenSSL key.
There is also another option. You could use `tpmengine` with OpenSSL
to do what you need without violating security. I personally use
this approach, but tpmengine requires the key to be created in a very
specific way, so I ended up modifying the engine code to fit my
requirements.
eye two are
2016-03-24 14:45:45 UTC
So do you mean that when I save the blob only the public part will be in
the file and not the private part of the key?

Dmitri Toubelis
2016-03-24 14:52:11 UTC
Not exactly, but for all practical purposes you can think of it this way. The file contains a wrapped key that can only be unwrapped by the TPM using the SRK, so it is completely useless for any purpose outside the TPM, since there is no way to extract the SRK from the TPM.
Dmitri Toubelis
2016-03-24 15:05:21 UTC
Actually this is not 100% correct. The TSS API has a function to find a key by a BLOB, so whatever is stored in this file is that BLOB. What is in this BLOB I'm not 100% sure, but I assume it is a wrapped key. In fact, the modifications I made to tpmengine were for loading a key by UUID, so I would store the UUID of the key in this file instead, which is more readable.
eye two are
2016-03-24 07:14:25 UTC
Yes the TPM created the key. I can make it migratable or non-migratable,
depending on which one is required for it to work. I want to use the
private key with openSSL.

On Thu, Mar 24, 2016 at 3:03 AM, David Challener <
You need to provide more details.
Did the TPM create the key? Was it migratable or non-migratable? Did you
want to use the public key with openSSL or the private key?
Ken Goldman
2016-03-24 13:41:31 UTC
Migrate the key to a software TPM. Then extract the private key and
create the RSA structure as posted.

Or, a bit more coding but maybe less maintenance, migrate the key to an
openssl key pair you generate, then decrypt the private key.

A TPM non-migratable key, by design, keeps the private key hidden.

~~

Of course, I wonder about the high level design. If you want the
private key outside the TPM, why not just generate it outside the TPM?
You can always import it into the TPM - but again, why?
eye two are
2016-03-24 14:25:44 UTC
Sorry, I don't get how I could achieve that programmatically, are there any
code snippets I could refer to?