How does tpm2-tss-engine generate a CSR, specifically the detailed process? #289

@bronzeMe

  • Command 1: tpm2tss generates a CSR using the persistent handle:
    openssl req -new -engine tpm2tss -keyform engine -out client.csr -key 0x81010003
  • Command 2: OpenSSL natively generates a CSR using:
    openssl req -new -key client.key -out client.csr -subj "/CN=TPM AK
  • For command 2, OpenSSL first constructs an unsigned CSR structure (extracting the public key information from the private key and filling the public key as a field in the CSR), then uses the private key to sign the CSR, and finally outputs a signed CSR.
  • For command 1, I understand that we can only obtain the public key from the TPM handler. How does the tpm2-tss-engine source code construct an unsigned CSR with only the public key, given that the private key cannot be retrieved from the TPM? My understanding is that it first exports the public key from the TPM handler to construct a CSR to be signed, and then calls the TPM's signing function to sign this unsigned CSR. Our goal is to understand and learn how to manually construct a CSR structure to be signed using only the public key.

Thanks a lot.
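The mechanism the question is asking about does not depend on the engine at all: a CSR library only ever needs two things from a key, the public key (to fill the SubjectPublicKeyInfo field of CertificationRequestInfo) and a function that turns the hash of that DER structure into a signature. The private key never has to be in process. With `-keyform engine`, tpm2-tss-engine hands OpenSSL a key object that carries the public part plus the TPM handle and whose signing operation is routed to the TPM; OpenSSL then builds and hashes CertificationRequestInfo exactly as it does for a software key. The following Go program is an added example, not code from tpm2-tss-engine or from the issue author. It models the TPM key as a `crypto.Signer` that exposes only `Public()` and `Sign()`; the "TPM" is a constructed stand-in (a P-256 software key hidden in a closure), and the names `opaqueSigner`, `NewSimulatedTPMKey`, `BuildCSR` and `InspectCSR` are this example's own. `InspectCSR` also re-verifies the signature by hand over `RawTBSCertificateRequest`, so you can see which bytes are the "unsigned CSR" that gets signed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// opaqueSigner models a TPM-resident key as the CSR code sees it: only the
// public key and a Sign function. With tpm2-tss-engine the Sign call would be
// a TPM signing command on the persistent handle; here (constructed for the
// demo) it is a closure over a software key that the CSR code never touches.
type opaqueSigner struct {
	pub  crypto.PublicKey
	sign func(digest []byte) ([]byte, error)
}

func (s *opaqueSigner) Public() crypto.PublicKey { return s.pub }

// Sign receives the already-hashed CertificationRequestInfo, which is exactly
// what a TPM signing command would be given.
func (s *opaqueSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return s.sign(digest)
}

// NewSimulatedTPMKey generates a P-256 key "inside the device" and returns a
// signer exposing only its public half (stand-in for loading a persistent handle).
func NewSimulatedTPMKey() (*opaqueSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &opaqueSigner{
		pub: priv.Public(),
		sign: func(digest []byte) ([]byte, error) {
			return ecdsa.SignASN1(rand.Reader, priv, digest)
		},
	}, nil
}

// BuildCSR fills CertificationRequestInfo (subject plus SubjectPublicKeyInfo
// taken from signer.Public()), DER-encodes it, hashes it with SHA-256 and asks
// the signer for the signature. No private key material is needed here.
func BuildCSR(signer crypto.Signer, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: cn},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, signer)
}

// InspectCSR parses a DER CSR, checks the signature the way a CA would, and
// re-verifies it by hand over RawTBSCertificateRequest to show which bytes
// were actually signed. Returns the CN and whether the embedded public key
// equals expectedPub.
func InspectCSR(der []byte, expectedPub crypto.PublicKey) (string, bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", false, errors.New("expected an ECDSA public key in the CSR")
	}
	// The "unsigned CSR" is the CertificationRequestInfo DER; its SHA-256 is
	// what the signer (TPM) was handed.
	digest := sha256.Sum256(csr.RawTBSCertificateRequest)
	if !ecdsa.VerifyASN1(pub, digest[:], csr.Signature) {
		return "", false, errors.New("manual verification over the TBS bytes failed")
	}
	return csr.Subject.CommonName, pub.Equal(expectedPub), nil
}

func main() {
	signer, err := NewSimulatedTPMKey()
	if err != nil {
		panic(err)
	}
	der, err := BuildCSR(signer, "TPM AK")
	if err != nil {
		panic(err)
	}
	cn, match, err := InspectCSR(der, signer.Public())
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s, public key matches TPM key: %v\n", cn, match)
	fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})))
}
```

The point to take from `BuildCSR` is that `x509.CreateCertificateRequest` accepts any `crypto.Signer`; it calls `Public()` to populate the public key field and `Sign()` once with the digest of the encoded CertificationRequestInfo. Replacing the closure in `NewSimulatedTPMKey` with a call to a TPM library on the persistent handle is the whole change needed to make this a hardware-backed CSR, which is the same division of labour OpenSSL has with the engine's key object.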
