What we are trying to do:
We are trying to use curl to create an HTTPS connection to a backend using a TPM2 with an internal key.
The only way seems to be using a PKCS11-URI like
"pkcs11:model=SLB9670%00;manufacturer=Infineon;serial=00;token=tokenname"
in the --key attribute.
OpenSSL needs to work with the TPM2 via a handle like handle:0x81000000. The handles address the key to use. For internal TPM2 keys there seem to be only handles.
Q1: Is it possible to use curl with handles like OpenSSL?
Q2: What can we do to realize our use case?
What we have already done:
We have created an RSA key in the TPM2 based on the examples from: github -> tpm2-openssl
tpm2_clear
# create ek
tpm2_createprimary -c ek.ctx -C o
# create a default key
tpm2_create \
-C ek.ctx \
-u "$(hostname)".pub \
-G rsa2048 \
-g sha256 \
-p "${PASSWORD}" \
-r "$(hostname)".priv \
-c "$(hostname)".ctx
# Persist and catch handle
HANDLE=$(tpm2_evictcontrol -c "$(hostname)".ctx | cut -d ' ' -f 2 | head -n 1)
With the HANDLE (in our case 0x81000000) we can use OpenSSL to create a CSR:
OPENSSL_CONF="/root/openssl.cnf" \
openssl req \
-new \
-sha256 \
-provider tpm2 \
-provider default \
-propquery "?provider=tpm2" \
-key handle:"${HANDLE}"?pass \
-passin pass:"${PASSWORD}" \
-subj "/CN=$(hostname)" \
-addext "keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
-addext "extendedKeyUsage=clientAuth,codeSigning" \
-out "$(hostname)".csr
We can also sign and decrypt data:
OPENSSL_CONF="/root/openssl.cnf" \
openssl pkeyutl \
-sign \
-provider tpm2 \
-provider default \
-inkey handle:"${HANDLE}"?pass \
-passin pass:"${PASSWORD}" \
-rawin \
-digest SHA-256 \
-in "${TOSIGN}" \
-out "${TOVERIFY}"
OPENSSL_CONF="/root/openssl.cnf" \
openssl pkeyutl \
-decrypt \
-provider tpm2 \
-inkey handle:"${HANDLE}"?pass \
-passin pass:"${PASSWORD}" \
-in "${TODECRYPT}" \
-out "${PLAIN}"
With OpenSSL s_client and s_server we can create an SSL connection.
openssl s_server \
-key "${DEVICE_PRIVATE_KEY}" \
-cert "${DEVICE_CERTIFICATE}" \
-CAfile "${DEVICE_CERTIFICATE}" \
-accept 44330 \
-tls1_3 \
-tlsextdebug \
-www
openssl s_client \
-connect "$(hostname)":44330 \
-tls1_3 \
-showcerts \
-cert "/root/ClientCertificate.pem" \
-CAfile "${DEVICE_CERTIFICATE}" \
-key handle:0x81000000?pass \
-pass pass:"${PASSWORD}" \
-verify 1 \
-provider tpm2 \
-provider default \
-propquery "?provider=tpm2"
DEVICE_CERTIFICATE = self-signed server certificate
ClientCertificate.pem -> "$(hostname).csr" signed by the private key of DEVICE_CERTIFICATE
Since curl is built with OpenSSL support, we expect that we can also create a secure connection. Most of the information about this topic is several years old and seems no longer valid.
We have also tried to follow the thread below, without success: Can libcurl use tpm2-tss-engine for TLS connexions?
System: Ubuntu 22.04
Linux hostname 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
curl --engine list
Build-time engines:
rdrand
dynamic
pkcs11
openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
openssl engine -t
(rdrand) Intel RDRAND engine
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
(pkcs11) pkcs11 engine
[ available ]