Merge pull request #360 from dgarske/get_ek_certs

Support for getting TPM EK Certificates

Author: embhorn

.gitignore

@@ -79,6 +79,7 @@ examples/boot/secret_seal
 examples/boot/secret_unseal
 examples/firmware/ifx_fw_extract
 examples/firmware/ifx_fw_update
+examples/endorsement/get_ek_certs
 
 # Generated Cert Files
 certs/ca-*.pem

README.md

@@ -34,6 +34,7 @@ Portable TPM 2.0 project designed for embedded use.
 * Parameter encryption support using AES-CFB or XOR.
 * Support for salted unbound authenticated sessions.
 * Support for HMAC Sessions.
+* Support for reading Endorsement certificates (EK Credential Profile).
 
 Note: See [examples/README.md](examples/README.md) for details on using the examples.
 
@@ -168,7 +169,7 @@ make install
 # then for some other library such as wolfTPM:
 
 # cd /your-wolftpm-repo
-./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin 
+./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin
 ```
 
 ### Build options and defines
@@ -823,9 +824,15 @@ Connection: close
 ```
 
 
+### TPM Endorsement Key Certificates
+
+The TCG EK Credential Profile defines how manufacturers provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE).
+The `get_ek_certs` example shows how to retrieve those EK cerificates, validate them and create a primary EK handle for signing.
+See `./examples/endorsement/get_ek_certs`.
+
+
 ## Todo
 
-* Add support for Endorsement certificates (EK Credential Profile).
 * Update to v1.59 of specification (adding CertifyX509).
 * Inner wrap support for SensitiveToPrivate.
 * Add support for IRQ (interrupt line)

examples/endorsement/README.md

@@ -0,0 +1,46 @@
+# TPM Endorsement Certificates
+
+TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement.
+
+The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
+
+We have loaded some of the root and intermediate CA's into the trusted_certs.h file.
+
+## Example Detail
+
+1) Get handles in the TCG NV range using `wolfTPM2_GetHandles` with `TPM_20_TCG_NV_SPACE`.
+2) Get size of the certificate by reading the public NV information using `wolfTPM2_NVReadPublic`.
+3) Read the NV data (certificate DER/ASN.1) from the NV index using `wolfTPM2_NVReadAuth`.
+4) Get the EK public template using the NV index by calling `wolfTPM2_GetKeyTemplate_EKIndex` or `wolfTPM2_GetKeyTemplate_EK`.
+5) Create the primary endorsement key with public template and TPM_RH_ENDORSEMENT hierarchy using `wolfTPM2_CreatePrimaryKey`.
+6) Parse the ASN.1/DER certificate using `wc_ParseCert` to extract issuer, serial number, etc...
+7) The URI for the CA issuer certificate can be obtained in `extAuthInfoCaIssuer`.
+8) Import the certificate public key and compare it against the primary EK public unique area.
+9) Use the wolfSSL Certificate Manager to validate the EK certificate. Trusted certificates are loaded using `wolfSSL_CertManagerLoadCABuffer` and the EK certificate is validated using `wolfSSL_CertManagerVerifyBuffer`.
+10) Optionally covert to PEM and export using `wc_DerToPem`.
+
+## Example certificate chains
+
+### Infineon SLB9672
+
+Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number):
+
+https://pki.infineon.com/OptigaRsaMfrCAxxx/OptigaRsaMfrCAxxx.crt
+https://pki.infineon.com/OptigaEccMfrCAxxx/OptigaEccMfrCAxxx.crt
+
+
+Examples:
+
+- Infineon OPTIGA(TM) RSA Root CA 2
+  - Infineon OPTIGA(TM) TPM 2.0 RSA CA 059
+- Infineon OPTIGA(TM) ECC Root CA 2
+  - Infineon OPTIGA(TM) TPM 2.0 ECC CA 059
+
+### STMicro ST33KTPM
+
+Example:
+
+- STSAFE RSA root CA 02 (http://sw-center.st.com/STSAFE/STSAFERsaRootCA02.crt)
+  - STSAFE-TPM RSA intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmrsaint10.crt)
+- STSAFE ECC root CA 02 (http://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt)
+  - STSAFE-TPM ECC intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmeccint10.crt)

examples/endorsement/endorsement.h

@@ -0,0 +1,35 @@
+/* endorsement.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfTPM.
+ *
+ * wolfTPM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfTPM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef _WOLFTPM_ENDORSEMENT_H_
+#define _WOLFTPM_ENDORSEMENT_H_
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]);
+
+#ifdef __cplusplus
+    }  /* extern "C" */
+#endif
+
+#endif /* _WOLFTPM_ENDORSEMENT_H_ */