
libcurl: how to use TPM private key for mutual SSL authentication

I use the C libcurl library. I need to do OCSP stapling combined with mutual authentication. For that, I'll model on the examples below. However, I need the private key of my client certificate to be stored in the TPM chip. Do you know how to do that, using tpm2-tss-engine? Thanks for your help.

https://curl.haxx.se/libcurl/c/smtp-ssl.html
https://curl.haxx.se/libcurl/c/CURLOPT_SSLCERT.html

I was able to use a key stored in TPM with openssl s_client (maybe it is possible with curl), but am able to make an HTTPS request and receive a response.

OpenSSL allows you to read the key from the TPM. You can use the s_client command to connect via TCP, then send your HTTP request.

Example command would look like:

File: http_request.txt (with two newlines at the end)

GET /url/path HTTP/1.0
Host: hostname.com


cat http_request.txt | \
openssl s_client \
  -nocommands \
  -ign_eof \
  -msgfile /dev/null \
  -quiet \
  -keyform engine \
  -engine pkcs11 \
  -cert mycertificate.pem \
  -CAfile root.ca.pem \
  -key 'pkcs11:model=SWTPM;manufacturer=Intel;token=mytoken;object=myobject;type=private;pin-value=mypin' \
  -connect hostname.com:443

This allows me to use TPM to make requests to AWS IoT: iot:AssumeRoleWithCertificate which assumes the key is a file on disk: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html
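The question asks for the same thing from libcurl with tpm2-tss-engine, and the answer above shows the openssl s_client route through a PKCS#11 engine. The added script below (not part of the original question or answer) maps that s_client invocation onto the curl command line with the tpm2-tss-engine OpenSSL engine, whose engine id is "tpm2tss", and adds OCSP stapling. The corresponding libcurl options are CURLOPT_SSLENGINE ("tpm2tss"), CURLOPT_SSLENGINE_DEFAULT, CURLOPT_SSLKEYTYPE ("ENG"), CURLOPT_SSLKEY, CURLOPT_SSLCERT, CURLOPT_CAINFO and CURLOPT_SSL_VERIFYSTATUS; they require curl built against the OpenSSL backend with engine support. The key handle 0x81000001, the file names and the URL are assumed values, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): curl CLI counterpart of the
# openssl s_client command above, with the client private key held in the TPM
# through the tpm2-tss-engine OpenSSL engine (engine id "tpm2tss").
# Assumed values: persistent key handle 0x81000001, client certificate
# mycertificate.pem, CA bundle root.ca.pem, URL https://hostname.com/url/path.

# Accept either a TPM 2.0 persistent handle (0x81000000-0x81FFFFFF) or a
# readable TSS2 PEM file written by tpm2tss-genkey; reject anything else
# before curl hands it to the engine, which would otherwise fail late with
# an opaque engine error.
tpm_key_ref_ok() {
    key=$1
    if printf '%s\n' "$key" | grep -Eq '^0x81[0-9A-Fa-f]{6}$'; then
        return 0
    fi
    [ -r "$key" ] && grep -Eq 'BEGIN TSS2 (PRIVATE KEY|KEY BLOB)' "$key"
}

# Print the curl arguments one per line. Mapping from the s_client options:
#   -engine pkcs11 / -keyform engine  ->  --engine tpm2tss --key-type ENG
#   -key <engine key id>              ->  --key <persistent handle or TSS2 PEM>
#   -cert / -CAfile                   ->  --cert / --cacert
# --cert-status asks for OCSP stapling and makes curl fail the transfer when
# no valid stapled response arrives (CURLOPT_SSL_VERIFYSTATUS in libcurl).
tpm_curl_args() {
    url=$1 key=$2 cert=$3 cafile=$4
    tpm_key_ref_ok "$key" || return 1
    printf '%s\n' --engine tpm2tss --key-type ENG --key "$key" \
        --cert "$cert" --cacert "$cafile" --cert-status "$url"
}

# Run the request; the response body goes to stdout, like the s_client pipe.
# Usage: tpm_curl https://hostname.com/url/path 0x81000001 mycertificate.pem root.ca.pem
tpm_curl() {
    args=$(tpm_curl_args "$@") || { echo "bad TPM key reference: $2" >&2; return 1; }
    # Rebuild positional parameters from the newline-separated list without
    # glob expansion, so file names containing spaces survive.
    old_ifs=$IFS
    set -f
    IFS='
'
    set -- $args
    IFS=$old_ifs
    set +f
    curl "$@"
}

# Pre-flight check: both OpenSSL and curl must be able to load the engine.
tpm_engine_available() {
    openssl engine -t tpm2tss >/dev/null 2>&1 &&
        curl --engine list 2>/dev/null | grep -q tpm2tss
}

# Only perform a real request when explicitly asked, so the file can be
# sourced for its functions.
if [ "${TPM_CURL_RUN:-0}" = 1 ]; then
    tpm_engine_available || { echo "tpm2tss engine not available" >&2; exit 1; }
    tpm_curl https://hostname.com/url/path 0x81000001 mycertificate.pem root.ca.pem
fi
```

The pre-flight check matters because a missing or misconfigured engine surfaces as a TLS handshake failure that looks like a certificate problem; checking `openssl engine -t tpm2tss` first separates "the key cannot be loaded" from "the server rejected the client certificate". Note that OpenSSL engines are deprecated from OpenSSL 3.0, so on newer stacks the tpm2-openssl provider replaces tpm2-tss-engine and the `--engine` option no longer applies.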
