Package: tpm2-openssl
Version: 1.1.1-1
Severity: important

In order to use the TPM to store TLS keys, the key type must be usable for TLS. If the ECC algorithm family cannot be used, this has to be RSA-PSS. RSA-PSS keys can be created with tpm2-tools and appear to function correctly outside OpenSSL. Trying to generate an OpenSSL certificate request with such a key produces a CSR with invalid padding.

How to reproduce:

tpm2_createek -G rsa -c ek_pss.ctx
tpm2_createak -C ek_pss.ctx -G rsa -g sha256 -s pss -c ak_ecc.ctx
tpm2_evictcontrol -c ak_ecc.ctx 0x81000001
OPENSSL_CONF=./openssl.cnf openssl req -provider tpm2 -provider default \
    -propquery '?provider=tpm2' -key handle:0x81000001 -out testcsr.pem -new

The resulting CSR has invalid padding (200+ bytes instead of 32) and is rejected if passed to a CA.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-13-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tpm2-openssl depends on:
ii  libc6                 2.36-9+deb12u4
ii  libtss2-esys-3.0.2-0  3.2.1-3
ii  libtss2-rc0           3.2.1-3
ii  libtss2-tctildr0      3.2.1-3

tpm2-openssl recommends no packages.

tpm2-openssl suggests no packages.

-- no debconf information
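Before handing a CSR such as testcsr.pem to a CA, it helps to look at what the provider actually wrote into the signatureAlgorithm and signature fields. The following Python is an added example, not part of this report or of tpm2-openssl: a stdlib-only DER walker that extracts the signature OID, whether RSASSA-PSS parameters are present, and the signature length, plus a structural check against the key's modulus size. The CSRs it builds are constructed skeletons for demonstration, and the names inspect_csr, csr_signature_ok and sample_csr are mine.

```python
import base64
import re

OID_RSASSA_PSS = bytes.fromhex("2a864886f70d01010a")   # 1.2.840.113549.1.1.10, needs PSS params
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11, PKCS#1 v1.5

def _tlv(data, pos):                  # read one DER TLV -> (tag, content, next position)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _der(tag, content):               # encode a DER TLV; only used for the constructed samples
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def _oid_to_str(raw):                 # OID content bytes -> dotted form (base-128 arcs)
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_csr(pem_or_der):
    """Return the signature algorithm OID, whether it carries parameters, and signature length."""
    data = pem_or_der
    if data.lstrip().startswith(b"-----"):            # PEM: drop armour lines and whitespace
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    _, body, _ = _tlv(data, 0)                        # CertificationRequest ::= SEQUENCE
    _, _, p = _tlv(body, 0)                           # certificationRequestInfo (skipped)
    _, algid, p = _tlv(body, p)                       # signatureAlgorithm
    _, sig, _ = _tlv(body, p)                         # signature BIT STRING
    _, oid_raw, q = _tlv(algid, 0)
    has_params = q < len(algid) and algid[q] == 0x30  # RSASSA-PSS-params is a SEQUENCE
    return {"oid": _oid_to_str(oid_raw), "has_params": has_params, "sig_len": len(sig) - 1}

def csr_signature_ok(info, modulus_bytes):
    """Structural checks a CA applies: PSS must carry params; signature is exactly modulus-sized."""
    if info["oid"] == "1.2.840.113549.1.1.10" and not info["has_params"]:
        return False
    return info["sig_len"] == modulus_bytes

def sample_csr(oid_raw, params, sig_len):   # constructed CSR skeleton, not a real request
    algid = _der(0x30, _der(0x06, oid_raw) + params)
    return _der(0x30, _der(0x30, b"") + algid + _der(0x03, b"\x00" + b"\xab" * sig_len))
```

This only catches structural mismatches in the encoding; `openssl req -in testcsr.pem -noout -verify` performs the actual signature verification and is the check that mirrors what the CA does.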