From 57f12df97b2ab2083086aa2a821730ec5b7fc651 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 26 Jul 2024 13:02:57 -0700 Subject: [PATCH 1/3] Support for getting TPM EK Certificates. Added `wolfTPM2_GetKeyTemplate_EK` and `wolfTPM2_GetKeyTemplate_EK` API's for getting EK public templates for generating the EK primary key. Fix TLS example build issues with wolfSSL not having crypto callback or PK callback enabled. --- .gitignore | 1 + README.md | 4 +- examples/endorsement/README.md | 31 ++ examples/endorsement/endorsement.h | 35 +++ examples/endorsement/get_ek_certs.c | 414 +++++++++++++++++++++++++++ examples/endorsement/include.am | 20 ++ examples/endorsement/trusted_certs.h | 300 +++++++++++++++++++ examples/include.am | 1 + examples/nvram/read.c | 31 +- examples/run_examples.sh | 7 + examples/tls/tls_client.c | 6 +- examples/tls/tls_server.c | 6 +- src/tpm2.c | 9 +- src/tpm2_wrap.c | 170 +++++++++-- wolftpm/tpm2.h | 69 ++++- wolftpm/tpm2_wrap.h | 46 ++- 16 files changed, 1093 insertions(+), 57 deletions(-) create mode 100644 examples/endorsement/README.md create mode 100644 examples/endorsement/endorsement.h create mode 100644 examples/endorsement/get_ek_certs.c create mode 100644 examples/endorsement/include.am create mode 100644 examples/endorsement/trusted_certs.h diff --git a/.gitignore b/.gitignore index 4f91a105..0ce2eb97 100644 --- a/.gitignore +++ b/.gitignore @@ -79,6 +79,7 @@ examples/boot/secret_seal examples/boot/secret_unseal examples/firmware/ifx_fw_extract examples/firmware/ifx_fw_update +examples/endorsement/get_ek_certs # Generated Cert Files certs/ca-*.pem diff --git a/README.md b/README.md index af56a8ea..8a9835de 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,7 @@ Portable TPM 2.0 project designed for embedded use. * Parameter encryption support using AES-CFB or XOR. * Support for salted unbound authenticated sessions. * Support for HMAC Sessions. +* Support for reading Endorsement certificates (EK Credential Profile). Note: See [examples/README.md](examples/README.md) for details on using the examples. @@ -168,7 +169,7 @@ make install # then for some other library such as wolfTPM: # cd /your-wolftpm-repo -./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin +./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin ``` ### Build options and defines @@ -825,7 +826,6 @@ Connection: close ## Todo -* Add support for Endorsement certificates (EK Credential Profile). * Update to v1.59 of specification (adding CertifyX509). * Inner wrap support for SensitiveToPrivate. * Add support for IRQ (interrupt line) diff --git a/examples/endorsement/README.md b/examples/endorsement/README.md new file mode 100644 index 00000000..47989946 --- /dev/null +++ b/examples/endorsement/README.md @@ -0,0 +1,31 @@ +# TPM Endorsement Certificates + +The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region. + +TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement. + +We have loaded some of the root and intermediate CA's into the trusted_certs.h file. + +## Infineon SLB9672 EK Certificate Chain + +Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number): + +https://pki.infineon.com/OptigaRsaMfrCAxxx/OptigaRsaMfrCAxxx.crt +https://pki.infineon.com/OptigaEccMfrCAxxx/OptigaEccMfrCAxxx.crt + + +Examples: + +- Infineon OPTIGA(TM) RSA Root CA 2 + - Infineon OPTIGA(TM) TPM 2.0 RSA CA 059 +- Infineon OPTIGA(TM) ECC Root CA 2 + - Infineon OPTIGA(TM) TPM 2.0 ECC CA 059 + +## STMicro ST33KTPM EK Certificate Chain + +Example: + +- STSAFE RSA root CA 02 (http://sw-center.st.com/STSAFE/STSAFERsaRootCA02.crt) + - STSAFE-TPM RSA intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmrsaint10.crt) +- STSAFE ECC root CA 02 (http://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt) + - STSAFE-TPM ECC intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmeccint10.crt) diff --git a/examples/endorsement/endorsement.h b/examples/endorsement/endorsement.h new file mode 100644 index 00000000..04787e13 --- /dev/null +++ b/examples/endorsement/endorsement.h @@ -0,0 +1,35 @@ +/* endorsement.h + * + * Copyright (C) 2006-2024 wolfSSL Inc. + * + * This file is part of wolfTPM. + * + * wolfTPM is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfTPM is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef _WOLFTPM_ENDORSEMENT_H_ +#define _WOLFTPM_ENDORSEMENT_H_ + +#ifdef __cplusplus + extern "C" { +#endif + +int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]); + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* _WOLFTPM_ENDORSEMENT_H_ */ diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c new file mode 100644 index 00000000..a980e57a --- /dev/null +++ b/examples/endorsement/get_ek_certs.c @@ -0,0 +1,414 @@ +/* get_ek_certs.c + * + * Copyright (C) 2006-2024 wolfSSL Inc. + * + * This file is part of wolfTPM. + * + * wolfTPM is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfTPM is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* This example shows how to decrypt a credential for Remote Attestation + * and extract the secret for challenge response to an attestation server + */ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include + +#include + +#ifndef WOLFTPM2_NO_WRAPPER + +#include +#include + +#ifndef WOLFTPM2_NO_WOLFCRYPT + #include + #include "trusted_certs.h" +#endif + +/******************************************************************************/ +/* --- BEGIN TPM2.0 Endorsement certificate tool -- */ +/******************************************************************************/ + +#ifndef MAX_CERT_SZ +#define MAX_CERT_SZ 2048 +#endif + +static void usage(void) +{ + printf("Expected usage:\n"); + printf("./examples/endorsement/get_ek_certs\n"); +} + +static void dump_hex_bytes(const byte* buf, word32 sz) +{ + word32 i; + /* Print as : separated hex bytes - max 15 bytes per line */ + printf("\t"); + for (i=0; i0 && ((i+1)%16)==0) printf("\n\t"); + } + } + printf("\n"); +} + +/* Display EK public information */ +static void show_ek_public(const TPM2B_PUBLIC* pub) +{ + printf("EK %s, Hash: %s, objAttr: 0x%X\n", + TPM2_GetAlgName(pub->publicArea.type), + TPM2_GetAlgName(pub->publicArea.nameAlg), + (unsigned int)pub->publicArea.objectAttributes); + + /* parameters and unique field depend on algType */ + if (pub->publicArea.type == TPM_ALG_RSA) { + printf("\tKeyBits: %d, exponent: 0x%X, unique size %d\n", + pub->publicArea.parameters.rsaDetail.keyBits, + (unsigned int)pub->publicArea.parameters.rsaDetail.exponent, + pub->publicArea.unique.rsa.size); + dump_hex_bytes(pub->publicArea.unique.rsa.buffer, + pub->publicArea.unique.rsa.size); + } + else if (pub->publicArea.type == TPM_ALG_ECC) { + const char* curveName = "NULL"; + #ifndef WOLFTPM2_NO_WOLFCRYPT + curveName = wc_ecc_get_name( + TPM2_GetWolfCurve(pub->publicArea.parameters.eccDetail.curveID)); + #endif + printf("\tCurveID %s (0x%x), size %d, unique X/Y size %d/%d\n", + curveName, pub->publicArea.parameters.eccDetail.curveID, + TPM2_GetCurveSize(pub->publicArea.parameters.eccDetail.curveID), + pub->publicArea.unique.ecc.x.size, + pub->publicArea.unique.ecc.y.size); + dump_hex_bytes(pub->publicArea.unique.ecc.x.buffer, + pub->publicArea.unique.ecc.x.size); + dump_hex_bytes(pub->publicArea.unique.ecc.y.buffer, + pub->publicArea.unique.ecc.y.size); + } +} + +#ifndef WOLFTPM2_NO_WOLFCRYPT +static int compare_ek_public(const TPM2B_PUBLIC* ekpub, + const TPM2B_PUBLIC* certpub) +{ + int rc = -1; + if (ekpub->publicArea.type == TPM_ALG_RSA) { + if (ekpub->publicArea.unique.rsa.size == + certpub->publicArea.unique.rsa.size) { + rc = XMEMCMP(ekpub->publicArea.unique.rsa.buffer, + certpub->publicArea.unique.rsa.buffer, + ekpub->publicArea.unique.rsa.size); + } + } + else if (ekpub->publicArea.type == TPM_ALG_ECC) { + if (ekpub->publicArea.parameters.eccDetail.curveID == + certpub->publicArea.parameters.eccDetail.curveID && + ekpub->publicArea.unique.ecc.x.size == + certpub->publicArea.unique.ecc.x.size && + ekpub->publicArea.unique.ecc.y.size == + certpub->publicArea.unique.ecc.y.size) { + rc = XMEMCMP(ekpub->publicArea.unique.ecc.x.buffer, + certpub->publicArea.unique.ecc.x.buffer, + ekpub->publicArea.unique.ecc.x.size); + if (rc == 0) { + rc = XMEMCMP(ekpub->publicArea.unique.ecc.y.buffer, + certpub->publicArea.unique.ecc.y.buffer, + ekpub->publicArea.unique.ecc.y.size); + } + } + } + return rc; +} +#endif + +int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) +{ + int rc = -1, nvIdx; + WOLFTPM2_DEV dev; + TPML_HANDLE handles; + TPMS_NV_PUBLIC nvPublic; + WOLFTPM2_NV nv; + WOLFTPM2_KEY endorse; + WOLFTPM2_KEY certPubKey; + uint8_t certBuf[MAX_CERT_SZ]; + uint32_t certSz; + TPMT_PUBLIC publicTemplate; + word32 nvIndex; +#ifndef WOLFTPM2_NO_WOLFCRYPT + int i; + #ifndef WOLFCRYPT_ONLY + WOLFSSL_CERT_MANAGER* cm = NULL; + #endif + DecodedCert cert; + #ifdef WOLFSSL_DER_TO_PEM + char* pem = NULL; + word32 pemSz = 0; + #endif +#endif + + XMEMSET(&endorse, 0, sizeof(endorse)); + XMEMSET(&handles, 0, sizeof(handles)); + XMEMSET(&nvPublic, 0, sizeof(nvPublic)); + XMEMSET(&certPubKey, 0, sizeof(certPubKey)); + + if (argc >= 2) { + if (XSTRCMP(argv[1], "-?") == 0 || + XSTRCMP(argv[1], "-h") == 0 || + XSTRCMP(argv[1], "--help") == 0) { + usage(); + return 0; + } + } + + printf("Get Endorsement Certificate(s)\n"); + + rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); + if (rc != TPM_RC_SUCCESS) { + printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); + goto exit; + } + + /* List TCG stored handles */ + rc = wolfTPM2_GetHandles(TPM_20_TCG_NV_SPACE, &handles); + if (rc < 0) { + goto exit; + } + rc = 0; + printf("Found %d TCG handles\n", handles.count); + +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY) + /* load trusted certificates to cert manager */ + certSz = 0; + cm = wolfSSL_CertManagerNew(); + if (cm != NULL) { + for (i=0; i<(int)(sizeof(trusted_certs)/sizeof(const char*)); i++) { + const char* pemCert = trusted_certs[i]; + rc = wolfSSL_CertManagerLoadCABuffer(cm, + (const unsigned char*)pemCert, XSTRLEN(pemCert), + WOLFSSL_FILETYPE_PEM); + if (rc == WOLFSSL_SUCCESS) { + certSz++; + rc = 0; + } + else { + printf("Warning: Failed to load trusted PEM at index %d\n", i); + /* not fatal, continue loading trusted certs */ + } + } + printf("Loaded %d trusted certificates\n", certSz); + } + else { + printf("Warning: Failed to setup a trusted certificate manager\n"); + } +#endif + + for (nvIdx=0; nvIdx<(int)handles.count; nvIdx++) { + nvIndex = handles.handle[nvIdx]; + + printf("TCG Handle 0x%x\n", nvIndex); + + /* Read Public portion of NV */ + rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic); + if (rc != 0) { + printf("Failed to read public for NV Index 0x%08x\n", nvIndex); + continue; + } + + /* Read data */ + XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */ + XMEMSET(certBuf, 0, sizeof(certBuf)); + certSz = (uint32_t)sizeof(certBuf); + if (certSz > nvPublic.dataSize) { + certSz = nvPublic.dataSize; + } + rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0); + if (rc == 0) { + #ifdef DEBUG_WOLFTPM + printf("EK Data: %d\n", certSz); + TPM2_PrintBin(certBuf, certSz); + #endif + } + + /* Create Endorsement Key */ + if (rc == 0) { + /* Get Endorsement Public Key template using NV index */ + rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate); + if (rc != 0) { + printf("EK Index 0x%08x not valid\n", nvIndex); + rc = BAD_FUNC_ARG; + } + } + if (rc == 0) { + /* Create Endorsement Key using EK auth policy */ + printf("Creating Endorsement Key\n"); + rc = wolfTPM2_CreatePrimaryKey(&dev, &endorse, TPM_RH_ENDORSEMENT, + &publicTemplate, NULL, 0); + if (rc != 0) goto exit; + printf("Endorsement key loaded at handle 0x%08x\n", + endorse.handle.hndl); + + /* Display EK public information */ + show_ek_public(&endorse.pub); + } + + #ifndef WOLFTPM2_NO_WOLFCRYPT + if (rc == 0) { + /* Attempt to parse certificate */ + printf("Parsing certificate (%d bytes)\n", certSz); + wc_InitDecodedCert(&cert, certBuf, certSz, NULL); + rc = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); + if (rc == 0) { + printf("\tSuccessfully parsed\n"); + + #if defined(WOLFSSL_ASN_CA_ISSUER) || \ + defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + /* print the "Authority Information Access" for accessing + * CA Issuers */ + if (cert.extAuthInfoCaIssuerSz > 0) { + printf("CA Issuers: %.*s\n", + cert.extAuthInfoCaIssuerSz, cert.extAuthInfoCaIssuer); + } + #endif + + if (cert.serialSz > 0) { + if (cert.serialSz == 4) { + /* serial number is 32-bits */ + word32 serial; + XMEMCPY(&serial, cert.serial, cert.serialSz); + #ifndef BIG_ENDIAN_ORDER + serial = ByteReverseWord32(serial); + #endif + printf("Serial Number: %08u (0x%08x)\n", + serial, serial); + } + else { + /* Print serial as : separated hex bytes */ + printf("Serial Number (%d bytes)\n", cert.serialSz); + dump_hex_bytes(cert.serial, cert.serialSz); + } + } + + /* Import certificate public key */ + rc = wolfTPM2_ImportPublicKeyBuffer(&dev, + endorse.pub.publicArea.type, &certPubKey, + ENCODING_TYPE_ASN1, + (const char*)cert.publicKey, cert.pubKeySize, + endorse.pub.publicArea.objectAttributes + ); + if (rc == 0) { + /* compare public unique areas */ + if (compare_ek_public(&endorse.pub, &certPubKey.pub) == 0) { + printf("Cert public key and EK public match\n"); + } + else { + printf("Error: Cert public key != EK public!\n"); + show_ek_public(&certPubKey.pub); + } + } + else { + printf("Error importing certificates public key! %d\n", rc); + } + } + else { + printf("Error parsing certificate 0x%x: %s\n", + rc, TPM2_GetRCString(rc)); + } + wc_FreeDecodedCert(&cert); + + #ifndef WOLFCRYPT_ONLY + if (rc == 0) { + /* Validate EK certificate against trusted certificates */ + rc = wolfSSL_CertManagerVerifyBuffer(cm, certBuf, certSz, + WOLFSSL_FILETYPE_ASN1); + printf("EK Certificate is %s\n", + (rc == WOLFSSL_SUCCESS) ? "VALID" : "INVALID"); + } + #endif + + #ifdef WOLFSSL_DER_TO_PEM + /* Convert certificate to PEM and display */ + rc = wc_DerToPemEx(certBuf, certSz, NULL, 0, NULL, CERT_TYPE); + if (rc > 0) { + pemSz = (word32)rc; + rc = 0; + + pemSz++; /* for '\0'*/ + pem = (char*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) { + rc = MEMORY_E; + } + } + if (rc == 0) { + XMEMSET(pem, 0, pemSz); + rc = wc_DerToPem(certBuf, certSz, (byte*)pem, pemSz, CERT_TYPE); + if (rc > 0) { + rc = 0; + } + } + if (rc == 0) { + printf("Endorsement Cert PEM\n"); + puts(pem); + } + #endif /* WOLFSSL_DER_TO_PEM */ + } + #endif /* !WOLFTPM2_NO_WOLFCRYPT */ + + wolfTPM2_UnloadHandle(&dev, &endorse.handle); + XMEMSET(&endorse, 0, sizeof(endorse)); + } + +exit: + +#ifndef WOLFTPM2_NO_WOLFCRYPT + #ifdef WOLFSSL_DER_TO_PEM + XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + #ifndef WOLFCRYPT_ONLY + wolfSSL_CertManagerFree(cm); + #endif +#endif + wolfTPM2_UnloadHandle(&dev, &endorse.handle); + wolfTPM2_Cleanup(&dev); + + return rc; +} + +/******************************************************************************/ +/* --- END TPM2.0 Endorsement certificate tool -- */ +/******************************************************************************/ +#endif /* !WOLFTPM2_NO_WRAPPER */ + +#ifndef NO_MAIN_DRIVER +int main(int argc, char *argv[]) +{ + int rc = -1; + +#ifndef WOLFTPM2_NO_WRAPPER + rc = TPM2_EndorsementCert_Example(NULL, argc, argv); +#else + printf("Wrapper code not compiled in\n"); + (void)argc; + (void)argv; +#endif /* !WOLFTPM2_NO_WRAPPER */ + + return rc; +} +#endif diff --git a/examples/endorsement/include.am b/examples/endorsement/include.am new file mode 100644 index 00000000..1b5e1f94 --- /dev/null +++ b/examples/endorsement/include.am @@ -0,0 +1,20 @@ +# vim:ft=automake +# All paths should be given relative to the root + +if BUILD_EXAMPLES + noinst_HEADERS += \ + examples/endorsement/endorsement.h \ + examples/endorsement/trusted_certs.h + + noinst_PROGRAMS += examples/endorsement/get_ek_certs + examples_endorsement_get_ek_certs_SOURCES = examples/endorsement/get_ek_certs.c + examples_endorsement_get_ek_certs_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD) + examples_endorsement_get_ek_certs_DEPENDENCIES = src/libwolftpm.la +endif + +EXTRA_DIST+=examples/endorsement/README.md +example_endorsementdir = $(exampledir)/endorsement +dist_example_endorsement_DATA = \ + examples/endorsement/get_ek_certs.c + +DISTCLEANFILES+= examples/endorsement/.libs/get_ek_certs diff --git a/examples/endorsement/trusted_certs.h b/examples/endorsement/trusted_certs.h new file mode 100644 index 00000000..af809e71 --- /dev/null +++ b/examples/endorsement/trusted_certs.h @@ -0,0 +1,300 @@ +#ifndef WOLFTPM_TRUSTED_CERTS_H +#define WOLFTPM_TRUSTED_CERTS_H + +/* These are root and intermediate certificates used by chip vendors for + * their endorsement certificates. + */ + +/* webauthn has a good source of TPM root certs: + * https://hackage.haskell.org/package/webauthn-0.10.0.0/src/root-certs/tpm/ + */ + +/* tpm2-tss fapi header has a well maintained list of TPM root certificates: + * https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_certificates.h + */ + +static const char* trusted_certs[] = { + /* ---------------------------------------------------------------*/ + /* Infineon Technologies AG */ + /* ---------------------------------------------------------------*/ + /* Subject: CN=Infineon OPTIGA(TM) ECC Root CA 2 + * Algorithms: ECDSA SECP521R1, SHA2-512 + * Validity: Nov 22 23:59:59 2054 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICrTCCAg6gAwIBAgIBWjAKBggqhkjOPQQDBDB5MQswCQYDVQQGEwJERTEhMB8G\n" + "A1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJR0Eo\n" + "VE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkgRUNDIFJv\n" + "b3QgQ0EgMjAgFw0xOTExMjIwMDAwMDBaGA8yMDU0MTEyMjIzNTk1OVoweTELMAkG\n" + "A1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEbMBkG\n" + "A1UECwwST1BUSUdBKFRNKSBEZXZpY2VzMSowKAYDVQQDDCFJbmZpbmVvbiBPUFRJ\n" + "R0EoVE0pIEVDQyBSb290IENBIDIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABD\n" + "6MnFaakBVM/vveSWg55BTIdxWdxAzGf2+fEUo5b9hMF6kVSWaR0wAAm2p9qeXNAV\n" + "j7tfQkhz1CxvNz4TauSBQQGf94WLcIKyh7d6zC6/AIloqPizTIGb5xl4ogqyz6ZC\n" + "T/D5FiOPA98TYzoThdqM8cpcI74e2xOyNgAffsm/BRiuFKNCMEAwHQYDVR0OBBYE\n" + "FIK4PcxxuD5+9pzWHchNUjJwbMedMA4GA1UdDwEB/wQEAwIABjAPBgNVHRMBAf8E\n" + "BTADAQH/MAoGCCqGSM49BAMEA4GMADCBiAJCAOXJYwRt86BtRKSuiN5LNATNX6Nc\n" + "hs4DUiggpQhbgggV3Lf+T39l71KvCIPb8n5ZjSi5AKflmPGzumCjqDAPsgmsAkIA\n" + "vpqNqptg4Sf3hrdAsLAqNPZGnx8gRBnsTvvQzNUOZETuBp+nbmSrKMWZpd5G7HkM\n" + "9uXFb5ctX1cZQUbYFA2qG5g=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 ECC CA 059 + * Issuer: CN=Infineon OPTIGA(TM) ECC Root CA 2 + * Algorithms: ECDSA SECP521R1, SHA2-512 + * Validity: Mar 10 10:30:49 2042 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDpzCCAwigAwIBAgIEM8fygzAKBggqhkjOPQQDBDB5MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkgRUND\n" + "IFJvb3QgQ0EgMjAeFw0yMjAzMTAxMDMwNDlaFw00MjAzMTAxMDMwNDlaMHYxCzAJ\n" + "BgNVBAYTAkRFMSEwHwYDVQQKDBhJbmZpbmVvbiBUZWNobm9sb2dpZXMgQUcxEzAR\n" + "BgNVBAsMCk9QVElHQShUTSkxLzAtBgNVBAMMJkluZmluZW9uIE9QVElHQShUTSkg\n" + "VFBNIDIuMCBFQ0MgQ0EgMDU5MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAdFmJ\n" + "CLLqN+9xRN+gDqG1qYoDj6+B4OCy5rXG2+cTp6OPraIEIs7ZCtsdxv0hGM45SJI5\n" + "4nl6WUqdILKdqhA1cTMABVhN6Nm6oVwXwjStVRslqSjeY4IOy5Rwg109IENZZ4mL\n" + "F5BFJPUHIQ65m7vWF091CcmK9yOjhZ19aawMUQDpCiCjggE8MIIBODBZBggrBgEF\n" + "BQcBAQRNMEswSQYIKwYBBQUHMAKGPWh0dHA6Ly9wa2kuaW5maW5lb24uY29tL09w\n" + "dGlnYUVjY1Jvb3RDQTIvT3B0aWdhRWNjUm9vdENBMi5jcnQwHQYDVR0OBBYEFMfY\n" + "6hrNmsmcNQkPCrXM5ISJzxUdMA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAG\n" + "AQH/AgEAME4GA1UdHwRHMEUwQ6BBoD+GPWh0dHA6Ly9wa2kuaW5maW5lb24uY29t\n" + "L09wdGlnYUVjY1Jvb3RDQTIvT3B0aWdhRWNjUm9vdENBMi5jcmwwFQYDVR0gBA4w\n" + "DDAKBggqghQARAEUATAfBgNVHSMEGDAWgBSCuD3Mcbg+fvac1h3ITVIycGzHnTAQ\n" + "BgNVHSUECTAHBgVngQUIATAKBggqhkjOPQQDBAOBjAAwgYgCQgCxOZetx3JsIj/x\n" + "tmQiqH24lCydvK+YD+HFXfPqSTkqyAl1k6oq7oHOVDfDwiFO34l5ZCpk+Om7y4hE\n" + "CN813X4+YQJCAOMAUk7PWKDHg7avff7v8T3U0jBhrj/zcna2d1Wt5YG814+Jpk9j\n" + "OyD3mUxh8uFPhavNYLdFtrwguXqTVyZcZB+D\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) RSA Root CA 2 + * Algorithms: RSA 4096-bit, SHA2-256 + * Validity: Nov 22 23:59:59 2054 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFsTCCA5mgAwIBAgIBWTANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkgUlNB\n" + "IFJvb3QgQ0EgMjAgFw0xOTExMjIwMDAwMDBaGA8yMDU0MTEyMjIzNTk1OVoweTEL\n" + "MAkGA1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEb\n" + "MBkGA1UECwwST1BUSUdBKFRNKSBEZXZpY2VzMSowKAYDVQQDDCFJbmZpbmVvbiBP\n" + "UFRJR0EoVE0pIFJTQSBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n" + "ggIKAoICAQClvyAQlJNoJwAXwO5AojnaZO3rYqEbnox1r4jVvsjVnbDYSm9qYMIh\n" + "X0lEweLh3GmC/B0VgN0eoVTdfUZ/H9laK+PETmzQnKya8Gsq/XSCq8nWKslTgdoY\n" + "w44ddSBrTKoLWLPb8VW0FU0YIZaQEdXtWCQ2UqP+3Y6HbR8+RPO5DW64VsaGbeDx\n" + "VZgskZauH0oZ4eU7pCa9z6WwhExHMqgTOMHNuCgAWD/OkxqBsS74/2L4nv6zJD9+\n" + "yPLF3PjbVolC5WzR8M3ZUhN2iGp9V80/SEmj8SGS/z5l0cIwqua9DLhj/VCTo2Tl\n" + "qJ1hjQVaKYRnPaLPnxOmjbwPkCBO/Tj4jHVLfjk1XArSR3tjZK2CvRERweLC/XdK\n" + "doJuPPASeR8qmbhaj39wHBT5CTpJ8Hlh3uL1nMpeRJHJ0qM+7enirx/7WPuoI6FZ\n" + "N9xEWh7k6kma8wjjettN8r8qHBJjQN6IeJ8p2dETfRK+Wva718S2TKf3RyrD2aX3\n" + "RUGjFPxZcwDAX+YlqW7p03/77nf1SYnvyX7EyTZ99fRUjghVnM2tnTC4Soi6Sv1Z\n" + "oXxWFSOMUeRb3YN+OlWvqnVIJ1UNiTe5l1qCnEE+P+lj87sSjwSP63ME4xaNFmlT\n" + "v50t3+Gxpj92h8/owOpUBTD1uwLiZNDXhBE3qTtqO5T655ulTBsiZQIDAQABo0Iw\n" + "QDAdBgNVHQ4EFgQU+0/LDx9uXdViIvTFSiU55L1NaigwDgYDVR0PAQH/BAQDAgAG\n" + "MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFUkfuMp8AubFwcY\n" + "id4j4W5d3vTkSHxLWQ+ILgw8t3goF/Zp1ikDJMPVynEaVEIet5qjT5jZe56j0HkI\n" + "gyrOtjUxXXXvjSYEiUsoghp4ECM6EMj3nUmSqFkP8A9eGLtfpjTDFml0kPsBrK3e\n" + "o0+moWLvRsFRL9wVKKu2OTdA3aUG8hfNocvu/H7yqsLNg1DAwmhBajQl3PtICjPB\n" + "xUmhE1mxq998CVvdId7PqkTrBmUK8mNTNnLsDqFP2API//XxPWI9/LCib4StwM1w\n" + "v0ECNelb/bAw3FDx6HcJqkA8mRqfjg+cngOCPQXa3MWXbod5RM6DzQhwgAaofSlv\n" + "PzZGZvOu84FILJkSxj9ZpPVDy3bgTS2AE9Iy0C6y/1GyeHhDYFYdxg40osoCOBxu\n" + "1WwsEPr0FkYYXX2YSRa3MmrkkWzXrgx1JKzJB6p/mQ14j1R3eMiYWKx5DjtkAmM9\n" + "9qsnIU42jIpbwvQF1YC41GYclP2pX45LmDGTWgBDSBBtjEPnn2gwYH6uaSR3zndx\n" + "nqu/imr4HSyvrsIGNak5RLEed8e02nbjTAehOLAZGdj+TMnvbQBS0AiZZO3qWx9T\n" + "/ABQ8gFSGgorfvS5Lg7ANIiBSsCsVIa28I2eiYrJZatuFAo1Xg4z3n2kvL7S1wZy\n" + "8MZsUVujMk+IInhi81MQZFUR2QbA\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 059 + * Issuer: CN=Infineon OPTIGA(TM) RSA Root CA 2 + * Algorithms: RSA 4096-bit, SHA2-384 + * Validity: Mar 10 10:36:34 2042 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIGqzCCBJOgAwIBAgIEavSCmDANBgkqhkiG9w0BAQwFADB5MQswCQYDVQQGEwJE\n" + "RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP\n" + "UFRJR0EoVE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkg\n" + "UlNBIFJvb3QgQ0EgMjAeFw0yMjAzMTAxMDM2MzRaFw00MjAzMTAxMDM2MzRaMHYx\n" + "CzAJBgNVBAYTAkRFMSEwHwYDVQQKDBhJbmZpbmVvbiBUZWNobm9sb2dpZXMgQUcx\n" + "EzARBgNVBAsMCk9QVElHQShUTSkxLzAtBgNVBAMMJkluZmluZW9uIE9QVElHQShU\n" + "TSkgVFBNIDIuMCBSU0EgQ0EgMDU5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC\n" + "CgKCAgEA5Eq4pO/DJwsbPLocqJJGHoA6ZcoSKV0Te2nCdTRGVhH+Ba0nhlwI2k/K\n" + "6lxoZ6DTJ7sQajy8nHq+7lxg/C35pN1/20Wh3aCd4AKdiRZRE7odg9exNT0TMAos\n" + "aHAHU6jJcTIfnREXev63SDJgdkg3bY4sHdjTirUj+BI315eZi871Gh1dFh+W9WFT\n" + "JPbuvvWWRe4fNtvEnpLQLSTbR9c2LE+Udo6Cax1aUP4CqqQS+iUnoU1XJ2wMDk2O\n" + "R2SUtLDfEUhRzqsqw5pEu2lS8lnmxZwKz2n32PKKoqEAWmRQ9mq8mmybB5mf+KOk\n" + "BKU2DhpKltMewsONL72gQ800W17B2szEBYkk7weckMfWiSaDT8HNQthY7BZ7qyzu\n" + "7pM/nPIsElvEN+oY4QGPcH1IFQXZpUq27lNalsiFKN+PFTkDmWpTCLWwtqRgXqSw\n" + "eMzE/C9ifQvlyPYH5ZmpMKl6fZfBl5jLWkW7VTJXNAf0cHU6d9jw02zZwj3esd5K\n" + "Sj7fYSt6kxEv/QQ+91O6ceMd1rQ7Wo1ufi6Y8bMmhDDUQCbhtUveMs/zNhtZ9Dy7\n" + "2AxE1INaHj9Xwj/nvSAS0oE/6CUbpiloxYuTdY4k+CUA+Ob5/GX6h3IPZyHwlP1x\n" + "vjoald5nSq9ffdn+X4yWtyINaR0D6X+elGxHjsMLRnUMhin9lx8CAwEAAaOCATww\n" + "ggE4MFkGCCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAoY9aHR0cDovL3BraS5pbmZp\n" + "bmVvbi5jb20vT3B0aWdhUnNhUm9vdENBMi9PcHRpZ2FSc2FSb290Q0EyLmNydDAd\n" + "BgNVHQ4EFgQU7lMg7m2CeMnsa+6Wu4I6TyUdwxMwDgYDVR0PAQH/BAQDAgAGMBIG\n" + "A1UdEwEB/wQIMAYBAf8CAQAwTgYDVR0fBEcwRTBDoEGgP4Y9aHR0cDovL3BraS5p\n" + "bmZpbmVvbi5jb20vT3B0aWdhUnNhUm9vdENBMi9PcHRpZ2FSc2FSb290Q0EyLmNy\n" + "bDAVBgNVHSAEDjAMMAoGCCqCFABEARQBMB8GA1UdIwQYMBaAFPtPyw8fbl3VYiL0\n" + "xUolOeS9TWooMBAGA1UdJQQJMAcGBWeBBQgBMA0GCSqGSIb3DQEBDAUAA4ICAQB9\n" + "+nOzisSHWLtHLpTviVdtUIuW9WxrHqcE1+OD9kMnGW0R6DWacPNWb+rjQ9V0aZgd\n" + "SRxlRqsQtPXgYjO10iPQmhKIhL7bWmYcm5If3NOiaFXSS9Xb7cNoPk+FJNWoY85F\n" + "CKQWld0+RooebSDe1tLjE+kUuGMMvtoLumBiEBVcu+F2wuibO+Mo8Xr7VPl7o3J1\n" + "asV2ZFtmrqHykfEWaJhswjw/FSQec2bFNafWW2dS3za658eoFEjmE59mIDCqx4p3\n" + "4Qmm195P+zFqYTXJMifkoizIi2lJGtdoLZB4c6AzHeT+UOVjr027fdSqUxAyQeUI\n" + "uZfApcfWR21jxrpOxfkmy8GmtolrmRBZVbEKED1tsk3PxxCx1EeVrO46DaamkGFj\n" + "TQYOjvdmCD+KcmCvG39Ftj4dy7kaObrdAVkQwFa/aCTH90vHGOlZUl/WuMg2PQlq\n" + "kqkcAnBUPGbJIr9RJWZCxv4w0Mu5RnHWcs39HF4WSubLiuImbQRgLQuDuSJCMxZn\n" + "DGYublH8ff8/abMvxI51XxpmaPLe9ZFP6LSdD1poeTT4j46yAH2GacsaysOzXuPB\n" + "dgXXMFHAomRi10j/mp3Fv1nz73zVVy0e+4aj6Wh4+omKvXgwH8YgQVbMrPQfhbQg\n" + "Q6kr1MlRyGqkQFTEeOHGI0PngcLQJzKYfjHDDEZ+GA==\n" + "-----END CERTIFICATE-----\n", + + + /* ---------------------------------------------------------------*/ + /* STMicroelectronics NV */ + /* ---------------------------------------------------------------*/ + /* Subject: CN=STSAFE ECC Root CA 02 + * Algorithms: ECDSA SECP521R1, SHA2-512 + * Validity: Dec 31 00:00:00 9999 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICWjCCAbugAwIBAgIGVR0gAAECMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAkNI\n" + "MR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNUU0FG\n" + "RSBFQ0MgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAwMDAw\n" + "MFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmljcyBO\n" + "VjEeMBwGA1UEAxMVU1RTQUZFIEVDQyBSb290IENBIDAyMIGbMBAGByqGSM49AgEG\n" + "BSuBBAAjA4GGAAQAJFgkbtp5mZpvISjL8zAUSSJXxXpPhxhSVGQfqU0GEjPBIMMD\n" + "KNvc23xCcyIsiFTMD4MZQ1wov0SaBE3M31bWx78BrbiPCJ4lXUvJWiwm9+v3EL1z\n" + "lznBtyJDYUkrUe2n7r8NH7kAQ1X/csItvyomECdRtm4wwD8VX1n+l3npVlMNOxWj\n" + "QjBAMB0GA1UdDgQWBBT1XLcHvEsXQiYkgEBLu3yAulo8vjAOBgNVHQ8BAf8EBAMC\n" + "AQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDBAOBjAAwgYgCQgC85uufYwd5\n" + "yelX2EKkjx7s8LP6qgcXHxkO1zZYrTU7umomS5beVyPf2hA12yPVG9VnYUqs9+RA\n" + "L0mbODJNfHR5yAJCAUf2a5qPe3a/BpZBoY7YI68nUt1UD8ScX+IbkLJQ6mPe8pNR\n" + "xRJfSy8RvtTJcPEqH7kpj5sZjlRC5GUG/3Sco8uX\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STSAFE TPM ECC Intermediate CA 10 + * Issuer: CN=STSAFE ECC Root CA 02 + * Algorithms: ECDSA SECP384R1, SHA2-384 + * Validity: Jan 1 00:00:00 2042 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDQjCCAqOgAwIBAgIEQQAAEDAKBggqhkjOPQQDAzBNMQswCQYDVQQGEwJDSDEe\n" + "MBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNBRkUg\n" + "RUNDIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDIwMTAxMDAwMDAwWjBZ\n" + "MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSow\n" + "KAYDVQQDEyFTVFNBRkUgVFBNIEVDQyBJbnRlcm1lZGlhdGUgQ0EgMTAwdjAQBgcq\n" + "hkjOPQIBBgUrgQQAIgNiAASTJN1bV66WKZt1gjvbSCbHJbo3HFyT/jqJ7+rqeMHK\n" + "Z55dI/FYfY/qgK1A9xTy3S3aUysFnTo5RQSy8EqcY2JxijlKU0hISan3IRV/ycA0\n" + "1KeA1AzDj6SKY0BCO07kc7yjggFGMIIBQjAdBgNVHQ4EFgQUnLOZx0g2wg9IQLg/\n" + "lCqnQZj6s1owHwYDVR0jBBgwFoAU9Vy3B7xLF0ImJIBAS7t8gLpaPL4wQwYDVR0g\n" + "AQH/BDkwNzA1BgRVHSAAMC0wKwYIKwYBBQUHAgEWH2h0dHA6Ly9zdy1jZW50ZXIu\n" + "c3QuY29tL1NUU0FGRS8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\n" + "AQAwUAYIKwYBBQUHAQEERDBCMEAGCCsGAQUFBzAChjRodHRwOi8vc3ctY2VudGVy\n" + "LnN0LmNvbS9TVFNBRkUvU1RTQUZFRWNjUm9vdENBMDIuY3J0MEUGA1UdHwQ+MDww\n" + "OqA4oDaGNGh0dHA6Ly9zdy1jZW50ZXIuc3QuY29tL1NUU0FGRS9TVFNBRkVFY2NS\n" + "b290Q0EwMi5jcmwwCgYIKoZIzj0EAwMDgYwAMIGIAkIB9BxSCiEYdXzw4InfqOVA\n" + "JXxwDySjdgGZkckh9eu6OAwzPoRsjwt59/R1LRxISsE8BFRCyL+/0Stae8W6CaUa\n" + "YgkCQgEEZpf+KEZYKG+XFIfavWzFAFHgShQD2+fd21ncprh7rZDruPbeCqS6JEYc\n" + "qKsm6vl5yWjrv88UV/UeeTqlz6WTww==\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STSAFE TPM ECC Intermediate CA 11 + * Issuer: CN=STSAFE ECC Root CA 02 + * Algorithms: ECDSA SECP384R1, SHA2-384 + * Validity: Jan 1 00:00:00 2042 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDQjCCAqOgAwIBAgIEQQAAETAKBggqhkjOPQQDAzBNMQswCQYDVQQGEwJDSDEe\n" + "MBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNBRkUg\n" + "RUNDIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDIwMTAxMDAwMDAwWjBZ\n" + "MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSow\n" + "KAYDVQQDEyFTVFNBRkUgVFBNIEVDQyBJbnRlcm1lZGlhdGUgQ0EgMTEwdjAQBgcq\n" + "hkjOPQIBBgUrgQQAIgNiAAT1l1mAZbejAFPcYl7AyR0vQUzcM4a/AVzs4ctaxKOH\n" + "PcXmxT6EeeXXDX4JcbuEgD7zZr+nw1AeZRCbO89o86+OM2yMKPqAl4tToRYAUIyl\n" + "mYjHe8wUKeyUbMUMg5FZ92qjggFGMIIBQjAdBgNVHQ4EFgQU+A/ygAr/JRzH4rpY\n" + "vietSY6qitYwHwYDVR0jBBgwFoAU9Vy3B7xLF0ImJIBAS7t8gLpaPL4wQwYDVR0g\n" + "AQH/BDkwNzA1BgRVHSAAMC0wKwYIKwYBBQUHAgEWH2h0dHA6Ly9zdy1jZW50ZXIu\n" + "c3QuY29tL1NUU0FGRS8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\n" + "AQAwUAYIKwYBBQUHAQEERDBCMEAGCCsGAQUFBzAChjRodHRwOi8vc3ctY2VudGVy\n" + "LnN0LmNvbS9TVFNBRkUvU1RTQUZFRWNjUm9vdENBMDIuY3J0MEUGA1UdHwQ+MDww\n" + "OqA4oDaGNGh0dHA6Ly9zdy1jZW50ZXIuc3QuY29tL1NUU0FGRS9TVFNBRkVFY2NS\n" + "b290Q0EwMi5jcmwwCgYIKoZIzj0EAwMDgYwAMIGIAkIBG7lZLscwwyv/6EMhsalu\n" + "1kMx4rG8y0hQvB43eapAdpiwWJU93FF12Agtf5aDLr/zzjTy2epE1LOpBTDs431w\n" + "exwCQgHvMXOrbU26af1JTw1TD92QorKeYX9AspNRfHTJqijcue4MIMa3lAdssvCy\n" + "3QJ/mdWzkS8U0LlHNOV2Lb9PF4B10A==\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STSAFE RSA Root CA 02 + * Algorithms: RSA 4096-bit, SHA2-384 + * Validity: Dec 31 00:00:00 9999 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFXjCCA0agAwIBAgIGVR0gAAACMA0GCSqGSIb3DQEBDAUAME0xCzAJBgNVBAYT\n" + "AkNIMR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNU\n" + "U0FGRSBSU0EgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAw\n" + "MDAwMFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmlj\n" + "cyBOVjEeMBwGA1UEAxMVU1RTQUZFIFJTQSBSb290IENBIDAyMIICIjANBgkqhkiG\n" + "9w0BAQEFAAOCAg8AMIICCgKCAgEAyDtHbW51K/pnDbnPdLQTls2U/bu/aDATTi1W\n" + "CZDAtFC9sWtCRK6jQ0SG9DCCys7ur170V3Q+HVov88FzH6bYg4TWY7+wEQKLR/4W\n" + "IgdCjcW3uXMimsh9tOb+UlfRMW0yEozi7F+F/v07lULTJg+itCOMASi/caV1ySYI\n" + "cX5z/5Woj3hDgJGa4scOoxdOfPg1GCkEjQPy7fG/IBt883palE/T4UNg1megfLcg\n" + "hjOrbaPTFB3qXmm6E07QDYMkPiqryz3v9MCnOw62EXGcQLFIK4DwPxySU7NxO0ta\n" + "DHXv+8B5ljv4Jtx5OLkDf9YAfjEg6ZOpsyIGKI+bgIoVYtGbXTDZAtoMKw3ystQX\n" + "va9ceQ4cIQQUjpH6nFm8dbm/TOrkZd6m9pmLftR6kTuzRd8hhKCwpfcKbxQlMI2u\n" + "TDVbw03IFUhk23uDSTOzsyOjB2f93SLEw1yTBuiYXhO2YHUHFJckbiuz7RdE4sjN\n" + "1J0LwxKKbm9kleYEP+Kah6IJ0Zs7vbP3WNZUpmt6/XTmszb+paTSpanUYbBr2/IE\n" + "aQCRiAlv0H26i5u4CjSHRjjRIqLAuGnpn0gZ2Zgs1espJwmey7MPKvTJtK1H+TQN\n" + "0HZW8DYtcdzPkpxqKndWIUR7JTnozVPCVOcirSPGdkSvhbAGPyoyv7ju86RnTiT0\n" + "NLz7SbECAwEAAaNCMEAwHQYDVR0OBBYEFHzCjb5uWdhKVANGmxMIANL48G0nMA4G\n" + "A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4IC\n" + "AQCykiyYyHAXHzRBdqJ3QLr8qTDDNO3RdLToZmiFRdslaRr2RtlDDjcAEFKf1u/E\n" + "1qprZe926Ob5KxWIQREvDAgqAbRS9fd3+w6hZ+ZrmHNh5aH2UEgsfAi9vZ3K8BH/\n" + "rReqTm0oxCMz4socJ9tIpvGSZhJg6PDTidsIscr8iNcSsVYJO60wSMxn7tv+Buh+\n" + "ZgJFddzEYZqTuezsdiXswkAkwqTJY9KM1w0bFLHrmifkc0y6I+jeBgjGxMknz8G5\n" + "p7YX4GoeJp5LjM8z36qBFKcjkKpYEb2H+u6CxgXFsxu6nkB0pn3u2uNwmXTYIQKO\n" + "trcshrmoKUv7mDvtaNIa0blMTRTEZzkwrR1BsHm/Gz7NLhgkDIv9p1u5oiCwlebh\n" + "eJ1cDJ9I7puSBPiDDpkdvVPg0wNFPai/SAhjW0OaULcybVR7kXzST9/xerCoquYp\n" + "I+qLjTs+RqahgL5a9ZRPVABX3DwvnDCarwVqMSfRjGP4e8b2BspDM+wPTvQH1K4O\n" + "xk+qc9HT7YubzqhtJ/yfcYd/eKTsk60aNmknatNZDSFzq03lxN048n3D9mcjGDkR\n" + "15Kv5NX8DhZuCNcBddkGC96uYpgSvl089RgnSL/qPlM+QlVjPbqDpISd/z3X4RNb\n" + "vdT+agOdZZJRB1MROQXDnACVdQB1ba/DTO4UNEou27D03Q==\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STSAFE TPM RSA Intermediate CA 10 + * Issuer: CN=STSAFE RSA Root CA 02 + * RSA 4096-bit, SHA2-384 + * Validity: Jan 1 00:00:00 2042 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIGbDCCBFSgAwIBAgIEQAAAEDANBgkqhkiG9w0BAQwFADBNMQswCQYDVQQGEwJD\n" + "SDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNB\n" + "RkUgUlNBIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDIwMTAxMDAwMDAw\n" + "WjBZMQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5W\n" + "MSowKAYDVQQDEyFTVFNBRkUgVFBNIFJTQSBJbnRlcm1lZGlhdGUgQ0EgMTAwggIi\n" + "MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLtTMVm6icY4GkyBPSGRG4x04Z\n" + "s3QDarRa1jdXDDD5yYNsdenk+9wNb+pOoepnsAoD8oJ4w8MiER4eDln40c26w2fg\n" + "s+8UWDJY5zgTn/A+NBoIZ4wpOhFiE5MEWki7hLB6WPgZYDpMY38vG0RrBd9eJHxh\n" + "h32wa7ko0NDoUl7DHLIn6xyMePknl/RKcWJHtpn3KBky4qxuJf0SIgKLsjTMqpaa\n" + "15HWeYDaij2GDSV/0IY0svLrDwyP/tnONN15PnogkYKpVzXcHKoue2ViBDGqFrDv\n" + "/itYz3ze1TMqj6+iiTGG3Hg1exmch8w923Zj5BTn+Fe2kdngzOFf9jVCnRxyYZm3\n" + "A60MthkJyAjN8zkZcaepumkbF99WUJQQ2eyK4jGsVzMlmHGcMHOB2AG2W0jbnteo\n" + "0Y4PhcVkjeP9KVHu19A3PpIgThwwqeiJN+QyxSIPfwk82GfflxpXeb256hv7xvqn\n" + "2YQ0sI5UgU9aQBOZbktxRprTBipqZJbX07oLVCgRuZtm3aCTCIPVQLVGGv7wSjs8\n" + "63jQsO/52mTKHz5AAXamWKuX197OJANBWPQyk3u3+OvV8tSaetC7yuezfQUHw0ca\n" + "CgAUCit6bX02EKAb0ZZbKzGWEyBhbiw+EICWvRQktX+5S+LnVntBSx2e4zHfAcoA\n" + "KKZ6e0OZbvHaPkBOZQIDAQABo4IBRjCCAUIwHQYDVR0OBBYEFGVwYqcQVpFvjH95\n" + "ipLd5tgdCpjaMB8GA1UdIwQYMBaAFHzCjb5uWdhKVANGmxMIANL48G0nMEMGA1Ud\n" + "IAEB/wQ5MDcwNQYEVR0gADAtMCsGCCsGAQUFBwIBFh9odHRwOi8vc3ctY2VudGVy\n" + "LnN0LmNvbS9TVFNBRkUvMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\n" + "AgEAMFAGCCsGAQUFBwEBBEQwQjBABggrBgEFBQcwAoY0aHR0cDovL3N3LWNlbnRl\n" + "ci5zdC5jb20vU1RTQUZFL1NUU0FGRVJzYVJvb3RDQTAyLmNydDBFBgNVHR8EPjA8\n" + "MDqgOKA2hjRodHRwOi8vc3ctY2VudGVyLnN0LmNvbS9TVFNBRkUvU1RTQUZFUnNh\n" + "Um9vdENBMDIuY3JsMA0GCSqGSIb3DQEBDAUAA4ICAQCATjBOFHEiOfz5pGvjB0GR\n" + "aRSOMQI/kccR5FBSrsJV3wVhnEBA9WPc9sMZ5VarDiNpSYWihtyFAe72QWqsRar6\n" + "oRYAHvwsRio2l5W6GbCe50cbdvaOQlVC5wHQnP+kywdOUyK0VRKGP5qJhgS6Ze8v\n" + "0Ppc6f1UsxNHWmI1uy1oVGjF+Vl3d23EDz6G2BLRwzzMsNKZ6MM0xfNh8Us4Qvpj\n" + "Dfm+ysmX7wKYoJBAcxipaFDAEzNGLScagsJ9UvJ5whEyxvG1TrvPyvM/b+aU7H8B\n" + "aBNIsUdVKwfwkVHQah4Cyd3aXultFhJoTT44HiM6kYqfe+tPd3KbqxhEobAbFyZV\n" + "Eot3CYMQV+ZVK5xfG4Te7s9rE6HLeGGP3vWlOTtVCsMWG39FfVz+4oshygXk8c6G\n" + "rAUWSD2A96z0N4eg4MKemGmE56zaQx65jfjk5HiFDsf+A7zMAZ0P61FVUZ/GWLJY\n" + "6SicMpev12sGN4tUkqZOabgZEAzxdnaKrWUSOFVVE8e6l+TnQKS/xGDyCu0ANOPR\n" + "qMLM3x5Kx9kVZ8kGYs+8FRiVXx61WVJHztmfJmcUQirroIJZuEwAJYTt576sOQxH\n" + "U9R2VOyUgNRAdwYSvy6PU7IjDjMuTYaeMyJCJGFRcnFk/QqbHXFI4eNN5gtDKhT7\n" + "uKErQfPEhjYLdzF8/OYW7w==\n" + "-----END CERTIFICATE-----\n", + +}; + +#endif /* WOLFTPM_TRUSTED_CERTS_H */ diff --git a/examples/include.am b/examples/include.am index 25993213..96c034f0 100644 --- a/examples/include.am +++ b/examples/include.am @@ -17,6 +17,7 @@ include examples/gpio/include.am include examples/seal/include.am include examples/attestation/include.am include examples/firmware/include.am +include examples/endorsement/include.am if BUILD_EXAMPLES EXTRA_DIST += examples/run_examples.sh diff --git a/examples/nvram/read.c b/examples/nvram/read.c index 02937999..3074df5f 100644 --- a/examples/nvram/read.c +++ b/examples/nvram/read.c @@ -55,6 +55,7 @@ static void usage(void) printf("* -priv: Read ony the private part\n"); printf("* -pub: Read only the public part\n"); printf("* -aes/xor: Use Parameter Encryption\n"); + printf("* -endorsement/platform/owner: Auth hierarchy\n"); } int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[]) @@ -68,7 +69,7 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_NV nv; TPM2B_AUTH auth; word32 readSize; - TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER; /* or TPM_RH_PLATFORM */ + TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER; int paramEncAlg = TPM_ALG_NULL; int partialRead = 0; int offset = 0; @@ -89,13 +90,7 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[]) if (XSTRNCMP(argv[argc-1], "-nvindex=", XSTRLEN("-nvindex=")) == 0) { const char* nvIndexStr = argv[argc-1] + XSTRLEN("-nvindex="); nvIndex = (word32)XSTRTOL(nvIndexStr, NULL, 0); - if (!(authHandle == TPM_RH_PLATFORM && ( - nvIndex > TPM_20_PLATFORM_MFG_NV_SPACE && - nvIndex < TPM_20_OWNER_NV_SPACE)) && - !(authHandle == TPM_RH_OWNER && ( - nvIndex > TPM_20_OWNER_NV_SPACE && - nvIndex < TPM_20_TCG_NV_SPACE))) - { + if (nvIndex < NV_INDEX_FIRST || nvIndex > NV_INDEX_LAST) { fprintf(stderr, "Invalid NV Index %s\n", nvIndexStr); fprintf(stderr, "\tPlatform Range: 0x%x -> 0x%x\n", TPM_20_PLATFORM_MFG_NV_SPACE, TPM_20_OWNER_NV_SPACE); @@ -105,6 +100,15 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[]) return -1; } } + else if (XSTRCMP(argv[argc-1], "-endorsement") == 0) { + authHandle = TPM_RH_ENDORSEMENT; + } + else if (XSTRCMP(argv[argc-1], "-platform") == 0) { + authHandle = TPM_RH_PLATFORM; + } + else if (XSTRCMP(argv[argc-1], "-owner") == 0) { + authHandle = TPM_RH_OWNER; + } else if (XSTRCMP(argv[argc-1], "-aes") == 0) { paramEncAlg = TPM_ALG_CFB; } @@ -123,14 +127,19 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[]) argc--; } + printf("NV Read\n"); + printf("\tNV Index: 0x%08x\n", nvIndex); + printf("\tAuth: %s\n", + (authHandle == TPM_RH_ENDORSEMENT) ? "Endorsement" : + (authHandle == TPM_RH_PLATFORM) ? "Platform" : "Owner"); if (paramEncAlg == TPM_ALG_CFB) { - printf("Parameter Encryption: Enabled. (AES CFB)\n\n"); + printf("\tParameter Encryption: Enabled. (AES CFB)\n\n"); } else if (paramEncAlg == TPM_ALG_XOR) { - printf("Parameter Encryption: Enabled. (XOR)\n\n"); + printf("\tParameter Encryption: Enabled. (XOR)\n\n"); } else { - printf("Parameter Encryption: Not enabled (try -aes or -xor).\n\n"); + printf("\tParameter Encryption: Not enabled (try -aes or -xor).\n\n"); } XMEMSET(&keyBlob, 0, sizeof(keyBlob)); diff --git a/examples/run_examples.sh b/examples/run_examples.sh index c0257602..e6d037c4 100755 --- a/examples/run_examples.sh +++ b/examples/run_examples.sh @@ -600,6 +600,13 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then fi +# Endorsement key and certificate +echo -e "Endorsement Key (EK) and Certificate" +./examples/endorsement/get_ek_certs >> run.out 2>&1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "get_ek_certs failed! $RESULT" && exit 1 + + rm -f keyblob.bin echo -e "Success!" diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index b1c4aaac..575b2be5 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -29,7 +29,8 @@ #include #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY) + !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY) && \ + (defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS)) #include #include @@ -633,7 +634,8 @@ int main(int argc, char* argv[]) int rc = -1; #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY) + !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY) && \ + (defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS)) rc = TPM2_TLS_ClientArgs(NULL, argc, argv); #else (void)argc; diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index ca0ab320..ec021379 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -29,7 +29,8 @@ #include #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ - !defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY) + !defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY) && \ + (defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS)) #include #include @@ -623,7 +624,8 @@ int main(int argc, char* argv[]) int rc = -1; #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ - !defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY) + !defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY) && \ + (defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS)) rc = TPM2_TLS_ServerArgs(NULL, argc, argv); #else (void)argc; diff --git a/src/tpm2.c b/src/tpm2.c index 76a97638..79e7b505 100644 --- a/src/tpm2.c +++ b/src/tpm2.c @@ -5495,8 +5495,6 @@ int TPM2_IFX_FieldUpgradeCommand(TPM_CC cc, uint8_t* data, uint32_t size) } return rc; } - - #endif /* WOLFTPM_SLB9672 || WOLFTPM_SLB9673 */ #endif /* WOLFTPM_FIRMWARE_UPGRADE */ @@ -6004,6 +6002,10 @@ int TPM2_GetTpmCurve(int curve_id) case ECC_SECP521R1: ret = TPM_ECC_NIST_P521; break; + case ECC_BRAINPOOLP256R1: + ret = TPM_ECC_BN_P256; + break; + case TPM_ECC_BN_P638: default: ret = ECC_CURVE_OID_E; } @@ -6033,7 +6035,10 @@ int TPM2_GetWolfCurve(int curve_id) ret = ECC_SECP521R1; break; case TPM_ECC_BN_P256: + ret = ECC_BRAINPOOLP256R1; + break; case TPM_ECC_BN_P638: + default: ret = ECC_CURVE_OID_E; } #endif diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index d99fb387..9001529a 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -1413,6 +1413,12 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm hashType = WC_HASH_TYPE_SHA256; mgf = WC_MGF1SHA256; } +#ifdef WOLFSSL_SHA384 + else if (publicArea->nameAlg == TPM_ALG_SHA384) { + hashType = WC_HASH_TYPE_SHA384; + mgf = WC_MGF1SHA384; + } +#endif else { return NOT_COMPILED_IN; } @@ -5711,7 +5717,8 @@ int GetKeyTemplateRSA(TPMT_PUBLIC* publicTemplate, ((objectAttributes & TPMA_OBJECT_decrypt) && (objectAttributes & TPMA_OBJECT_restricted))) { publicTemplate->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES; - publicTemplate->parameters.rsaDetail.symmetric.keyBits.aes = 128; + publicTemplate->parameters.rsaDetail.symmetric.keyBits.aes = + (keyBits > 2048) ? 256 : 128; publicTemplate->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; } else { @@ -5750,7 +5757,8 @@ int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate, ((objectAttributes & TPMA_OBJECT_decrypt) && (objectAttributes & TPMA_OBJECT_restricted))) { publicTemplate->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; - publicTemplate->parameters.eccDetail.symmetric.keyBits.aes = 128; + publicTemplate->parameters.eccDetail.symmetric.keyBits.aes = + (curveSz >= 48) ? 256 : 128; publicTemplate->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; } else { @@ -5857,40 +5865,154 @@ int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID name return TPM_RC_SUCCESS; } -int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate) +int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg, + int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange) { - int ret; + int rc; TPMA_OBJECT objectAttributes = ( TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent | TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_adminWithPolicy | TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt); + if (highRange) { + /* High range requires userWithAuth=1 */ + objectAttributes |= TPMA_OBJECT_userWithAuth; + } - ret = GetKeyTemplateRSA(publicTemplate, TPM_ALG_SHA256, - objectAttributes, 2048, 0, TPM_ALG_NULL, TPM_ALG_NULL); - if (ret == 0) { - publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY); - XMEMCPY(publicTemplate->authPolicy.buffer, - TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size); + if (alg == TPM_ALG_RSA) { + rc = GetKeyTemplateRSA(publicTemplate, nameAlg, + objectAttributes, keyBits, 0, TPM_ALG_NULL, TPM_ALG_NULL); + if (rc == 0 && highRange) { /* high range uses 0 unique size */ + publicTemplate->unique.rsa.size = 0; + } } - return ret; + else if (alg == TPM_ALG_ECC) { + rc = GetKeyTemplateECC(publicTemplate, nameAlg, + objectAttributes, curveID, TPM_ALG_NULL, TPM_ALG_NULL); + if (rc == 0 && highRange) { /* high range uses 0 unique size */ + publicTemplate->unique.ecc.x.size = 0; + publicTemplate->unique.ecc.y.size = 0; + } + + } + else { + rc = BAD_FUNC_ARG; /* not supported */ + } + + if (rc == 0) { + if (nameAlg == TPM_ALG_SHA256 && !highRange) { + publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY); + XMEMCPY(publicTemplate->authPolicy.buffer, + TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size); + } + else if (nameAlg == TPM_ALG_SHA256) { + publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA256); + XMEMCPY(publicTemplate->authPolicy.buffer, + TPM_20_EK_AUTH_POLICY_SHA256, publicTemplate->authPolicy.size); + } + #ifdef WOLFSSL_SHA384 + else if (nameAlg == TPM_ALG_SHA384) { + publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA384); + XMEMCPY(publicTemplate->authPolicy.buffer, + TPM_20_EK_AUTH_POLICY_SHA384, publicTemplate->authPolicy.size); + } + #endif + #ifdef WOLFSSL_SHA512 + else if (nameAlg == TPM_ALG_SHA512) { + publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA512); + XMEMCPY(publicTemplate->authPolicy.buffer, + TPM_20_EK_AUTH_POLICY_SHA512, publicTemplate->authPolicy.size); + } + #endif + } + + return rc; } -int wolfTPM2_GetKeyTemplate_ECC_EK(TPMT_PUBLIC* publicTemplate) +int wolfTPM2_GetKeyTemplate_EKIndex(word32 nvIndex, + TPMT_PUBLIC* publicTemplate) { - int ret; - TPMA_OBJECT objectAttributes = ( - TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent | - TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_adminWithPolicy | - TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt); + TPM_ALG_ID alg = TPM_ALG_NULL; + TPM_ALG_ID nameAlg = TPM_ALG_NULL; + TPM_ECC_CURVE curveID = TPM_ECC_NONE; + uint32_t keyBits = 0; + int highRange = 0; - ret = GetKeyTemplateECC(publicTemplate, TPM_ALG_SHA256, - objectAttributes, TPM_ECC_NIST_P256, TPM_ALG_NULL, TPM_ALG_NULL); - if (ret == 0) { - publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY); - XMEMCPY(publicTemplate->authPolicy.buffer, - TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size); + /* validate index is in NV EK range */ + if (nvIndex < TPM_20_TCG_NV_SPACE || + nvIndex > TPM_20_TCG_NV_SPACE + 0x1FF) { + return BAD_FUNC_ARG; } - return ret; + + /* determine if low or high range */ + if (nvIndex >= TPM2_NV_EK_RSA2048) { + highRange = 1; + } + + /* Determine algorithm based on index */ + switch (nvIndex) { + case TPM2_NV_RSA_EK_CERT: /* EK (Low Range): RSA 2048 */ + case TPM2_NV_EK_RSA2048: /* EK (High Range) */ + alg = TPM_ALG_RSA; + nameAlg = TPM_ALG_SHA256; + keyBits = 2048; + break; + case TPM2_NV_EK_RSA3072: + alg = TPM_ALG_RSA; + nameAlg = TPM_ALG_SHA384; + keyBits = 3072; + break; + case TPM2_NV_EK_RSA4096: + alg = TPM_ALG_RSA; + nameAlg = TPM_ALG_SHA512; + keyBits = 4096; + break; + case TPM2_NV_ECC_EK_CERT: /* EK (Low Range): ECC P256 */ + case TPM2_NV_EK_ECC_P256: /* EK (High Range) */ + alg = TPM_ALG_ECC; + curveID = TPM_ECC_NIST_P256; + nameAlg = TPM_ALG_SHA256; + keyBits = 256; + break; + case TPM2_NV_EK_ECC_P384: + alg = TPM_ALG_ECC; + curveID = TPM_ECC_NIST_P384; + nameAlg = TPM_ALG_SHA384; + keyBits = 384; + break; + case TPM2_NV_EK_ECC_P521: + alg = TPM_ALG_ECC; + curveID = TPM_ECC_NIST_P521; + nameAlg = TPM_ALG_SHA512; + keyBits = 521; + break; + case TPM2_NV_EK_ECC_SM2: + alg = TPM_ALG_SM2; + curveID = TPM_ECC_SM2_P256; + nameAlg = TPM_ALG_SHA256; + keyBits = 256; + break; + default: + alg = TPM_ALG_NULL; + curveID = TPM_ECC_NONE; + nameAlg = TPM_ALG_NULL; + keyBits = 0; + break; + } + + return wolfTPM2_GetKeyTemplate_EK(publicTemplate, alg, keyBits, curveID, + nameAlg, highRange); +} + +int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate) +{ + return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_RSA, 2048, + TPM_ALG_NULL, TPM_ALG_SHA256, 0); +} + +int wolfTPM2_GetKeyTemplate_ECC_EK(TPMT_PUBLIC* publicTemplate) +{ + return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_ECC, 256, + TPM_ECC_NIST_P256, TPM_ALG_SHA256, 0); } int wolfTPM2_GetKeyTemplate_RSA_SRK(TPMT_PUBLIC* publicTemplate) diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h index 8c8cc710..30c248a7 100644 --- a/wolftpm/tpm2.h +++ b/wolftpm/tpm2.h @@ -1649,18 +1649,67 @@ typedef struct TPM2_AUTH_SESSION { #define TPM_20_OWNER_NV_SPACE ((TPM_HT_NV_INDEX << 24) | (0x02 << 22)) #define TPM_20_TCG_NV_SPACE ((TPM_HT_NV_INDEX << 24) | (0x03 << 22)) -#define TPM_20_NV_INDEX_EK_CERTIFICATE (TPM_20_PLATFORM_MFG_NV_SPACE + 2) -#define TPM_20_NV_INDEX_EK_NONCE (TPM_20_PLATFORM_MFG_NV_SPACE + 3) -#define TPM_20_NV_INDEX_EK_TEMPLATE (TPM_20_PLATFORM_MFG_NV_SPACE + 4) - -/* Predetermined TPM 2.0 Endorsement policy auth template for SHA2-256 */ +/* EK (Low Range): RSA 2048 */ +#define TPM2_NV_RSA_EK_CERT (TPM_20_TCG_NV_SPACE + 0x2) +#define TPM2_NV_RSA_EK_NONCE (TPM_20_TCG_NV_SPACE + 0x3) +#define TPM2_NV_RSA_EK_TEMPLATE (TPM_20_TCG_NV_SPACE + 0x4) + +/* EK (Low Range): ECC P256 */ +#define TPM2_NV_ECC_EK_CERT (TPM_20_TCG_NV_SPACE + 0xA) +#define TPM2_NV_ECC_EK_NONCE (TPM_20_TCG_NV_SPACE + 0xB) +#define TPM2_NV_ECC_EK_TEMPLATE (TPM_20_TCG_NV_SPACE + 0xC) + +/* EK (High Range) */ +#define TPM2_NV_EK_RSA2048 (TPM_20_TCG_NV_SPACE + 0x12) +#define TPM2_NV_EK_ECC_P256 (TPM_20_TCG_NV_SPACE + 0x14) +#define TPM2_NV_EK_ECC_P384 (TPM_20_TCG_NV_SPACE + 0x16) +#define TPM2_NV_EK_ECC_P521 (TPM_20_TCG_NV_SPACE + 0x18) +#define TPM2_NV_EK_ECC_SM2 (TPM_20_TCG_NV_SPACE + 0x1A) +#define TPM2_NV_EK_RSA3072 (TPM_20_TCG_NV_SPACE + 0x1C) +#define TPM2_NV_EK_RSA4096 (TPM_20_TCG_NV_SPACE + 0x1E) + +/* EK Certificate Chains (0x100 - 0x1FF) - Not common */ +#define TPM2_NV_EK_CHAIN (TPM_20_TCG_NV_SPACE + 0x100) + +/* Predetermined TPM 2.0 Endorsement policy auth templates */ +/* SHA256 (Low Range) */ static const BYTE TPM_20_EK_AUTH_POLICY[] = { - 0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc, - 0x8d, 0x46, 0xa5, 0xd7, 0x24, 0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52, - 0x0b, 0x64, 0xf2, 0xa1, 0xda, 0x1b, 0x33, 0x14, 0x69, 0xaa, + 0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8, + 0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24, + 0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64, + 0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA }; - - +/* SHA256 (PolicyB - High Range) */ +static const BYTE TPM_20_EK_AUTH_POLICY_SHA256[] = { + 0xCA, 0x3D, 0x0A, 0x99, 0xA2, 0xB9, 0x39, 0x06, + 0xF7, 0xA3, 0x34, 0x24, 0x14, 0xEF, 0xCF, 0xB3, + 0xA3, 0x85, 0xD4, 0x4C, 0xD1, 0xFD, 0x45, 0x90, + 0x89, 0xD1, 0x9B, 0x50, 0x71, 0xC0, 0xB7, 0xA0 +}; +#ifdef WOLFSSL_SHA384 +/* SHA384 (PolicyB - High Range) */ +static const BYTE TPM_20_EK_AUTH_POLICY_SHA384[] = { + 0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC, + 0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A, + 0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4, + 0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA, + 0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15, + 0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12 +}; +#endif +#ifdef WOLFSSL_SHA512 +/* SHA512 (PolicyB - High Range) */ +static const BYTE TPM_20_EK_AUTH_POLICY_SHA512[] = { + 0xB8, 0x22, 0x1C, 0xA6, 0x9E, 0x85, 0x50, 0xA4, + 0x91, 0x4D, 0xE3, 0xFA, 0xA6, 0xA1, 0x8C, 0x07, + 0x2C, 0xC0, 0x12, 0x08, 0x07, 0x3A, 0x92, 0x8D, + 0x5D, 0x66, 0xD5, 0x9E, 0xF7, 0x9E, 0x49, 0xA4, + 0x29, 0xC4, 0x1A, 0x6B, 0x26, 0x95, 0x71, 0xD5, + 0x7E, 0xDB, 0x25, 0xFB, 0xDB, 0x18, 0x38, 0x42, + 0x56, 0x08, 0xB4, 0x13, 0xCD, 0x61, 0x6A, 0x5F, + 0x6D, 0xB5, 0xB6, 0x07, 0x1A, 0xF9, 0x9B, 0xEA +}; +#endif /* HAL IO Callbacks */ struct TPM2_CTX; diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h index 12fb0b9f..37b5d8b8 100644 --- a/wolftpm/tpm2_wrap.h +++ b/wolftpm/tpm2_wrap.h @@ -134,10 +134,6 @@ typedef struct WOLFTPM2_CAPS { word16 req_wait_state : 1; /* requires SPI wait state */ } WOLFTPM2_CAPS; -/* NV Handles */ -#define TPM2_NV_RSA_EK_CERT 0x01C00002 -#define TPM2_NV_ECC_EK_CERT 0x01C0000A - /* Wrapper API's to simplify TPM use */ @@ -2678,6 +2674,46 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeyedHash(TPMT_PUBLIC* publicTemplate, */ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID nameAlg); +/*! + \ingroup wolfTPM2_Wrappers + \brief Prepares a TPM public template for generating the TPM Endorsement Key + + \return TPM_RC_SUCCESS: successful + \return BAD_FUNC_ARG: check the provided arguments + + \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template + \param alg can be only TPM_ALG_RSA or TPM_ALG_ECC, see Note above + \param keyBits integer value, specifying bits for the key, typically 2048 (RSA) or 256 (ECC) + \param curveId use one of the accepted TPM_ECC_CURVE values like TPM_ECC_NIST_P256 (only used when alg=TPM_ALG_ECC) + \param nameAlg integer value of TPMI_ALG_HASH type, specifying a valid TPM2 hashing algorithm (typically TPM_ALG_SHA256) + \param highRange integer value: 0=low range, 1=high range + + \sa wolfTPM2_GetKeyTemplate_ECC_EK + \sa wolfTPM2_GetKeyTemplate_RSA_SRK + \sa wolfTPM2_GetKeyTemplate_RSA_AIK + \sa wolfTPM2_GetKeyTemplate_EKIndex +*/ +WOLFTPM_API int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg, + int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange); + +/*! + \ingroup wolfTPM2_Wrappers + \brief Helper to get the Endorsement public key template by NV index + + \return TPM_RC_SUCCESS: successful + \return BAD_FUNC_ARG: check the provided arguments + + \param nvIndex handle for NV index. Typically starting from TPM_20_TCG_NV_SPACE + \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template + + \sa wolfTPM2_GetKeyTemplate_EK + \sa wolfTPM2_GetKeyTemplate_ECC_EK + \sa wolfTPM2_GetKeyTemplate_RSA_SRK + \sa wolfTPM2_GetKeyTemplate_RSA_AIK +*/ +WOLFTPM_API int wolfTPM2_GetKeyTemplate_EKIndex(word32 nvIndex, + TPMT_PUBLIC* publicTemplate); + /*! \ingroup wolfTPM2_Wrappers \brief Prepares a TPM public template for generating the TPM Endorsement Key of RSA type @@ -2687,6 +2723,7 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template + \sa wolfTPM2_GetKeyTemplate_EK \sa wolfTPM2_GetKeyTemplate_ECC_EK \sa wolfTPM2_GetKeyTemplate_RSA_SRK \sa wolfTPM2_GetKeyTemplate_RSA_AIK @@ -2702,6 +2739,7 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate); \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template + \sa wolfTPM2_GetKeyTemplate_EK \sa wolfTPM2_GetKeyTemplate_RSA_EK \sa wolfTPM2_GetKeyTemplate_ECC_SRK \sa wolfTPM2_GetKeyTemplate_ECC_AIK From 65d0e6aa7603a628a43776302ea44183d4f17fc6 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 26 Jul 2024 14:38:29 -0700 Subject: [PATCH 2/3] Documentation and minor fixes. Tested with older SLB9670 and ST33TPH. --- README.md | 7 + examples/endorsement/README.md | 23 ++- examples/endorsement/get_ek_certs.c | 58 +++--- examples/endorsement/trusted_certs.h | 281 +++++++++++++++++++++++++++ 4 files changed, 338 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 8a9835de..5b4265c3 100644 --- a/README.md +++ b/README.md @@ -824,6 +824,13 @@ Connection: close ``` +### TPM Endorsement Key Certificates + +The TCG EK Credential Profile defines how manfactures provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE). +The `get_ek_certs` example show how to retrieve those EK cerificates, validate them and create a primary EK handle for signing key. +See `./examples/endorsement/get_ek_certs`. + + ## Todo * Update to v1.59 of specification (adding CertifyX509). diff --git a/examples/endorsement/README.md b/examples/endorsement/README.md index 47989946..5e0856c5 100644 --- a/examples/endorsement/README.md +++ b/examples/endorsement/README.md @@ -1,12 +1,27 @@ # TPM Endorsement Certificates -The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region. - TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement. +The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region. + We have loaded some of the root and intermediate CA's into the trusted_certs.h file. -## Infineon SLB9672 EK Certificate Chain +## Example Detail + +1) Get handles in the TCG NV range using `wolfTPM2_GetHandles` with `TPM_20_TCG_NV_SPACE`. +2) Get size of the certificate by reading the public NV information using `wolfTPM2_NVReadPublic`. +3) Read the NV data (certificate DER/ASN.1) from the NV index using `wolfTPM2_NVReadAuth`. +4) Get the EK public template using the NV index by calling `wolfTPM2_GetKeyTemplate_EKIndex` or `wolfTPM2_GetKeyTemplate_EK`. +5) Create the primary endorsement key with public template and TPM_RH_ENDORSEMENT hierarchy using `wolfTPM2_CreatePrimaryKey`. +6) Parse the ASN.1/DER certificate using `wc_ParseCert` to extract issuer, serial number, etc... +7) The URI for the CA issuer certificate can be obtained in `extAuthInfoCaIssuer`. +8) Import the certificate public key and compare it against the primary EK public unique area. +9) Use the wolfSSL Certificate Manager to validate the EK certificate. Trusted certificates are loaded using `wolfSSL_CertManagerLoadCABuffer` and the EK certificate is validated using `wolfSSL_CertManagerVerifyBuffer`. +10) Optionally covert to PEM and export using `wc_DerToPem`. + +## Example certificate chains + +### Infineon SLB9672 Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number): @@ -21,7 +36,7 @@ Examples: - Infineon OPTIGA(TM) ECC Root CA 2 - Infineon OPTIGA(TM) TPM 2.0 ECC CA 059 -## STMicro ST33KTPM EK Certificate Chain +### STMicro ST33KTPM Example: diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c index a980e57a..cf38716c 100644 --- a/examples/endorsement/get_ek_certs.c +++ b/examples/endorsement/get_ek_certs.c @@ -223,39 +223,40 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) for (nvIdx=0; nvIdx<(int)handles.count; nvIdx++) { nvIndex = handles.handle[nvIdx]; + XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */ + XMEMSET(certBuf, 0, sizeof(certBuf)); + printf("TCG Handle 0x%x\n", nvIndex); - /* Read Public portion of NV */ + /* Get Endorsement Public Key template using NV index */ + rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate); + if (rc != 0) { + printf("EK Index 0x%08x not valid\n", nvIndex); + continue; + } + + /* Read Public portion of NV to get actual size */ rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic); if (rc != 0) { printf("Failed to read public for NV Index 0x%08x\n", nvIndex); - continue; } /* Read data */ - XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */ - XMEMSET(certBuf, 0, sizeof(certBuf)); - certSz = (uint32_t)sizeof(certBuf); - if (certSz > nvPublic.dataSize) { - certSz = nvPublic.dataSize; - } - rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0); if (rc == 0) { - #ifdef DEBUG_WOLFTPM - printf("EK Data: %d\n", certSz); - TPM2_PrintBin(certBuf, certSz); - #endif + certSz = (uint32_t)sizeof(certBuf); + if (certSz > nvPublic.dataSize) { + certSz = nvPublic.dataSize; + } + rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0); + if (rc == 0) { + #ifdef DEBUG_WOLFTPM + printf("EK Data: %d\n", certSz); + TPM2_PrintBin(certBuf, certSz); + #endif + } } /* Create Endorsement Key */ - if (rc == 0) { - /* Get Endorsement Public Key template using NV index */ - rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate); - if (rc != 0) { - printf("EK Index 0x%08x not valid\n", nvIndex); - rc = BAD_FUNC_ARG; - } - } if (rc == 0) { /* Create Endorsement Key using EK auth policy */ printf("Creating Endorsement Key\n"); @@ -324,12 +325,14 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) } } else { - printf("Error importing certificates public key! %d\n", rc); + printf("Error importing certificates public key! %s (%d)\n", + TPM2_GetRCString(rc), rc); + rc = 0; /* ignore error */ } } else { - printf("Error parsing certificate 0x%x: %s\n", - rc, TPM2_GetRCString(rc)); + printf("Error parsing certificate! %s (%d)\n", + TPM2_GetRCString(rc), rc); } wc_FreeDecodedCert(&cert); @@ -345,8 +348,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) #ifdef WOLFSSL_DER_TO_PEM /* Convert certificate to PEM and display */ - rc = wc_DerToPemEx(certBuf, certSz, NULL, 0, NULL, CERT_TYPE); - if (rc > 0) { + rc = wc_DerToPem(certBuf, certSz, NULL, 0, CERT_TYPE); + if (rc > 0) { /* returns actual PEM size */ pemSz = (word32)rc; rc = 0; @@ -359,7 +362,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) if (rc == 0) { XMEMSET(pem, 0, pemSz); rc = wc_DerToPem(certBuf, certSz, (byte*)pem, pemSz, CERT_TYPE); - if (rc > 0) { + if (rc > 0) { /* returns actual PEM size */ + pemSz = (word32)rc; rc = 0; } } diff --git a/examples/endorsement/trusted_certs.h b/examples/endorsement/trusted_certs.h index af809e71..004e7367 100644 --- a/examples/endorsement/trusted_certs.h +++ b/examples/endorsement/trusted_certs.h @@ -65,6 +65,76 @@ static const char* trusted_certs[] = { "OyD3mUxh8uFPhavNYLdFtrwguXqTVyZcZB+D\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=Infineon OPTIGA(TM) ECC Root CA + * Algorithms: ECDSA SECP384R1, SHA2-384 + * Validity: Jul 25 23:59:59 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICWzCCAeKgAwIBAgIBBDAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEhMB8G\n" + "A1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJR0Eo\n" + "VE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUNDIFJv\n" + "b3QgQ0EwHhcNMTMwNzI2MDAwMDAwWhcNNDMwNzI1MjM1OTU5WjB3MQswCQYDVQQG\n" + "EwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQL\n" + "DBJPUFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShU\n" + "TSkgRUNDIFJvb3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQm1HxLVgvAu1q2\n" + "GM+ymTz12zdTEu0JBVG9CdsVEJv/pE7pSWOlsG3YwU792YAvjSy7zL+WtDK40KGe\n" + "Om8bSWt46QJ00MQUkYxz6YqXbb14BBr06hWD6u6IMBupNkPd9pKjQjBAMB0GA1Ud\n" + "DgQWBBS0GIXISkrFEnryQDnexPWLHn5K0TAOBgNVHQ8BAf8EBAMCAAYwDwYDVR0T\n" + "AQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjA6QZcV8DjjbPuKjKDZQmTRywZk\n" + "MAn8wE6kuW3EouVvBt+/2O+szxMe4vxj8R6TDCYCMG7c9ov86ll/jDlJb/q0L4G+\n" + "+O3Bdel9P5+cOgzIGANkOPEzBQM3VfJegfnriT/kaA==\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) ECC Manufacturing CA 004 + * Issuer: CN=Infineon OPTIGA(TM) ECC Root CA + * Algorithms: ECDSA SECP256R1, SHA2-256 + * Validity: Nov 24 15:50:15 2034 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDRzCCAs2gAwIBAgIEfqIJfTAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUND\n" + "IFJvb3QgQ0EwHhcNMTQxMTI0MTU1MDE1WhcNMzQxMTI0MTU1MDE1WjCBgzELMAkG\n" + "A1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEaMBgG\n" + "A1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9QVElH\n" + "QShUTSkgRUNDIE1hbnVmYWN0dXJpbmcgQ0EgMDA0MFkwEwYHKoZIzj0CAQYIKoZI\n" + "zj0DAQcDQgAEU4vVtCu+sc2VldUl0QToWhbfRiAhumb2S3Seqm1P56agXPJsXw2h\n" + "ssA8ic0Jw7h1bGpM6+EzNBesTpGksBYuLqOCATgwggE0MFcGCCsGAQUFBwEBBEsw\n" + "STBHBggrBgEFBQcwAoY7aHR0cDovL3BraS5pbmZpbmVvbi5jb20vT3B0aWdhRWNj\n" + "Um9vdENBL09wdGlnYUVjY1Jvb3RDQS5jcnQwHQYDVR0OBBYEFL1sacB1nqqV3W0V\n" + "bqZBcMS5s2x4MA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAGAQH/AgEAMEwG\n" + "A1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYUVj\n" + "Y1Jvb3RDQS9PcHRpZ2FFY2NSb290Q0EuY3JsMBUGA1UdIAQOMAwwCgYIKoIUAEQB\n" + "FAEwHwYDVR0jBBgwFoAUtBiFyEpKxRJ68kA53sT1ix5+StEwEAYDVR0lBAkwBwYF\n" + "Z4EFCAEwCgYIKoZIzj0EAwMDaAAwZQIwTJ3astNZ2hyRMPG3RO1BeKieoANrv0jr\n" + "n5GONNPGZ11mVZYgFVSiheBZ9xqOFMvZAjEA9Qk+Dwmei1FuY/ztnGeRLw7bJ7lo\n" + "u+rdhyvlzIO6aI8x5wgJsbcX6ST5QEncz99t\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 ECC CA 042 + * Issuer: CN=Infineon OPTIGA(TM) ECC Root CA + * Algorithms: ECDSA SECP256R1, SHA2-384 + * Validity: Feb 8 15:39:27 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDOjCCAr+gAwIBAgIEGVn1IzAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUND\n" + "IFJvb3QgQ0EwHhcNMjMwMjA4MTUzOTI3WhcNNDMwMjA4MTUzOTI3WjB2MQswCQYD\n" + "VQQGEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRMwEQYD\n" + "VQQLDApPUFRJR0EoVE0pMS8wLQYDVQQDDCZJbmZpbmVvbiBPUFRJR0EoVE0pIFRQ\n" + "TSAyLjAgRUNDIENBIDA0MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHy6yq3F\n" + "3TCvBXY63AGJzHxRf45Gipj7C+W9mnAyz3LAEMTIVBtS4XcvHR6oQBt7RRvrpwLe\n" + "TJjg1Ngg0F4zHPGjggE4MIIBNDBXBggrBgEFBQcBAQRLMEkwRwYIKwYBBQUHMAKG\n" + "O2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYUVjY1Jvb3RDQS9PcHRpZ2FF\n" + "Y2NSb290Q0EuY3J0MB0GA1UdDgQWBBSxHzPMpgZWuiWcLpBaO1Q/UkSXkTAOBgNV\n" + "HQ8BAf8EBAMCAAYwEgYDVR0TAQH/BAgwBgEB/wIBADBMBgNVHR8ERTBDMEGgP6A9\n" + "hjtodHRwOi8vcGtpLmluZmluZW9uLmNvbS9PcHRpZ2FFY2NSb290Q0EvT3B0aWdh\n" + "RWNjUm9vdENBLmNybDAVBgNVHSAEDjAMMAoGCCqCFABEARQBMB8GA1UdIwQYMBaA\n" + "FLQYhchKSsUSevJAOd7E9YsefkrRMBAGA1UdJQQJMAcGBWeBBQgBMAoGCCqGSM49\n" + "BAMDA2kAMGYCMQCyjrqHq1qqHCQQ14dvBtqUT90XuvfSOwE6Hda3GlIa9FdYC4Ue\n" + "AVJ/CuRKHi/VQSkCMQDc+HAcnipcopZBsa/jPV6Y6YdgnVCcDY0tdwtaeQgGNBRz\n" + "GRt1rxF2x8QNOKB9f28=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) RSA Root CA 2 * Algorithms: RSA 4096-bit, SHA2-256 * Validity: Nov 22 23:59:59 2054 GMT */ @@ -145,6 +215,119 @@ static const char* trusted_certs[] = { "Q6kr1MlRyGqkQFTEeOHGI0PngcLQJzKYfjHDDEZ+GA==\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=Infineon OPTIGA(TM) RSA Root CA + * Algorithms: RSA 4096-bit, SHA2-256 + * Validity: Jul 25 23:59:59 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFqzCCA5OgAwIBAgIBAzANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgUlNB\n" + "IFJvb3QgQ0EwHhcNMTMwNzI2MDAwMDAwWhcNNDMwNzI1MjM1OTU5WjB3MQswCQYD\n" + "VQQGEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYD\n" + "VQQLDBJPUFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElH\n" + "QShUTSkgUlNBIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\n" + "AQC7E+gc0B5T7awzux66zMMZMTtCkPqGv6a3NVx73ICg2DSwnipFwBiUl9soEodn\n" + "25SVVN7pqmvKA2gMTR5QexuYS9PPerfRZrBY00xyFx84V+mIRPg4YqUMLtZBcAwr\n" + "R3GO6cffHp20SBH5ITpuqKciwb0v5ueLdtZHYRPq1+jgy58IFY/vACyF/ccWZxUS\n" + "JRNSe4ruwBgI7NMWicxiiWQmz1fE3e0mUGQ1tu4M6MpZPxTZxWzN0mMz9noj1oIT\n" + "ZUnq/drN54LHzX45l+2b14f5FkvtcXxJ7OCkI7lmWIt8s5fE4HhixEgsR2RX5hzl\n" + "8XiHiS7uD3pQhBYSBN5IBbVWREex1IUat5eAOb9AXjnZ7ivxJKiY/BkOmrNgN8k2\n" + "7vOS4P81ix1GnXsjyHJ6mOtWRC9UHfvJcvM3U9tuU+3dRfib03NGxSPnKteL4SP1\n" + "bdHfiGjV3LIxzFHOfdjM2cvFJ6jXg5hwXCFSdsQm5e2BfT3dWDBSfR4h3Prpkl6d\n" + "cAyb3nNtMK3HR5yl6QBuJybw8afHT3KRbwvOHOCR0ZVJTszclEPcM3NQdwFlhqLS\n" + "ghIflaKSPv9yHTKeg2AB5q9JSG2nwSTrjDKRab225+zJ0yylH5NwxIBLaVHDyAEu\n" + "81af+wnm99oqgvJuDKSQGyLf6sCeuy81wQYO46yNa+xJwQIDAQABo0IwQDAdBgNV\n" + "HQ4EFgQU3LtWq/EY/KaadREQZYQSntVBkrkwDgYDVR0PAQH/BAQDAgAGMA8GA1Ud\n" + "EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGHTBUx3ETIXYJsaAgb2pyyN\n" + "UltVL2bKzGMVSsnTCrXUU8hKrDQh3jNIMrS0d6dU/fGaGJvehxmmJfjaN/IFWA4M\n" + "BdZEnpAe2fJEP8vbLa/QHVfsAVuotLD6QWAqeaC2txpxkerveoV2JAwj1jrprT4y\n" + "rkS8SxZuKS05rYdlG30GjOKTq81amQtGf2NlNiM0lBB/SKTt0Uv5TK0jIWbz2WoZ\n" + "gGut7mF0md1rHRauWRcoHQdxWSQTCTtgoQzeBj4IS6N3QxQBKV9LL9UWm+CMIT7Y\n" + "np8bSJ8oW4UdpSuYWe1ZwSjZyzDiSzpuc4gTS6aHfMmEfoVwC8HN03/HD6B1Lwo2\n" + "DvEaqAxkya9IYWrDqkMrEErJO6cqx/vfIcfY/8JYmUJGTmvVlaODJTwYwov/2rjr\n" + "la5gR+xrTM7dq8bZimSQTO8h6cdL6u+3c8mGriCQkNZIZEac/Gdn+KwydaOZIcnf\n" + "Rdp3SalxsSp6cWwJGE4wpYKB2ClM2QF3yNQoTGNwMlpsxnU72ihDi/RxyaRTz9OR\n" + "pubNq8Wuq7jQUs5U00ryrMCZog1cxLzyfZwwCYh6O2CmbvMoydHNy5CU3ygxaLWv\n" + "JpgZVHN103npVMR3mLNa3QE+5MFlBlP3Mmystu8iVAKJas39VO5y5jad4dRLkwtM\n" + "6sJa8iBpdRjZrBp5sJBI\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) RSA Manufacturing CA 004 + * Issuer: CN=Infineon OPTIGA(TM) RSA Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Nov 24 15:39:16 2034 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFszCCA5ugAwIBAgIEIe/JKTANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJE\n" + "RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP\n" + "UFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkg\n" + "UlNBIFJvb3QgQ0EwHhcNMTQxMTI0MTUzOTE2WhcNMzQxMTI0MTUzOTE2WjCBgzEL\n" + "MAkGA1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEa\n" + "MBgGA1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9Q\n" + "VElHQShUTSkgUlNBIE1hbnVmYWN0dXJpbmcgQ0EgMDA0MIIBIjANBgkqhkiG9w0B\n" + "AQEFAAOCAQ8AMIIBCgKCAQEAhFAEamE+AGtKlpCDU1ILU3NUVjkrU2MiD+RcYM44\n" + "/+t6Ho90lVLIarwpjUC9E6skZDwSfjDFv1yR+xJ6nnfK05PX6CcW4I6xIYsPLESQ\n" + "Pe988Ug9FoTvqgQ/yy+5Ru16xFNWWCCF1KgMwyxgaX2hnkUU7aOIVPD1pHS/17TN\n" + "6F2zl46OL8qX9z9yHi+DRtjWZrQhQQ6lvi+hU+fgtFKGUUdZL/jyZXALVMvTt9hO\n" + "o7HPJDbzAIfCY5TZQByTbUwN+61twPw3m8QzNI79GlDDewD2nVzomDJUvV02Dbrb\n" + "e+NiLnZ/jZcHzWmF0ERqXM/sNnsWxSx7ECQV9mb4LPscCwIDAQABo4IBODCCATQw\n" + "VwYIKwYBBQUHAQEESzBJMEcGCCsGAQUFBzAChjtodHRwOi8vcGtpLmluZmluZW9u\n" + "LmNvbS9PcHRpZ2FSc2FSb290Q0EvT3B0aWdhUnNhUm9vdENBLmNydDAdBgNVHQ4E\n" + "FgQUJjt0TYVBK65uE+lKU8I1GFuk7uwwDgYDVR0PAQH/BAQDAgAGMBIGA1UdEwEB\n" + "/wQIMAYBAf8CAQAwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3BraS5pbmZpbmVv\n" + "bi5jb20vT3B0aWdhUnNhUm9vdENBL09wdGlnYVJzYVJvb3RDQS5jcmwwFQYDVR0g\n" + "BA4wDDAKBggqghQARAEUATAfBgNVHSMEGDAWgBTcu1ar8Rj8ppp1ERBlhBKe1UGS\n" + "uTAQBgNVHSUECTAHBgVngQUIATANBgkqhkiG9w0BAQsFAAOCAgEANY49i1/+6S9J\n" + "VS/yaHfxn49uVFMwJNeM7Ez6sANMxZ6UlSW5tz1xcwBo9ysViyt9W45MmKbXz0jz\n" + "HQBTuq3jq+aDjYJAtpvlQoqARSa0P6hXPMYXXLas7z/DwUeWomV+iYczG067Swsh\n" + "jQ4WKtg3o4f82Zmd39oJpYgIbJJPC7KyaNuDionRw5fiVfgEPRmUsB1jQGWz/d/r\n" + "YWjFU6zr6kqrVoostGls6PXxfyYcw9iiMsHWgsekyW3q+4mDRSaLJMyixw1Vwfy0\n" + "TmYjrwg6hi9+JrIJpnFCb8aCjZvZ0JZj+tWgjGnmw0acej2SEFItMBz0UHQNXn0j\n" + "BLVYfu9RwulqFWd52pumJVHECoDEQn93MdzippYAqEE9kaEl5wt8cd+9uRCcBuy2\n" + "OPleKXWvuYEEjqH7SbBxHiZuqdHZvFkfRdSNc1dW7sKE6N4UZ+b8+UoCha2pUzE2\n" + "yYeE3dkv/E1K+6uq38Fe42Iz22hlZrEeA3aGrHopOFvUY2MOM8ksdDBwQZ5YzBQ4\n" + "HcD5RHrvsYUbkcPnnVVkN+M8IKJ+6LVowx3EG+ytzVixHrSVJ91ooG9ocD2vxZAU\n" + "bY8gLugWaRbOZkgYaHTj4Rjq3ZxuEPXEDKrSm7nUgMMlq5BDYhVzBWXrJtyYIv37\n" + "QHaD0AfWGx+CiPbtXWmvkhC+QLzYnWI=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 042 + * Issuer: CN=Infineon OPTIGA(TM) RSA Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Feb 8 15:28:15 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFpTCCA42gAwIBAgIEX/V0ezANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJE\n" + "RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP\n" + "UFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkg\n" + "UlNBIFJvb3QgQ0EwHhcNMjMwMjA4MTUyODE1WhcNNDMwMjA4MTUyODE1WjB2MQsw\n" + "CQYDVQQGEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRMw\n" + "EQYDVQQLDApPUFRJR0EoVE0pMS8wLQYDVQQDDCZJbmZpbmVvbiBPUFRJR0EoVE0p\n" + "IFRQTSAyLjAgUlNBIENBIDA0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAIVUeKYRnVu2bZCwKKd5zH3oOYz73J3ZPoMviq90y51mccnCiydAwR5k+uSr\n" + "NBjIUUVpQc11K005HbU42lA02XHBlchHVAd1rHPUp55Qvscsh/OU0MTV7Cb7LLnS\n" + "Mm9hD7K5bwdNjnSxD6gayoBwAOa5p23FBuqCiUPNzUD+1rtrkYyFD3t8WmnDbfxe\n" + "UWh5wWzIV0PGV7sKPOov+IXEfXFF+fWAwsGXTPi5+cibRLwoy88Rk/+vRLVxg0eZ\n" + "OnxH8B+qcpEIPmXfxbdGqUoY82icT1Nj1EjCjkyMTAxH5Q+8PVDHDjyRLNg+6aYt\n" + "MXYTX0D6MxhobOVjYLgZAnQPlkcCAwEAAaOCATgwggE0MFcGCCsGAQUFBwEBBEsw\n" + "STBHBggrBgEFBQcwAoY7aHR0cDovL3BraS5pbmZpbmVvbi5jb20vT3B0aWdhUnNh\n" + "Um9vdENBL09wdGlnYVJzYVJvb3RDQS5jcnQwHQYDVR0OBBYEFF0IFZUfX2Bjimnn\n" + "JS8+xL7NdVSyMA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAGAQH/AgEAMEwG\n" + "A1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYVJz\n" + "YVJvb3RDQS9PcHRpZ2FSc2FSb290Q0EuY3JsMBUGA1UdIAQOMAwwCgYIKoIUAEQB\n" + "FAEwHwYDVR0jBBgwFoAU3LtWq/EY/KaadREQZYQSntVBkrkwEAYDVR0lBAkwBwYF\n" + "Z4EFCAEwDQYJKoZIhvcNAQELBQADggIBAHvzvbu2R2CTigvQNVNIBD+10puObvI7\n" + "p4n2u7ckS+RJaaFYysnC939IexEzqMHgZOSGJD2Fzq9Yqa2gMHzgsnzdj1V4ssfz\n" + "GEboIVJ3nhItIqgVj0HXfQrb1JXU7noI+db87MGA0gfLG52wqTI26gqZtb9GH6JB\n" + "y6OIL8NvmrRUpgOb6r0ltAhmIDnQz73M7qW0j1Y/OKa3M8T8QVSdbDeNydH2eSck\n" + "NzvbkeZED63YPcztxMGqZ3kL1NfzGHqtPvjlS53kQ4k+uvU42X4uzldBsXaByXMK\n" + "gjQKaEgG64lCLafQWB3KjgF6U37oHQ3GvCOeR6HZx/MOZXr9+T6ZzdVQJPZcIPu2\n" + "9dhftbLYYKlnkSab8JwPX1cpXJL+xMqd6Bjpr044iOTrD/Hjqck+QvhCt2pSpB4e\n" + "72z21KboAFb6xLUYf8KIvnhY9XFeBGpLabKn1Gq79x4BLsXJQuuQ8bmwWDa+e+F5\n" + "rb16CgnTvwMJE8+B0hOdk+/40whTwVwc7OlAwkRHiVKfPw7JOP4pyOV0QIlyWLcH\n" + "2yg7raQFCjdtnvIX0Eq3RDwFk6b9hK3+89uIuA8/uW3bY5HuJEQd0bWZoeD2WBHf\n" + "V9iAx0TwwBsEPrHwQxB6uktXjqCKk1PJAtaiAB6hFQpe26gAopXnxA6ezpgMKGVt\n" + "e1NOreRnWJCu\n" + "-----END CERTIFICATE-----\n", + /* ---------------------------------------------------------------*/ /* STMicroelectronics NV */ @@ -218,6 +401,48 @@ static const char* trusted_certs[] = { "3QJ/mdWzkS8U0LlHNOV2Lb9PF4B10A==\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=STM TPM ECC Root CA 01 + * Algorithms: ECDSA SECP384R1, SHA2-384 + * Validity: Jan 19 03:14:07 2038 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICyDCCAk+gAwIBAgIORyzLp/OdsAvb9r+66LowCgYIKoZIzj0EAwMwgYsxOzA5\n" + "BgNVBAsTMkdsb2JhbFNpZ24gVHJ1c3RlZCBDb21wdXRpbmcgQ2VydGlmaWNhdGUg\n" + "QXV0aG9yaXR5MRMwEQYDVQQKEwpHbG9iYWxTaWduMTcwNQYDVQQDEy5HbG9iYWxT\n" + "aWduIFRydXN0ZWQgUGxhdGZvcm0gTW9kdWxlIEVDQyBSb290IENBMB4XDTE1MTAy\n" + "ODAwMDAwMFoXDTM4MDExOTAzMTQwN1owTjELMAkGA1UEBhMCQ0gxHjAcBgNVBAoT\n" + "FVNUTWljcm9lbGVjdHJvbmljcyBOVjEfMB0GA1UEAxMWU1RNIFRQTSBFQ0MgUm9v\n" + "dCBDQSAwMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABG7/OLXMiprQQHwNnkpT6aqG\n" + "zOGLcbbAgUtyjlXOZtuv0GB0ttJ6fwMwgFtt8RKlko8Bwn89/BoZOUcI4ne8ddRS\n" + "oqE6StnU3I13qqjalToq3Rnz61Omn6NErK1pxUe3j6OBtTCBsjAOBgNVHQ8BAf8E\n" + "BAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUIJJWPAtDqAVyUwMp\n" + "BxwH4OvsAwQwHwYDVR0jBBgwFoAUYT78EZkKf7CpW5CgJl4pYUe3MAMwTAYDVR0g\n" + "BEUwQzBBBgkrBgEEAaAyAVowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv\n" + "YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCgYIKoZIzj0EAwMDZwAwZAIwWnuUAzwy\n" + "vHUhHehymKTZ2QcPUwHX0LdcVTac4ohyEL3zcuv/dM0BN62kFxHgBOhWAjAIxt9i\n" + "50yAxy0Z/MeV2NTXqKpLwdhWNuzOSFZnzRKsh9MxY3zj8nebDNlHTDGSMR0=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STM TPM ECC Intermediate CA 02 + * Issuer: CN=STM TPM ECC Root CA 01 + * Algorithms: ECDSA SECP256R1, SHA2-384 + * Validity: Nov 22 00:00:00 2038 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICZTCCAeygAwIBAgIEQAAAAjAKBggqhkjOPQQDAzBOMQswCQYDVQQGEwJDSDEe\n" + "MBwGA1UECgwVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR8wHQYDVQQDDBZTVE0gVFBN\n" + "IEVDQyBSb290IENBIDAxMB4XDTE4MTEyMjAwMDAwMFoXDTM4MTEyMjAwMDAwMFow\n" + "VjELMAkGA1UEBhMCQ0gxHjAcBgNVBAoMFVNUTWljcm9lbGVjdHJvbmljcyBOVjEn\n" + "MCUGA1UEAwweU1RNIFRQTSBFQ0MgSW50ZXJtZWRpYXRlIENBIDAyMFkwEwYHKoZI\n" + "zj0CAQYIKoZIzj0DAQcDQgAE08t33aGM5M5aeBmzcn5H3HS31CGBJ2bbJ6fvJJ0i\n" + "VCfZrN9sesL0D+NGfwtEklk7mgT/2vfW2dO9OqsyukSw2aOBrzCBrDAdBgNVHQ4E\n" + "FgQUZi2PHOzf8UeotvDqKWr38kyt+c8wHwYDVR0jBBgwFoAUIJJWPAtDqAVyUwMp\n" + "BxwH4OvsAwQwRQYDVR0gAQH/BDswOTA3BgRVHSAAMC8wLQYIKwYBBQUHAgEWIWh0\n" + "dHA6Ly93d3cuc3QuY29tL1RQTS9yZXBvc2l0b3J5LzAPBgNVHQ8BAf8EBQMDAQQC\n" + "MBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwMDZwAwZAIwJl4q6QuGhqQD\n" + "pvP1gBBu8OhbQAXL8Rwhg1FWs8BvC4VYt6Tqe9xLqjbtbgR8UOyvAjAhzSbC+r8A\n" + "2Wx1aOwAIqs1tmBXpofqcOXYeCSXKajOv5Jlzk6sDnEH2omN+ydt924=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STSAFE RSA Root CA 02 * Algorithms: RSA 4096-bit, SHA2-384 * Validity: Dec 31 00:00:00 9999 GMT */ @@ -295,6 +520,62 @@ static const char* trusted_certs[] = { "uKErQfPEhjYLdzF8/OYW7w==\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=STM TPM EK Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Dec 31 23:59:59 2039 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIEDDCCAvSgAwIBAgILBAAAAAABIsFs834wDQYJKoZIhvcNAQELBQAwgYcxOzA5\n" + "BgNVBAsTMkdsb2JhbFNpZ24gVHJ1c3RlZCBDb21wdXRpbmcgQ2VydGlmaWNhdGUg\n" + "QXV0aG9yaXR5MRMwEQYDVQQKEwpHbG9iYWxTaWduMTMwMQYDVQQDEypHbG9iYWxT\n" + "aWduIFRydXN0ZWQgUGxhdGZvcm0gTW9kdWxlIFJvb3QgQ0EwHhcNMDkwNzI4MTIw\n" + "MDAwWhcNMzkxMjMxMjM1OTU5WjBKMQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RN\n" + "aWNyb2VsZWN0cm9uaWNzIE5WMRswGQYDVQQDExJTVE0gVFBNIEVLIFJvb3QgQ0Ew\n" + "ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDxBLG5wcB9J0MsiJMreoWQ\n" + "l21bBN12SSGZPJ3HoPjzcrzAz6SPy+TrFmZ6eUVspsFL/23wdPprqTUtDHi+C2pw\n" + "k/3dF3/Rb2t/yHgiPlbCshYpi5f/rJ7nzbQ1ca2LzX3saBe53VfNQQV0zd5uM0DT\n" + "SrmAKU1RIAj2WlZFWXoN4NWTyRtqT5suPHa2y8FlCWMZKlS0FiY4pfM20b5YQ+EL\n" + "4zqb9zN53u/TdYZegrfSlc30Nl9G13Mgi+8rtPFKwsxx05EBbhVroH7aKVI1djsf\n" + "E1MVrUzw62PHik3xlzznXML8OjY//xKeiCWcsApuGCaIAf7TsTRi2l8DNB3rCr1X\n" + "AgMBAAGjgbQwgbEwDgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQEw\n" + "HQYDVR0OBBYEFG/mxWwHt2yLCoGSg1zLQR72jtEnMEsGA1UdIAREMEIwQAYJKwYB\n" + "BAGgMgFaMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQv\n" + "cmVwb3NpdG9yeS8wHwYDVR0jBBgwFoAUHiNj8IW19iVO7RrAUL5lfMfUFXowDQYJ\n" + "KoZIhvcNAQELBQADggEBAFrKpwFmRh7BGdpPZWc1Y6wIbdTAF6T+q1KwDJcyAjgJ\n" + "qThFp3xTAt3tvyVrCRf7T/YARYE24DNa0iFaXsIXeQASDYHJjAZ6LQTslYBeRYLb\n" + "C9v8ZE2ocKSCiC8ALYlJWk39Wob0H1Lk6l2zcUo3oKczGiAcRrlmwV496wvGyted\n" + "2RBcLZro7yhOOGr9KMabV14fNl0lG+31J1nWI2hgTqh53GXg1QH2YpggD3b7UbVm\n" + "c6GZaX37N3z15XfQafuAfHt10kYCNdePzC9tOwirHIsO8lrxoNlzOSxX8SqQGbBI\n" + "+kWoe5+SY3gdOGGDQKIdw3W1poMN8bQ5x7XFcgVMwVU=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STM TPM EK Intermediate CA 06 + * Issuer: CN=STM TPM EK Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Jan 1 00:00:00 2038 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDzDCCArSgAwIBAgIEQAAABzANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJD\n" + "SDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMRswGQYDVQQDExJTVE0g\n" + "VFBNIEVLIFJvb3QgQ0EwHhcNMTgxMDMxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBV\n" + "MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSYw\n" + "JAYDVQQDEx1TVE0gVFBNIEVLIEludGVybWVkaWF0ZSBDQSAwNjCCASIwDQYJKoZI\n" + "hvcNAQEBBQADggEPADCCAQoCggEBAOvIjXBLbVBfIC7SFjcz4hm6R0IyuRJpJ45n\n" + "pYytlAHmoVosoT3isl52T4UB4T1r1b8y7Y+vW3Ed0sZO+m/pHtUc5h9050ynGedt\n" + "0uvuNZ1cVnX2h/XTcdKIawqEBVXRZQ5OJMp/aDlUwsUeBT+SlhAagNhmyNw2tC2a\n" + "b5d7qr8FU03Ds6io892aSD23z51yLAix121uUHIPmHByaZRnaKctTbu7ulwINlrd\n" + "cB953Z0WVQhil5yjZs14yd4yAnA3Z1ZW+mrOkr8ehVsUbvrUxyfhMInMrETIxR4R\n" + "9X5cTIVia2SVTtfqrb6XMC1/T7K1PH90QXtlt3WILMMNJhLDy+kCAwEAAaOBrjCB\n" + "qzAdBgNVHQ4EFgQU+xfXDXNIcOkZxOjmA5deZk4OQ94wHwYDVR0jBBgwFoAUb+bF\n" + "bAe3bIsKgZKDXMtBHvaO0ScwRQYDVR0gAQH/BDswOTA3BgRVHSAAMC8wLQYIKwYB\n" + "BQUHAgEWIWh0dHA6Ly93d3cuc3QuY29tL1RQTS9yZXBvc2l0b3J5LzAOBgNVHQ8B\n" + "Af8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEA\n" + "OiwipeVJ4yK/hBF6KgfcCUltlqmoPoHyffzfpPjNBeYqmdaRqxJdbY9FaSrcbJBA\n" + "hKRHfWYPCB03TnWstmfadgzbC/8mITx56Cb2EXpvYhrAu8G7a54h0sIhEloK/FAx\n" + "Zdgg3Y2tnPhihQ80xdqtaZRoXqjiqKq1p7IHwtQZiFCCCD1jny8qfZLCOYx50/mJ\n" + "QXk8WvzPl0xsAOhp5Id6OAeq/6dmwjUBpZBzhwmbnt5kX7OKnuoVr3H+8X1Zycz8\n" + "lq3znYqMaPWDTIQm6gnm//ahb9bBN0GL57fT6RuNy6jH7SRZYZ4zZRtAHyPogA/b\n" + "gbBsXr0NrHh671Y1j4cOYA==\n" + "-----END CERTIFICATE-----\n", + }; #endif /* WOLFTPM_TRUSTED_CERTS_H */ From 8f1e35a342a2f3f3ed49f3011caed2335ecabdb8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 26 Jul 2024 15:12:22 -0700 Subject: [PATCH 3/3] Peer review (spelling / grammar). --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5b4265c3..ca5c439c 100644 --- a/README.md +++ b/README.md @@ -826,8 +826,8 @@ Connection: close ### TPM Endorsement Key Certificates -The TCG EK Credential Profile defines how manfactures provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE). -The `get_ek_certs` example show how to retrieve those EK cerificates, validate them and create a primary EK handle for signing key. +The TCG EK Credential Profile defines how manufacturers provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE). +The `get_ek_certs` example shows how to retrieve those EK cerificates, validate them and create a primary EK handle for signing. See `./examples/endorsement/get_ek_certs`.