Support for getting TPM EK Certificates. Added wolfTPM2_GetKeyTemplate_EK and wolfTPM2_GetKeyTemplate_EK API's for getting EK public templates for generating the EK primary key. Fix TLS example build issues with wolfSSL not having crypto callback or PK callback enabled.

Author: dgarske

.gitignore

@@ -79,6 +79,7 @@ examples/boot/secret_seal
 examples/boot/secret_unseal
 examples/firmware/ifx_fw_extract
 examples/firmware/ifx_fw_update
+examples/endorsement/get_ek_certs
 
 # Generated Cert Files
 certs/ca-*.pem

README.md

@@ -34,6 +34,7 @@ Portable TPM 2.0 project designed for embedded use.
 * Parameter encryption support using AES-CFB or XOR.
 * Support for salted unbound authenticated sessions.
 * Support for HMAC Sessions.
+* Support for reading Endorsement certificates (EK Credential Profile).
 
 Note: See [examples/README.md](examples/README.md) for details on using the examples.
 
@@ -168,7 +169,7 @@ make install
 # then for some other library such as wolfTPM:
 
 # cd /your-wolftpm-repo
-./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin 
+./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin
 ```
 
 ### Build options and defines
@@ -825,7 +826,6 @@ Connection: close
 
 ## Todo
 
-* Add support for Endorsement certificates (EK Credential Profile).
 * Update to v1.59 of specification (adding CertifyX509).
 * Inner wrap support for SensitiveToPrivate.
 * Add support for IRQ (interrupt line)

examples/endorsement/README.md

@@ -0,0 +1,31 @@
+# TPM Endorsement Certificates
+
+The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
+
+TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement.
+
+We have loaded some of the root and intermediate CA's into the trusted_certs.h file.
+
+## Infineon SLB9672 EK Certificate Chain
+
+Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number):
+
+https://pki.infineon.com/OptigaRsaMfrCAxxx/OptigaRsaMfrCAxxx.crt
+https://pki.infineon.com/OptigaEccMfrCAxxx/OptigaEccMfrCAxxx.crt
+
+
+Examples:
+
+- Infineon OPTIGA(TM) RSA Root CA 2
+  - Infineon OPTIGA(TM) TPM 2.0 RSA CA 059
+- Infineon OPTIGA(TM) ECC Root CA 2
+  - Infineon OPTIGA(TM) TPM 2.0 ECC CA 059
+
+## STMicro ST33KTPM EK Certificate Chain
+
+Example:
+
+- STSAFE RSA root CA 02 (http://sw-center.st.com/STSAFE/STSAFERsaRootCA02.crt)
+  - STSAFE-TPM RSA intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmrsaint10.crt)
+- STSAFE ECC root CA 02 (http://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt)
+  - STSAFE-TPM ECC intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmeccint10.crt)

examples/endorsement/endorsement.h

@@ -0,0 +1,35 @@
+/* endorsement.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfTPM.
+ *
+ * wolfTPM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfTPM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef _WOLFTPM_ENDORSEMENT_H_
+#define _WOLFTPM_ENDORSEMENT_H_
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]);
+
+#ifdef __cplusplus
+    }  /* extern "C" */
+#endif
+
+#endif /* _WOLFTPM_ENDORSEMENT_H_ */