Documentation and minor fixes. Tested with older SLB9670 and ST33TPH.

dgarske · dgarske · commit 65d0e6aa7603 · 2024-07-26T14:38:29.000-07:00
diff --git a/README.md b/README.md
@@ -824,6 +824,13 @@ Connection: close
 ```
 
 
+### TPM Endorsement Key Certificates
+
+The TCG EK Credential Profile defines how manfactures provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE).
+The `get_ek_certs` example show how to retrieve those EK cerificates, validate them and create a primary EK handle for signing key.
+See `./examples/endorsement/get_ek_certs`.
+
+
 ## Todo
 
 * Update to v1.59 of specification (adding CertifyX509).
diff --git a/examples/endorsement/README.md b/examples/endorsement/README.md
@@ -1,12 +1,27 @@
 # TPM Endorsement Certificates
 
-The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
-
 TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement.
 
+The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
+
 We have loaded some of the root and intermediate CA's into the trusted_certs.h file.
 
-## Infineon SLB9672 EK Certificate Chain
+## Example Detail
+
+1) Get handles in the TCG NV range using `wolfTPM2_GetHandles` with `TPM_20_TCG_NV_SPACE`.
+2) Get size of the certificate by reading the public NV information using `wolfTPM2_NVReadPublic`.
+3) Read the NV data (certificate DER/ASN.1) from the NV index using `wolfTPM2_NVReadAuth`.
+4) Get the EK public template using the NV index by calling `wolfTPM2_GetKeyTemplate_EKIndex` or `wolfTPM2_GetKeyTemplate_EK`.
+5) Create the primary endorsement key with public template and TPM_RH_ENDORSEMENT hierarchy using `wolfTPM2_CreatePrimaryKey`.
+6) Parse the ASN.1/DER certificate using `wc_ParseCert` to extract issuer, serial number, etc...
+7) The URI for the CA issuer certificate can be obtained in `extAuthInfoCaIssuer`.
+8) Import the certificate public key and compare it against the primary EK public unique area.
+9) Use the wolfSSL Certificate Manager to validate the EK certificate. Trusted certificates are loaded using `wolfSSL_CertManagerLoadCABuffer` and the EK certificate is validated using `wolfSSL_CertManagerVerifyBuffer`.
+10) Optionally covert to PEM and export using `wc_DerToPem`.
+
+## Example certificate chains
+
+### Infineon SLB9672
 
 Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number):
 
@@ -21,7 +36,7 @@ Examples:
 - Infineon OPTIGA(TM) ECC Root CA 2
   - Infineon OPTIGA(TM) TPM 2.0 ECC CA 059
 
-## STMicro ST33KTPM EK Certificate Chain
+### STMicro ST33KTPM
 
 Example:
 
diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c
@@ -223,39 +223,40 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     for (nvIdx=0; nvIdx<(int)handles.count; nvIdx++) {
         nvIndex = handles.handle[nvIdx];
 
+        XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */
+        XMEMSET(certBuf, 0, sizeof(certBuf));
+
         printf("TCG Handle 0x%x\n", nvIndex);
 
-        /* Read Public portion of NV */
+        /* Get Endorsement Public Key template using NV index */
+        rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
+        if (rc != 0) {
+            printf("EK Index 0x%08x not valid\n", nvIndex);
+            continue;
+        }
+
+        /* Read Public portion of NV to get actual size */
         rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
         if (rc != 0) {
             printf("Failed to read public for NV Index 0x%08x\n", nvIndex);
-            continue;
         }
 
         /* Read data */
-        XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */
-        XMEMSET(certBuf, 0, sizeof(certBuf));
-        certSz = (uint32_t)sizeof(certBuf);
-        if (certSz > nvPublic.dataSize) {
-            certSz = nvPublic.dataSize;
-        }
-        rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
         if (rc == 0) {
-        #ifdef DEBUG_WOLFTPM
-            printf("EK Data: %d\n", certSz);
-            TPM2_PrintBin(certBuf, certSz);
-        #endif
+            certSz = (uint32_t)sizeof(certBuf);
+            if (certSz > nvPublic.dataSize) {
+                certSz = nvPublic.dataSize;
+            }
+            rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
+            if (rc == 0) {
+            #ifdef DEBUG_WOLFTPM
+                printf("EK Data: %d\n", certSz);
+                TPM2_PrintBin(certBuf, certSz);
+            #endif
+            }
         }
 
         /* Create Endorsement Key */
-        if (rc == 0) {
-            /* Get Endorsement Public Key template using NV index */
-            rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
-            if (rc != 0) {
-                printf("EK Index 0x%08x not valid\n", nvIndex);
-                rc = BAD_FUNC_ARG;
-            }
-        }
         if (rc == 0) {
             /* Create Endorsement Key using EK auth policy */
             printf("Creating Endorsement Key\n");
@@ -324,12 +325,14 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
                     }
                 }
                 else {
-                    printf("Error importing certificates public key! %d\n", rc);
+                    printf("Error importing certificates public key! %s (%d)\n",
+                        TPM2_GetRCString(rc), rc);
+                    rc = 0; /* ignore error */
                 }
             }
             else {
-                printf("Error parsing certificate 0x%x: %s\n",
-                    rc, TPM2_GetRCString(rc));
+                printf("Error parsing certificate! %s (%d)\n",
+                    TPM2_GetRCString(rc), rc);
             }
             wc_FreeDecodedCert(&cert);
 
@@ -345,8 +348,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 
         #ifdef WOLFSSL_DER_TO_PEM
             /* Convert certificate to PEM and display */
-            rc = wc_DerToPemEx(certBuf, certSz, NULL, 0, NULL, CERT_TYPE);
-            if (rc > 0) {
+            rc = wc_DerToPem(certBuf, certSz, NULL, 0, CERT_TYPE);
+            if (rc > 0) { /* returns actual PEM size */
                 pemSz = (word32)rc;
                 rc = 0;
 
@@ -359,7 +362,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             if (rc == 0) {
                 XMEMSET(pem, 0, pemSz);
                 rc = wc_DerToPem(certBuf, certSz, (byte*)pem, pemSz, CERT_TYPE);
-                if (rc > 0) {
+                if (rc > 0) { /* returns actual PEM size */
+                    pemSz = (word32)rc;
                     rc = 0;
                 }
             }
diff --git a/examples/endorsement/trusted_certs.h b/examples/endorsement/trusted_certs.h
