Public key from TSS2 private key with OpenSSL 3.0.0-beta2

Nestor Melo Nestor.Melo at zpesystems.com
Fri Aug 6 20:23:26 UTC 2021


Dear Dmitry,


I just submitted a new issue, #16256.


Thank you,

Nestor Melo
________________________________
From: Dmitry Belyavsky <beldmit at gmail.com>
Sent: Friday, August 6, 2021 12:21 PM
To: Nestor Melo <Nestor.Melo at zpesystems.com>
Cc: openssl-users at openssl.org <openssl-users at openssl.org>
Subject: Re: Public key from TSS2 private key with OpenSSL 3.0.0-beta2

Dear Nestor,

Could you please file an issue on GitHub?
It's much simpler for us to follow the issues there.

On Fri, Aug 6, 2021 at 9:13 PM Nestor Melo <Nestor.Melo at zpesystems.com> wrote:
Greetings,


We use a TPM2 device to generate private keys with tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine

While attempting to extract the public key from a TSS2 private key using OpenSSL 3.0.0-beta2 and tpm2-tss-engine, I received a message "PEM format not supported":

openssl rsa -engine libtpm2tss -inform engine -in privkey.pem -pubout -outform PEM -out pubkey.pem
Engine "tpm2tss" set.
writing RSA key
PEM format not supported

Although it is recommended to use providers instead of engines with OpenSSL 3.0.0, are engines still supported? Should the above operation be expected to work?

Here is an example of a private key that was generated with tpm2-tss-engine's tpm2tss-genkey:
-----BEGIN TSS2 PRIVATE KEY-----
-----END TSS2 PRIVATE KEY-----

If I use instead the TPM2 provider tpm2-openssl
https://github.com/tpm2-software/tpm2-openssl

the command
openssl rsa -provider tpm2 -in privkey.pem -pubout -outform PEM -out pubkey.pem

works, producing:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmT8O+ikRX5eTRUsDXrBA
ephW1YLEITkKxviFzIxF7R1K1jlDIXI8PKhc6tUEsEDfgTNtldmc3nxPmJBxeAzI
QrGAAUjGY74xtvbe6T6muU9FHGVpw1e3LelewFCQyR+t36GaOBY+S4Bc0DC0KhSo
FakiwYt2vtQvm0W54cwxg7B4aSfcBUNHFPB5J90cere/o20QpNvb7mw/kwvoTSzs
yQT5qMZALKZeRFZ42991dGWJpnfC30xieXCMoD7zx5hhc5Uf5EbFtxeWaT2HTfs0
h0OxigQSjXdmCJPeJVoMPOoF2FK+PbZwPn2UDKyoSqhsmZ+9hvkUWylDYiXfm24T
UwIDAQAB
-----END PUBLIC KEY-----


Thank you,

Nestor Melo




--
SY, Dmitry Belyavsky