diff --git a/README.md b/README.md
index 8a9835d..5b4265c 100644
--- a/README.md
+++ b/README.md
@@ -824,6 +824,13 @@ Connection: close
 ```
+### TPM Endorsement Key Certificates
+
+The TCG EK Credential Profile defines how manfactures provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE).
+The `get_ek_certs` example show how to retrieve those EK cerificates, validate them and create a primary EK handle for signing key.
+See `./examples/endorsement/get_ek_certs`.
+
+
 ## Todo
 * Update to v1.59 of specification (adding CertifyX509).
diff --git a/examples/endorsement/README.md b/examples/endorsement/README.md
index 4798994..5e0856c 100644
--- a/examples/endorsement/README.md
+++ b/examples/endorsement/README.md
@@ -1,12 +1,27 @@
 # TPM Endorsement Certificates
-The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
-
 TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement.
+The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
+
 We have loaded some of the root and intermediate CA's into the trusted_certs.h file.
-## Infineon SLB9672 EK Certificate Chain
+## Example Detail
+
+1) Get handles in the TCG NV range using `wolfTPM2_GetHandles` with `TPM_20_TCG_NV_SPACE`.
+2) Get size of the certificate by reading the public NV information using `wolfTPM2_NVReadPublic`.
+3) Read the NV data (certificate DER/ASN.1) from the NV index using `wolfTPM2_NVReadAuth`.
+4) Get the EK public template using the NV index by calling `wolfTPM2_GetKeyTemplate_EKIndex` or `wolfTPM2_GetKeyTemplate_EK`.
+5) Create the primary endorsement key with public template and TPM_RH_ENDORSEMENT hierarchy using `wolfTPM2_CreatePrimaryKey`.
+6) Parse the ASN.1/DER certificate using `wc_ParseCert` to extract issuer, serial number, etc...
+7) The URI for the CA issuer certificate can be obtained in `extAuthInfoCaIssuer`.
+8) Import the certificate public key and compare it against the primary EK public unique area.
+9) Use the wolfSSL Certificate Manager to validate the EK certificate. Trusted certificates are loaded using `wolfSSL_CertManagerLoadCABuffer` and the EK certificate is validated using `wolfSSL_CertManagerVerifyBuffer`.
+10) Optionally covert to PEM and export using `wc_DerToPem`.
+
+## Example certificate chains
+
+### Infineon SLB9672
 Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number):
@@ -21,7 +36,7 @@ Examples:
 - Infineon OPTIGA(TM) ECC Root CA 2
 - Infineon OPTIGA(TM) TPM 2.0 ECC CA 059
-## STMicro ST33KTPM EK Certificate Chain
+### STMicro ST33KTPM
 Example:
diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c
index a980e57..cf38716 100644
--- a/examples/endorsement/get_ek_certs.c
+++ b/examples/endorsement/get_ek_certs.c
@@ -223,39 +223,40 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 for (nvIdx=0; nvIdx<(int)handles.count; nvIdx++) {
 nvIndex = handles.handle[nvIdx];
+ XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */
+ XMEMSET(certBuf, 0, sizeof(certBuf));
+
 printf("TCG Handle 0x%x\n", nvIndex);
- /* Read Public portion of NV */
- rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
+ /* Get Endorsement Public Key template using NV index */
+ rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
 if (rc != 0) {
- printf("Failed to read public for NV Index 0x%08x\n", nvIndex);
+ printf("EK Index 0x%08x not valid\n", nvIndex);
 continue;
 }
- /* Read data */
- XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */
- XMEMSET(certBuf, 0, sizeof(certBuf));
- certSz = (uint32_t)sizeof(certBuf);
- if (certSz > nvPublic.dataSize) {
- certSz = nvPublic.dataSize;
+ /* Read Public portion of NV to get actual size */
+ rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
+ if (rc != 0) {
+ printf("Failed to read public for NV Index 0x%08x\n", nvIndex);
 }
- rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
+
+ /* Read data */
 if (rc == 0) {
- #ifdef DEBUG_WOLFTPM
- printf("EK Data: %d\n", certSz);
- TPM2_PrintBin(certBuf, certSz);
- #endif
+ certSz = (uint32_t)sizeof(certBuf);
+ if (certSz > nvPublic.dataSize) {
+ certSz = nvPublic.dataSize;
+ }
+ rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
+ if (rc == 0) {
+ #ifdef DEBUG_WOLFTPM
+ printf("EK Data: %d\n", certSz);
+ TPM2_PrintBin(certBuf, certSz);
+ #endif
+ }
 }
 /* Create Endorsement Key */
- if (rc == 0) {
- /* Get Endorsement Public Key template using NV index */
- rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
- if (rc != 0) {
- printf("EK Index 0x%08x not valid\n", nvIndex);
- rc = BAD_FUNC_ARG;
- }
- }
 if (rc == 0) {
 /* Create Endorsement Key using EK auth policy */
 printf("Creating Endorsement Key\n");
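Review bot: The relocated clamp `if (certSz > nvPublic.dataSize) certSz = nvPublic.dataSize;` still lets an NV index whose `dataSize` exceeds `sizeof(certBuf)` be read short, so a truncated DER blob is handed to the certificate parser later with no indication of the real cause. Report the oversize case explicitly before the read, `if (nvPublic.dataSize > sizeof(certBuf)) { printf("NV Index 0x%08x data too large\n", nvIndex); rc = BAD_FUNC_ARG; }`, instead of silently shortening the certificate. The debug line `printf("EK Data: %d\n", certSz)` formats a `uint32_t` with `%d`; `%u` matches the type. Note that a failed `wolfTPM2_NVReadPublic` no longer hits `continue` but falls through with a non-zero rc, so the rest of the iteration relies on the rc checks further down; the enclosing loop and function both end outside this hunk.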
@@ -324,12 +325,14 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 }
 }
 else {
- printf("Error importing certificates public key! %d\n", rc);
+ printf("Error importing certificates public key! %s (%d)\n",
+ TPM2_GetRCString(rc), rc);
+ rc = 0; /* ignore error */
 }
 }
 else {
- printf("Error parsing certificate 0x%x: %s\n",
- rc, TPM2_GetRCString(rc));
+ printf("Error parsing certificate! %s (%d)\n",
+ TPM2_GetRCString(rc), rc);
 }
 wc_FreeDecodedCert(&cert);
@@ -345,8 +348,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 #ifdef WOLFSSL_DER_TO_PEM
 /* Convert certificate to PEM and display */
- rc = wc_DerToPemEx(certBuf, certSz, NULL, 0, NULL, CERT_TYPE);
- if (rc > 0) {
+ rc = wc_DerToPem(certBuf, certSz, NULL, 0, CERT_TYPE);
+ if (rc > 0) { /* returns actual PEM size */
 pemSz = (word32)rc;
 rc = 0;
@@ -359,7 +362,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 if (rc == 0) {
 XMEMSET(pem, 0, pemSz);
 rc = wc_DerToPem(certBuf, certSz, (byte*)pem, pemSz, CERT_TYPE);
- if (rc > 0) {
+ if (rc > 0) { /* returns actual PEM size */
+ pemSz = (word32)rc;
 rc = 0;
 }
 }
diff --git a/examples/endorsement/trusted_certs.h b/examples/endorsement/trusted_certs.h
index af809e7..004e736 100644
--- a/examples/endorsement/trusted_certs.h
+++ b/examples/endorsement/trusted_certs.h
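Review bot: The added `rc = 0; /* ignore error */` after the failed public-key import lets the iteration proceed as if the certificate's key had been imported and compared against the primary EK's public area, so a certificate whose key cannot be loaded is carried forward without the cert-to-EK binding check that the preceding branch performs. If skipping that comparison is intended for key types the import cannot handle, make the skip visible in the result: set a local flag here (constructed name `ekKeyMatched = 0;`) and report it next to the validation outcome, or at minimum extend the message to `"... public key! %s (%d) - EK public key comparison skipped\n"`. The code that consumes rc after this point, and the enclosing function, lie outside the hunk.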
@@ -65,6 +65,76 @@ static const char* trusted_certs[] = { "OyD3mUxh8uFPhavNYLdFtrwguXqTVyZcZB+D\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=Infineon OPTIGA(TM) ECC Root CA + * Algorithms: ECDSA SECP384R1, SHA2-384 + * Validity: Jul 25 23:59:59 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICWzCCAeKgAwIBAgIBBDAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEhMB8G\n" + "A1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJR0Eo\n" + "VE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUNDIFJv\n" + "b3QgQ0EwHhcNMTMwNzI2MDAwMDAwWhcNNDMwNzI1MjM1OTU5WjB3MQswCQYDVQQG\n" + "EwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQL\n" + "DBJPUFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShU\n" + "TSkgRUNDIFJvb3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQm1HxLVgvAu1q2\n" + "GM+ymTz12zdTEu0JBVG9CdsVEJv/pE7pSWOlsG3YwU792YAvjSy7zL+WtDK40KGe\n" + "Om8bSWt46QJ00MQUkYxz6YqXbb14BBr06hWD6u6IMBupNkPd9pKjQjBAMB0GA1Ud\n" + "DgQWBBS0GIXISkrFEnryQDnexPWLHn5K0TAOBgNVHQ8BAf8EBAMCAAYwDwYDVR0T\n" + "AQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjA6QZcV8DjjbPuKjKDZQmTRywZk\n" + "MAn8wE6kuW3EouVvBt+/2O+szxMe4vxj8R6TDCYCMG7c9ov86ll/jDlJb/q0L4G+\n" + "+O3Bdel9P5+cOgzIGANkOPEzBQM3VfJegfnriT/kaA==\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) ECC Manufacturing CA 004 + * Issuer: CN=Infineon OPTIGA(TM) ECC Root CA + * Algorithms: ECDSA SECP256R1, SHA2-256 + * Validity: Nov 24 15:50:15 2034 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDRzCCAs2gAwIBAgIEfqIJfTAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUND\n" + "IFJvb3QgQ0EwHhcNMTQxMTI0MTU1MDE1WhcNMzQxMTI0MTU1MDE1WjCBgzELMAkG\n" + "A1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEaMBgG\n" + "A1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9QVElH\n" + "QShUTSkgRUNDIE1hbnVmYWN0dXJpbmcgQ0EgMDA0MFkwEwYHKoZIzj0CAQYIKoZI\n" + 
"zj0DAQcDQgAEU4vVtCu+sc2VldUl0QToWhbfRiAhumb2S3Seqm1P56agXPJsXw2h\n" + "ssA8ic0Jw7h1bGpM6+EzNBesTpGksBYuLqOCATgwggE0MFcGCCsGAQUFBwEBBEsw\n" + "STBHBggrBgEFBQcwAoY7aHR0cDovL3BraS5pbmZpbmVvbi5jb20vT3B0aWdhRWNj\n" + "Um9vdENBL09wdGlnYUVjY1Jvb3RDQS5jcnQwHQYDVR0OBBYEFL1sacB1nqqV3W0V\n" + "bqZBcMS5s2x4MA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAGAQH/AgEAMEwG\n" + "A1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYUVj\n" + "Y1Jvb3RDQS9PcHRpZ2FFY2NSb290Q0EuY3JsMBUGA1UdIAQOMAwwCgYIKoIUAEQB\n" + "FAEwHwYDVR0jBBgwFoAUtBiFyEpKxRJ68kA53sT1ix5+StEwEAYDVR0lBAkwBwYF\n" + "Z4EFCAEwCgYIKoZIzj0EAwMDaAAwZQIwTJ3astNZ2hyRMPG3RO1BeKieoANrv0jr\n" + "n5GONNPGZ11mVZYgFVSiheBZ9xqOFMvZAjEA9Qk+Dwmei1FuY/ztnGeRLw7bJ7lo\n" + "u+rdhyvlzIO6aI8x5wgJsbcX6ST5QEncz99t\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 ECC CA 042 + * Issuer: CN=Infineon OPTIGA(TM) ECC Root CA + * Algorithms: ECDSA SECP256R1, SHA2-384 + * Validity: Feb 8 15:39:27 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDOjCCAr+gAwIBAgIEGVn1IzAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUND\n" + "IFJvb3QgQ0EwHhcNMjMwMjA4MTUzOTI3WhcNNDMwMjA4MTUzOTI3WjB2MQswCQYD\n" + "VQQGEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRMwEQYD\n" + "VQQLDApPUFRJR0EoVE0pMS8wLQYDVQQDDCZJbmZpbmVvbiBPUFRJR0EoVE0pIFRQ\n" + "TSAyLjAgRUNDIENBIDA0MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHy6yq3F\n" + "3TCvBXY63AGJzHxRf45Gipj7C+W9mnAyz3LAEMTIVBtS4XcvHR6oQBt7RRvrpwLe\n" + "TJjg1Ngg0F4zHPGjggE4MIIBNDBXBggrBgEFBQcBAQRLMEkwRwYIKwYBBQUHMAKG\n" + "O2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYUVjY1Jvb3RDQS9PcHRpZ2FF\n" + "Y2NSb290Q0EuY3J0MB0GA1UdDgQWBBSxHzPMpgZWuiWcLpBaO1Q/UkSXkTAOBgNV\n" + "HQ8BAf8EBAMCAAYwEgYDVR0TAQH/BAgwBgEB/wIBADBMBgNVHR8ERTBDMEGgP6A9\n" + "hjtodHRwOi8vcGtpLmluZmluZW9uLmNvbS9PcHRpZ2FFY2NSb290Q0EvT3B0aWdh\n" + "RWNjUm9vdENBLmNybDAVBgNVHSAEDjAMMAoGCCqCFABEARQBMB8GA1UdIwQYMBaA\n" 
+ "FLQYhchKSsUSevJAOd7E9YsefkrRMBAGA1UdJQQJMAcGBWeBBQgBMAoGCCqGSM49\n" + "BAMDA2kAMGYCMQCyjrqHq1qqHCQQ14dvBtqUT90XuvfSOwE6Hda3GlIa9FdYC4Ue\n" + "AVJ/CuRKHi/VQSkCMQDc+HAcnipcopZBsa/jPV6Y6YdgnVCcDY0tdwtaeQgGNBRz\n" + "GRt1rxF2x8QNOKB9f28=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) RSA Root CA 2 * Algorithms: RSA 4096-bit, SHA2-256 * Validity: Nov 22 23:59:59 2054 GMT */ 
@@ -145,6 +215,119 @@ static const char* trusted_certs[] = { "Q6kr1MlRyGqkQFTEeOHGI0PngcLQJzKYfjHDDEZ+GA==\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=Infineon OPTIGA(TM) RSA Root CA + * Algorithms: RSA 4096-bit, SHA2-256 + * Validity: Jul 25 23:59:59 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFqzCCA5OgAwIBAgIBAzANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJERTEh\n" + "MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n" + "R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgUlNB\n" + "IFJvb3QgQ0EwHhcNMTMwNzI2MDAwMDAwWhcNNDMwNzI1MjM1OTU5WjB3MQswCQYD\n" + "VQQGEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYD\n" + "VQQLDBJPUFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElH\n" + "QShUTSkgUlNBIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\n" + "AQC7E+gc0B5T7awzux66zMMZMTtCkPqGv6a3NVx73ICg2DSwnipFwBiUl9soEodn\n" + "25SVVN7pqmvKA2gMTR5QexuYS9PPerfRZrBY00xyFx84V+mIRPg4YqUMLtZBcAwr\n" + "R3GO6cffHp20SBH5ITpuqKciwb0v5ueLdtZHYRPq1+jgy58IFY/vACyF/ccWZxUS\n" + "JRNSe4ruwBgI7NMWicxiiWQmz1fE3e0mUGQ1tu4M6MpZPxTZxWzN0mMz9noj1oIT\n" + "ZUnq/drN54LHzX45l+2b14f5FkvtcXxJ7OCkI7lmWIt8s5fE4HhixEgsR2RX5hzl\n" + "8XiHiS7uD3pQhBYSBN5IBbVWREex1IUat5eAOb9AXjnZ7ivxJKiY/BkOmrNgN8k2\n" + "7vOS4P81ix1GnXsjyHJ6mOtWRC9UHfvJcvM3U9tuU+3dRfib03NGxSPnKteL4SP1\n" + "bdHfiGjV3LIxzFHOfdjM2cvFJ6jXg5hwXCFSdsQm5e2BfT3dWDBSfR4h3Prpkl6d\n" + "cAyb3nNtMK3HR5yl6QBuJybw8afHT3KRbwvOHOCR0ZVJTszclEPcM3NQdwFlhqLS\n" + "ghIflaKSPv9yHTKeg2AB5q9JSG2nwSTrjDKRab225+zJ0yylH5NwxIBLaVHDyAEu\n" + "81af+wnm99oqgvJuDKSQGyLf6sCeuy81wQYO46yNa+xJwQIDAQABo0IwQDAdBgNV\n" + "HQ4EFgQU3LtWq/EY/KaadREQZYQSntVBkrkwDgYDVR0PAQH/BAQDAgAGMA8GA1Ud\n" + "EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGHTBUx3ETIXYJsaAgb2pyyN\n" + "UltVL2bKzGMVSsnTCrXUU8hKrDQh3jNIMrS0d6dU/fGaGJvehxmmJfjaN/IFWA4M\n" + "BdZEnpAe2fJEP8vbLa/QHVfsAVuotLD6QWAqeaC2txpxkerveoV2JAwj1jrprT4y\n" + "rkS8SxZuKS05rYdlG30GjOKTq81amQtGf2NlNiM0lBB/SKTt0Uv5TK0jIWbz2WoZ\n" + 
"gGut7mF0md1rHRauWRcoHQdxWSQTCTtgoQzeBj4IS6N3QxQBKV9LL9UWm+CMIT7Y\n" + "np8bSJ8oW4UdpSuYWe1ZwSjZyzDiSzpuc4gTS6aHfMmEfoVwC8HN03/HD6B1Lwo2\n" + "DvEaqAxkya9IYWrDqkMrEErJO6cqx/vfIcfY/8JYmUJGTmvVlaODJTwYwov/2rjr\n" + "la5gR+xrTM7dq8bZimSQTO8h6cdL6u+3c8mGriCQkNZIZEac/Gdn+KwydaOZIcnf\n" + "Rdp3SalxsSp6cWwJGE4wpYKB2ClM2QF3yNQoTGNwMlpsxnU72ihDi/RxyaRTz9OR\n" + "pubNq8Wuq7jQUs5U00ryrMCZog1cxLzyfZwwCYh6O2CmbvMoydHNy5CU3ygxaLWv\n" + "JpgZVHN103npVMR3mLNa3QE+5MFlBlP3Mmystu8iVAKJas39VO5y5jad4dRLkwtM\n" + "6sJa8iBpdRjZrBp5sJBI\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) RSA Manufacturing CA 004 + * Issuer: CN=Infineon OPTIGA(TM) RSA Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Nov 24 15:39:16 2034 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFszCCA5ugAwIBAgIEIe/JKTANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJE\n" + "RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP\n" + "UFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkg\n" + "UlNBIFJvb3QgQ0EwHhcNMTQxMTI0MTUzOTE2WhcNMzQxMTI0MTUzOTE2WjCBgzEL\n" + "MAkGA1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEa\n" + "MBgGA1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9Q\n" + "VElHQShUTSkgUlNBIE1hbnVmYWN0dXJpbmcgQ0EgMDA0MIIBIjANBgkqhkiG9w0B\n" + "AQEFAAOCAQ8AMIIBCgKCAQEAhFAEamE+AGtKlpCDU1ILU3NUVjkrU2MiD+RcYM44\n" + "/+t6Ho90lVLIarwpjUC9E6skZDwSfjDFv1yR+xJ6nnfK05PX6CcW4I6xIYsPLESQ\n" + "Pe988Ug9FoTvqgQ/yy+5Ru16xFNWWCCF1KgMwyxgaX2hnkUU7aOIVPD1pHS/17TN\n" + "6F2zl46OL8qX9z9yHi+DRtjWZrQhQQ6lvi+hU+fgtFKGUUdZL/jyZXALVMvTt9hO\n" + "o7HPJDbzAIfCY5TZQByTbUwN+61twPw3m8QzNI79GlDDewD2nVzomDJUvV02Dbrb\n" + "e+NiLnZ/jZcHzWmF0ERqXM/sNnsWxSx7ECQV9mb4LPscCwIDAQABo4IBODCCATQw\n" + "VwYIKwYBBQUHAQEESzBJMEcGCCsGAQUFBzAChjtodHRwOi8vcGtpLmluZmluZW9u\n" + "LmNvbS9PcHRpZ2FSc2FSb290Q0EvT3B0aWdhUnNhUm9vdENBLmNydDAdBgNVHQ4E\n" + "FgQUJjt0TYVBK65uE+lKU8I1GFuk7uwwDgYDVR0PAQH/BAQDAgAGMBIGA1UdEwEB\n" + "/wQIMAYBAf8CAQAwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3BraS5pbmZpbmVv\n" + 
"bi5jb20vT3B0aWdhUnNhUm9vdENBL09wdGlnYVJzYVJvb3RDQS5jcmwwFQYDVR0g\n" + "BA4wDDAKBggqghQARAEUATAfBgNVHSMEGDAWgBTcu1ar8Rj8ppp1ERBlhBKe1UGS\n" + "uTAQBgNVHSUECTAHBgVngQUIATANBgkqhkiG9w0BAQsFAAOCAgEANY49i1/+6S9J\n" + "VS/yaHfxn49uVFMwJNeM7Ez6sANMxZ6UlSW5tz1xcwBo9ysViyt9W45MmKbXz0jz\n" + "HQBTuq3jq+aDjYJAtpvlQoqARSa0P6hXPMYXXLas7z/DwUeWomV+iYczG067Swsh\n" + "jQ4WKtg3o4f82Zmd39oJpYgIbJJPC7KyaNuDionRw5fiVfgEPRmUsB1jQGWz/d/r\n" + "YWjFU6zr6kqrVoostGls6PXxfyYcw9iiMsHWgsekyW3q+4mDRSaLJMyixw1Vwfy0\n" + "TmYjrwg6hi9+JrIJpnFCb8aCjZvZ0JZj+tWgjGnmw0acej2SEFItMBz0UHQNXn0j\n" + "BLVYfu9RwulqFWd52pumJVHECoDEQn93MdzippYAqEE9kaEl5wt8cd+9uRCcBuy2\n" + "OPleKXWvuYEEjqH7SbBxHiZuqdHZvFkfRdSNc1dW7sKE6N4UZ+b8+UoCha2pUzE2\n" + "yYeE3dkv/E1K+6uq38Fe42Iz22hlZrEeA3aGrHopOFvUY2MOM8ksdDBwQZ5YzBQ4\n" + "HcD5RHrvsYUbkcPnnVVkN+M8IKJ+6LVowx3EG+ytzVixHrSVJ91ooG9ocD2vxZAU\n" + "bY8gLugWaRbOZkgYaHTj4Rjq3ZxuEPXEDKrSm7nUgMMlq5BDYhVzBWXrJtyYIv37\n" + "QHaD0AfWGx+CiPbtXWmvkhC+QLzYnWI=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 042 + * Issuer: CN=Infineon OPTIGA(TM) RSA Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Feb 8 15:28:15 2043 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIFpTCCA42gAwIBAgIEX/V0ezANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJE\n" + "RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP\n" + "UFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkg\n" + "UlNBIFJvb3QgQ0EwHhcNMjMwMjA4MTUyODE1WhcNNDMwMjA4MTUyODE1WjB2MQsw\n" + "CQYDVQQGEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRMw\n" + "EQYDVQQLDApPUFRJR0EoVE0pMS8wLQYDVQQDDCZJbmZpbmVvbiBPUFRJR0EoVE0p\n" + "IFRQTSAyLjAgUlNBIENBIDA0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAIVUeKYRnVu2bZCwKKd5zH3oOYz73J3ZPoMviq90y51mccnCiydAwR5k+uSr\n" + "NBjIUUVpQc11K005HbU42lA02XHBlchHVAd1rHPUp55Qvscsh/OU0MTV7Cb7LLnS\n" + "Mm9hD7K5bwdNjnSxD6gayoBwAOa5p23FBuqCiUPNzUD+1rtrkYyFD3t8WmnDbfxe\n" + "UWh5wWzIV0PGV7sKPOov+IXEfXFF+fWAwsGXTPi5+cibRLwoy88Rk/+vRLVxg0eZ\n" + 
"OnxH8B+qcpEIPmXfxbdGqUoY82icT1Nj1EjCjkyMTAxH5Q+8PVDHDjyRLNg+6aYt\n" + "MXYTX0D6MxhobOVjYLgZAnQPlkcCAwEAAaOCATgwggE0MFcGCCsGAQUFBwEBBEsw\n" + "STBHBggrBgEFBQcwAoY7aHR0cDovL3BraS5pbmZpbmVvbi5jb20vT3B0aWdhUnNh\n" + "Um9vdENBL09wdGlnYVJzYVJvb3RDQS5jcnQwHQYDVR0OBBYEFF0IFZUfX2Bjimnn\n" + "JS8+xL7NdVSyMA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAGAQH/AgEAMEwG\n" + "A1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYVJz\n" + "YVJvb3RDQS9PcHRpZ2FSc2FSb290Q0EuY3JsMBUGA1UdIAQOMAwwCgYIKoIUAEQB\n" + "FAEwHwYDVR0jBBgwFoAU3LtWq/EY/KaadREQZYQSntVBkrkwEAYDVR0lBAkwBwYF\n" + "Z4EFCAEwDQYJKoZIhvcNAQELBQADggIBAHvzvbu2R2CTigvQNVNIBD+10puObvI7\n" + "p4n2u7ckS+RJaaFYysnC939IexEzqMHgZOSGJD2Fzq9Yqa2gMHzgsnzdj1V4ssfz\n" + "GEboIVJ3nhItIqgVj0HXfQrb1JXU7noI+db87MGA0gfLG52wqTI26gqZtb9GH6JB\n" + "y6OIL8NvmrRUpgOb6r0ltAhmIDnQz73M7qW0j1Y/OKa3M8T8QVSdbDeNydH2eSck\n" + "NzvbkeZED63YPcztxMGqZ3kL1NfzGHqtPvjlS53kQ4k+uvU42X4uzldBsXaByXMK\n" + "gjQKaEgG64lCLafQWB3KjgF6U37oHQ3GvCOeR6HZx/MOZXr9+T6ZzdVQJPZcIPu2\n" + "9dhftbLYYKlnkSab8JwPX1cpXJL+xMqd6Bjpr044iOTrD/Hjqck+QvhCt2pSpB4e\n" + "72z21KboAFb6xLUYf8KIvnhY9XFeBGpLabKn1Gq79x4BLsXJQuuQ8bmwWDa+e+F5\n" + "rb16CgnTvwMJE8+B0hOdk+/40whTwVwc7OlAwkRHiVKfPw7JOP4pyOV0QIlyWLcH\n" + "2yg7raQFCjdtnvIX0Eq3RDwFk6b9hK3+89uIuA8/uW3bY5HuJEQd0bWZoeD2WBHf\n" + "V9iAx0TwwBsEPrHwQxB6uktXjqCKk1PJAtaiAB6hFQpe26gAopXnxA6ezpgMKGVt\n" + "e1NOreRnWJCu\n" + "-----END CERTIFICATE-----\n", + /* ---------------------------------------------------------------*/ /* STMicroelectronics NV */ 
@@ -218,6 +401,48 @@ static const char* trusted_certs[] = { "3QJ/mdWzkS8U0LlHNOV2Lb9PF4B10A==\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=STM TPM ECC Root CA 01 + * Algorithms: ECDSA SECP384R1, SHA2-384 + * Validity: Jan 19 03:14:07 2038 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICyDCCAk+gAwIBAgIORyzLp/OdsAvb9r+66LowCgYIKoZIzj0EAwMwgYsxOzA5\n" + "BgNVBAsTMkdsb2JhbFNpZ24gVHJ1c3RlZCBDb21wdXRpbmcgQ2VydGlmaWNhdGUg\n" + "QXV0aG9yaXR5MRMwEQYDVQQKEwpHbG9iYWxTaWduMTcwNQYDVQQDEy5HbG9iYWxT\n" + "aWduIFRydXN0ZWQgUGxhdGZvcm0gTW9kdWxlIEVDQyBSb290IENBMB4XDTE1MTAy\n" + "ODAwMDAwMFoXDTM4MDExOTAzMTQwN1owTjELMAkGA1UEBhMCQ0gxHjAcBgNVBAoT\n" + "FVNUTWljcm9lbGVjdHJvbmljcyBOVjEfMB0GA1UEAxMWU1RNIFRQTSBFQ0MgUm9v\n" + "dCBDQSAwMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABG7/OLXMiprQQHwNnkpT6aqG\n" + "zOGLcbbAgUtyjlXOZtuv0GB0ttJ6fwMwgFtt8RKlko8Bwn89/BoZOUcI4ne8ddRS\n" + "oqE6StnU3I13qqjalToq3Rnz61Omn6NErK1pxUe3j6OBtTCBsjAOBgNVHQ8BAf8E\n" + "BAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUIJJWPAtDqAVyUwMp\n" + "BxwH4OvsAwQwHwYDVR0jBBgwFoAUYT78EZkKf7CpW5CgJl4pYUe3MAMwTAYDVR0g\n" + "BEUwQzBBBgkrBgEEAaAyAVowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv\n" + "YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCgYIKoZIzj0EAwMDZwAwZAIwWnuUAzwy\n" + "vHUhHehymKTZ2QcPUwHX0LdcVTac4ohyEL3zcuv/dM0BN62kFxHgBOhWAjAIxt9i\n" + "50yAxy0Z/MeV2NTXqKpLwdhWNuzOSFZnzRKsh9MxY3zj8nebDNlHTDGSMR0=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STM TPM ECC Intermediate CA 02 + * Issuer: CN=STM TPM ECC Root CA 01 + * Algorithms: ECDSA SECP256R1, SHA2-384 + * Validity: Nov 22 00:00:00 2038 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIICZTCCAeygAwIBAgIEQAAAAjAKBggqhkjOPQQDAzBOMQswCQYDVQQGEwJDSDEe\n" + "MBwGA1UECgwVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR8wHQYDVQQDDBZTVE0gVFBN\n" + "IEVDQyBSb290IENBIDAxMB4XDTE4MTEyMjAwMDAwMFoXDTM4MTEyMjAwMDAwMFow\n" + "VjELMAkGA1UEBhMCQ0gxHjAcBgNVBAoMFVNUTWljcm9lbGVjdHJvbmljcyBOVjEn\n" + "MCUGA1UEAwweU1RNIFRQTSBFQ0MgSW50ZXJtZWRpYXRlIENBIDAyMFkwEwYHKoZI\n" + 
"zj0CAQYIKoZIzj0DAQcDQgAE08t33aGM5M5aeBmzcn5H3HS31CGBJ2bbJ6fvJJ0i\n" + "VCfZrN9sesL0D+NGfwtEklk7mgT/2vfW2dO9OqsyukSw2aOBrzCBrDAdBgNVHQ4E\n" + "FgQUZi2PHOzf8UeotvDqKWr38kyt+c8wHwYDVR0jBBgwFoAUIJJWPAtDqAVyUwMp\n" + "BxwH4OvsAwQwRQYDVR0gAQH/BDswOTA3BgRVHSAAMC8wLQYIKwYBBQUHAgEWIWh0\n" + "dHA6Ly93d3cuc3QuY29tL1RQTS9yZXBvc2l0b3J5LzAPBgNVHQ8BAf8EBQMDAQQC\n" + "MBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwMDZwAwZAIwJl4q6QuGhqQD\n" + "pvP1gBBu8OhbQAXL8Rwhg1FWs8BvC4VYt6Tqe9xLqjbtbgR8UOyvAjAhzSbC+r8A\n" + "2Wx1aOwAIqs1tmBXpofqcOXYeCSXKajOv5Jlzk6sDnEH2omN+ydt924=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STSAFE RSA Root CA 02 * Algorithms: RSA 4096-bit, SHA2-384 * Validity: Dec 31 00:00:00 9999 GMT */ 
@@ -295,6 +520,62 @@ static const char* trusted_certs[] = { "uKErQfPEhjYLdzF8/OYW7w==\n" "-----END CERTIFICATE-----\n", + /* Subject: CN=STM TPM EK Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Dec 31 23:59:59 2039 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIEDDCCAvSgAwIBAgILBAAAAAABIsFs834wDQYJKoZIhvcNAQELBQAwgYcxOzA5\n" + "BgNVBAsTMkdsb2JhbFNpZ24gVHJ1c3RlZCBDb21wdXRpbmcgQ2VydGlmaWNhdGUg\n" + "QXV0aG9yaXR5MRMwEQYDVQQKEwpHbG9iYWxTaWduMTMwMQYDVQQDEypHbG9iYWxT\n" + "aWduIFRydXN0ZWQgUGxhdGZvcm0gTW9kdWxlIFJvb3QgQ0EwHhcNMDkwNzI4MTIw\n" + "MDAwWhcNMzkxMjMxMjM1OTU5WjBKMQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RN\n" + "aWNyb2VsZWN0cm9uaWNzIE5WMRswGQYDVQQDExJTVE0gVFBNIEVLIFJvb3QgQ0Ew\n" + "ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDxBLG5wcB9J0MsiJMreoWQ\n" + "l21bBN12SSGZPJ3HoPjzcrzAz6SPy+TrFmZ6eUVspsFL/23wdPprqTUtDHi+C2pw\n" + "k/3dF3/Rb2t/yHgiPlbCshYpi5f/rJ7nzbQ1ca2LzX3saBe53VfNQQV0zd5uM0DT\n" + "SrmAKU1RIAj2WlZFWXoN4NWTyRtqT5suPHa2y8FlCWMZKlS0FiY4pfM20b5YQ+EL\n" + "4zqb9zN53u/TdYZegrfSlc30Nl9G13Mgi+8rtPFKwsxx05EBbhVroH7aKVI1djsf\n" + "E1MVrUzw62PHik3xlzznXML8OjY//xKeiCWcsApuGCaIAf7TsTRi2l8DNB3rCr1X\n" + "AgMBAAGjgbQwgbEwDgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQEw\n" + "HQYDVR0OBBYEFG/mxWwHt2yLCoGSg1zLQR72jtEnMEsGA1UdIAREMEIwQAYJKwYB\n" + "BAGgMgFaMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQv\n" + "cmVwb3NpdG9yeS8wHwYDVR0jBBgwFoAUHiNj8IW19iVO7RrAUL5lfMfUFXowDQYJ\n" + "KoZIhvcNAQELBQADggEBAFrKpwFmRh7BGdpPZWc1Y6wIbdTAF6T+q1KwDJcyAjgJ\n" + "qThFp3xTAt3tvyVrCRf7T/YARYE24DNa0iFaXsIXeQASDYHJjAZ6LQTslYBeRYLb\n" + "C9v8ZE2ocKSCiC8ALYlJWk39Wob0H1Lk6l2zcUo3oKczGiAcRrlmwV496wvGyted\n" + "2RBcLZro7yhOOGr9KMabV14fNl0lG+31J1nWI2hgTqh53GXg1QH2YpggD3b7UbVm\n" + "c6GZaX37N3z15XfQafuAfHt10kYCNdePzC9tOwirHIsO8lrxoNlzOSxX8SqQGbBI\n" + "+kWoe5+SY3gdOGGDQKIdw3W1poMN8bQ5x7XFcgVMwVU=\n" + "-----END CERTIFICATE-----\n", + + /* Subject: CN=STM TPM EK Intermediate CA 06 + * Issuer: CN=STM TPM EK Root CA + * Algorithms: RSA 2048-bit, SHA2-256 + * Validity: Jan 1 00:00:00 
2038 GMT */ + "-----BEGIN CERTIFICATE-----\n" + "MIIDzDCCArSgAwIBAgIEQAAABzANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJD\n" + "SDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMRswGQYDVQQDExJTVE0g\n" + "VFBNIEVLIFJvb3QgQ0EwHhcNMTgxMDMxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBV\n" + "MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSYw\n" + "JAYDVQQDEx1TVE0gVFBNIEVLIEludGVybWVkaWF0ZSBDQSAwNjCCASIwDQYJKoZI\n" + "hvcNAQEBBQADggEPADCCAQoCggEBAOvIjXBLbVBfIC7SFjcz4hm6R0IyuRJpJ45n\n" + "pYytlAHmoVosoT3isl52T4UB4T1r1b8y7Y+vW3Ed0sZO+m/pHtUc5h9050ynGedt\n" + "0uvuNZ1cVnX2h/XTcdKIawqEBVXRZQ5OJMp/aDlUwsUeBT+SlhAagNhmyNw2tC2a\n" + "b5d7qr8FU03Ds6io892aSD23z51yLAix121uUHIPmHByaZRnaKctTbu7ulwINlrd\n" + "cB953Z0WVQhil5yjZs14yd4yAnA3Z1ZW+mrOkr8ehVsUbvrUxyfhMInMrETIxR4R\n" + "9X5cTIVia2SVTtfqrb6XMC1/T7K1PH90QXtlt3WILMMNJhLDy+kCAwEAAaOBrjCB\n" + "qzAdBgNVHQ4EFgQU+xfXDXNIcOkZxOjmA5deZk4OQ94wHwYDVR0jBBgwFoAUb+bF\n" + "bAe3bIsKgZKDXMtBHvaO0ScwRQYDVR0gAQH/BDswOTA3BgRVHSAAMC8wLQYIKwYB\n" + "BQUHAgEWIWh0dHA6Ly93d3cuc3QuY29tL1RQTS9yZXBvc2l0b3J5LzAOBgNVHQ8B\n" + "Af8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEA\n" + "OiwipeVJ4yK/hBF6KgfcCUltlqmoPoHyffzfpPjNBeYqmdaRqxJdbY9FaSrcbJBA\n" + "hKRHfWYPCB03TnWstmfadgzbC/8mITx56Cb2EXpvYhrAu8G7a54h0sIhEloK/FAx\n" + "Zdgg3Y2tnPhihQ80xdqtaZRoXqjiqKq1p7IHwtQZiFCCCD1jny8qfZLCOYx50/mJ\n" + "QXk8WvzPl0xsAOhp5Id6OAeq/6dmwjUBpZBzhwmbnt5kX7OKnuoVr3H+8X1Zycz8\n" + "lq3znYqMaPWDTIQm6gnm//ahb9bBN0GL57fT6RuNy6jH7SRZYZ4zZRtAHyPogA/b\n" + "gbBsXr0NrHh671Y1j4cOYA==\n" + "-----END CERTIFICATE-----\n", + }; #endif /* WOLFTPM_TRUSTED_CERTS_H */