DMTF · itsManjeet · Nov 16, 2025
@@ -0,0 +1,22 @@
+/**
+ *  Copyright Notice:
+ *  Copyright 2021-2025 DMTF. All rights reserved.
+ *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
+ **/
+
+#ifndef __CRYPTLIB_TPM_H__
+#define __CRYPTLIB_TPM_H__
+
+#include <stdbool.h>
+
+bool libspdm_tpm_device_init();
+
+bool libspdm_tpm_get_private_key(void *handle, void **context);
+
+bool libspdm_tpm_get_public_key(void *handle, void **context);
+
+bool libspdm_tpm_get_certificate(void *handle, void **context);
+
+bool libspdm_tpm_dump_certificate(void *context, void **buffer, size_t *size);
+
+#endif
@@ -5,6 +5,7 @@
  **/
 
 #include "internal/libspdm_crypt_lib.h"
+#include <openssl/x509.h>
 
 #if LIBSPDM_CERT_PARSE_SUPPORT
 
@@ -180,6 +181,25 @@ typedef bool (*libspdm_asym_get_public_key_from_x509_func)(const uint8_t *cert,
                                                            size_t cert_size,
                                                            void **context);
 
+static void dump_hex(const char* id, const unsigned char *buf, long buflen)
+{
+    char buffer[4096];
+    const unsigned char *p = buf;
+    X509 *cert = d2i_X509(NULL, &p, buflen);
+    if (!cert) {
+        printf("Not an X.509 cert inside this ASN.1 object.\n");
+        return;
+    }
+
+    /* Print certificate */
+    BIO *bio = BIO_new(BIO_s_mem());
+    X509_print(bio, cert);
+    int s = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[s] = '\0';
+    printf("%s CERT: %s\n", id, buffer);
+    X509_free(cert);
+}
+
 /**
  * Return asymmetric GET_PUBLIC_KEY_FROM_X509 function, based upon the negotiated asymmetric algorithm.
  *
@@ -2143,6 +2163,8 @@ bool libspdm_verify_cert_chain_data_with_pqc(
         return false;
     }
 
+    dump_hex("ROOT", root_cert_buffer, root_cert_buffer_size);
+
     if (!libspdm_x509_verify_cert_chain(root_cert_buffer, root_cert_buffer_size,
                                         cert_chain_data, cert_chain_data_size)) {
         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
@@ -2158,6 +2180,8 @@ bool libspdm_verify_cert_chain_data_with_pqc(
         return false;
     }
 
+    dump_hex("LEAF", leaf_cert_buffer, leaf_cert_buffer_size);
+
     if (!libspdm_x509_certificate_check_with_pqc(leaf_cert_buffer, leaf_cert_buffer_size,
                                                  base_asym_algo, pqc_asym_algo, base_hash_algo,
                                                  is_requester_cert, is_device_cert_model)) {

@@ -47,6 +47,7 @@ target_sources(cryptlib_openssl
         pk/x509_pqc.c
         rand/rand.c
         sys_call/crt_wrapper_host.c
+        tpm/tpm.c
 )
 
 target_compile_options(cryptlib_openssl PRIVATE ${OPENSSL_FLAGS})

@@ -681,6 +681,13 @@ bool libspdm_ecdsa_sign(void *ec_context, size_t hash_nid,
         return false;
     }
 
+    char buffer[4096];
+    BIO *bio = BIO_new(BIO_s_mem());
+    EVP_PKEY_print_public(bio, evp_pkey, 4, NULL);
+    int len = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[len] = '\0';
+    printf("SIGN PUBLIC KEY: %s\n", buffer);
+
     half_size = evp_pkey_get_half_size(evp_pkey);
     if (*sig_size < (size_t)(half_size * 2)) {
         *sig_size = half_size * 2;
@@ -828,6 +835,13 @@ bool libspdm_ecdsa_verify(void *ec_context, size_t hash_nid,
         return false;
     }
 
+    char buffer[4096];
+    BIO *bio = BIO_new(BIO_s_mem());
+    EVP_PKEY_print_public(bio, evp_pkey, 4, NULL);
+    int len = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[len] = '\0';
+    printf("VERIFY PUBLIC KEY: %s\n", buffer);
+
     half_size = evp_pkey_get_half_size(evp_pkey);
     if (sig_size != (size_t)(half_size * 2)) {
         return false;

@@ -35,6 +35,26 @@
 static const uint8_t m_libspdm_oid_ext_key_usage[] = OID_EXT_KEY_USAGE;
 static const uint8_t m_libspdm_oid_basic_constraints[] = OID_BASIC_CONSTRAINTS;
 
+static void dump_hex(const char* id, const unsigned char *buf, long buflen)
+{
+    char buffer[4096];
+    const unsigned char *p = buf;
+    X509 *cert = d2i_X509(NULL, &p, buflen);
+    if (!cert) {
+        printf("Not an X.509 cert inside this ASN.1 object.\n");
+        return;
+    }
+
+    /* Print certificate */
+    BIO *bio = BIO_new(BIO_s_mem());
+    X509_print(bio, cert);
+    int s = BIO_read(bio, (void*) buffer, sizeof(buffer));
+    buffer[s] = '\0';
+    printf("%s CERT: %s\n", id, buffer);
+    X509_free(cert);
+}
+
+// 
 /**
  * Construct a X509 object from DER-encoded certificate data.
  *
@@ -2037,6 +2057,8 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
 
         /* Verify current_cert with preceding cert;*/
 
+        dump_hex("CURRENT", current_cert, current_cert_len);
+        dump_hex("PRECEDING", preceding_cert, preceding_cert_len);
         verify_flag =
             libspdm_x509_verify_cert(current_cert, current_cert_len,
                                      preceding_cert, preceding_cert_len);

@@ -0,0 +1,151 @@
+/**
+ *  Copyright Notice:
+ *  Copyright 2021-2025 DMTF. All rights reserved.
+ *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
+ **/
+
+#include <openssl/err.h>
+
+#include <openssl/provider.h>
+#include <openssl/store.h>
+#include "hal/library/cryptlib/cryptlib_tpm.h"
+
+#include "key_context.h"
+
+bool g_tpm_device_initialized = false;
+
+static libspdm_key_context *create_key_context(EVP_PKEY *pkey)
+{
+    libspdm_key_context *context = (libspdm_key_context *)malloc(sizeof(libspdm_key_context));
+    context->evp_pkey = pkey;
+    return context;
+}
+
+static void print_openssl_errors(void)
+{
+    unsigned long err;
+    while ((err = ERR_get_error()) != 0)
+    {
+        char buf[256];
+        ERR_error_string_n(err, buf, sizeof(buf));
+        fprintf(stderr, "OpenSSL error: %s\n", buf);
+    }
+}
+
+bool libspdm_tpm_device_init()
+{
+    OSSL_PROVIDER *tpm_provider = NULL;
+
+    if (g_tpm_device_initialized)
+        return true;
+
+    OSSL_PROVIDER_set_default_search_path(NULL, "/usr/lib/aarch64-linux-gnu/ossl-modules/");
+    tpm_provider = OSSL_PROVIDER_load(NULL, "tpm2");
+    if (tpm_provider == NULL)
+    {
+        fprintf(stderr, "ERROR: failed to load tpm2\n");
+        print_openssl_errors();
+        return false;
+    }
+
+    OSSL_PROVIDER_load(NULL, "default");
+    OSSL_PROVIDER_load(NULL, "legacy");
+
+    g_tpm_device_initialized = true;
+    return true;
+}
+
+static bool get_keyinfo(const char *handle, void **context, int keyinfo_type)
+{
+    OSSL_STORE_CTX *store_ctx = NULL;
+    OSSL_STORE_INFO *info = NULL;
+
+    /* handle must look like: "tpm2tss:0x81010002" */
+    store_ctx = OSSL_STORE_open_ex(handle, NULL, "provider=tpm2", NULL, NULL, NULL, NULL, NULL);
+    if (!store_ctx)
+    {
+        return false;
+    }
+
+    while ((info = OSSL_STORE_load(store_ctx)) != NULL)
+    {
+        if (OSSL_STORE_INFO_get_type(info) == keyinfo_type)
+        {
+            switch (keyinfo_type)
+            {
+            case OSSL_STORE_INFO_PKEY:
+                *context = OSSL_STORE_INFO_get1_PKEY(info);
+                break;
+            case OSSL_STORE_INFO_PUBKEY:
+                *context = OSSL_STORE_INFO_get1_PUBKEY(info);
+                break;
+            case OSSL_STORE_INFO_CERT:
+                *context = OSSL_STORE_INFO_get1_CERT(info);
+                break;
+            }
+            break;
+        }
+        OSSL_STORE_INFO_free(info);
+    }
+
+    OSSL_STORE_close(store_ctx);
+
+    if (*context == NULL)
+    {
+        fprintf(stderr, "no keyinfo %d found on handle %s\n", keyinfo_type, handle);
+        return false;
+    }
+
+    return true;
+}
+
+bool libspdm_tpm_get_private_key(void *handle, void **context)
+{
+    EVP_PKEY *pkey = NULL;
+    if (!get_keyinfo((const char *)handle, (void **)&pkey, OSSL_STORE_INFO_PKEY))
+    {
+        return false;
+    }
+    *context = create_key_context(pkey);
+    return true;
+}
+
+bool libspdm_tpm_get_public_key(void *handle, void **context)
+{
+    EVP_PKEY *pkey = NULL;
+    if (!get_keyinfo((const char *)handle, (void **)&pkey, OSSL_STORE_INFO_PUBKEY))
+    {
+        return false;
+    }
+    *context = create_key_context(pkey);
+    return true;
+}
+
+bool libspdm_tpm_get_certificate(void *handle, void **context)
+{
+    return get_keyinfo((const char *)handle, context, OSSL_STORE_INFO_CERT);
+}
+
+bool libspdm_tpm_dump_certificate(void *context, void **buffer, size_t *size)
+{
+    int len = 0;
+    len = i2d_X509((X509 *)context, NULL);
+    if (len < 0)
+        return false;
+
+    void *cert = OPENSSL_malloc(len);
+    if (cert == NULL)
+    {
+        return false;
+    }
+    *buffer = cert;
+    len = i2d_X509((X509 *)context, (unsigned char **)&cert);
+    if (len < 0)
+    {
+        free(*buffer);
+        *buffer = NULL;
+        return false;
+    }
+    *size = len;
+    return true;
+}