Description
Hello!
I have been having issues with using a few commands with the provider on Windows. I think the issue is with using ContextSave/Load on Windows as streaming to the TPM might be blocked by the OS. For the simple CSR test/example, I have been getting the following error when issuing the certificate from the TPM-based CA:
ERROR:esys:api\Esys_ContextSave.c:256:Esys_ContextSave_Finish() Received a non-TPM Error
ERROR:esys:api\Esys_ContextSave.c:97:Esys_ContextSave() Esys Finish ErrorCode (0x80280400)
ERROR:esys:esys_iutil.c:1253:iesys_check_sequence_async() Esys called in bad sequence.
ERROR:esys:api\Esys_FlushContext.c:69:Esys_FlushContext() Error in async function ErrorCode (0x00070007)
Certificate request self-signature did not match the contents
2CCB0000:error:40800013:tpm2:tpm2_hash_sequence_dup:cannot duplicate context:src\tpm2-provider-digest.c:49:-2144861184
2CCB0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto\asn1\a_verify.c:217:
RSA FREE
ERROR:esys:esys_iutil.c:1253:iesys_check_sequence_async() Esys called in bad sequence.
ERROR:esys:api\Esys_FlushContext.c:69:Esys_FlushContext() Error in async function ErrorCode (0x00070007)
I am curious if Windows is indeed blocking this or if it is an issue with how I installed/loaded the provider. If the former, could I simply modify some of the provider source code to "skip" this code or fix it for the Windows use-case?
EDIT: So, I have possibly "fixed" it. When running the command, taking out -propquery "?provider=tpm2" seems to make the command work, including having the TPM2 key still do the signature. Could someone help explain why this is the case? Is this causing another problem "under the hood?" Sorry for my possible ignorance, and thank you so, so much for your help!