How to validate Attestation Key name in Platform Certificate
- 13 Dec 2024
This process uses the Endorsement Key's (EK) public key to verify that the TPM holds the Attestation Key (AK) whose name is recorded in the Platform Certificate. The verifier wraps a nonce to the EK public key and the AK name with tpm2_makecredential; only a TPM that holds the EK private key and an object with exactly that name can unwrap the nonce and return it.
# Extract the public key from the EK certificate
openssl x509 -pubkey -noout -in ek.crt > ek-public-key.pem
# Extract the AK name from the Platform Certificate (value of the attribute with this OID)
ak_name=$(
openssl x509 -noout -text -in device-platform-certificate.crt | \
grep -A 1 '1.3.6.1.4.1.42518.4.2.1.1.1.20' | tail -n 1 | \
tr -d ' ' | sed 's/^.D//'
)
# Create a nonce (challenge). $RANDOM is only 15 bits of entropy; outside a quick test
# use a longer value, e.g. "openssl rand -hex 16 > nonce.txt"
echo "$RANDOM" > nonce.txt
# Create the TPM credential with the nonce as the secret, bound to the AK name
tpm2_makecredential -Q \
-T none \
-u ek-public-key.pem \
-s "nonce.txt" \
-n "$ak_name" \
-o "credential.out" \
-G rsa
# Convert the credential to base64 on a single line (base64 wraps at 76 columns by default)
credential_base64="$(base64 < credential.out | tr -d '\n')"
# EK/TPM challenge. $ticket must already hold a valid API session ticket obtained from the
# Nodegrid API login. --insecure skips TLS verification of the appliance certificate;
# drop it once the appliance presents a certificate your client trusts.
curl -s -X POST \
"https://nodegrid/api/v1/system/platformcertificate/challenge" \
--insecure \
-H "Content-Type: text/plain" \
-H 'accept: application/json' \
-H "ticket: ${ticket}" \
-d "$credential_base64" | \
jq . > response.json
# Check that the nonce returned by the device matches nonce.txt
jq -r .data.nonce response.json | base64 -d > device-nonce.txt
cmp nonce.txt device-nonce.txt && echo "EK was successfully challenged"
# Expected output: EK was successfully challenged
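To make clear what the challenge above actually proves, the following is an added example (not ZPE's code and not part of tpm2-tools) that reimplements the TPM 2.0 credential-protection scheme used by tpm2_makecredential on the verifier side and by TPM2_ActivateCredential inside the device's TPM. It assumes the standard EK template that matches "-G rsa": an RSA-2048 EK with SHA-256 as the name algorithm and AES-128-CFB as the symmetric algorithm. The AK name (2-byte algorithm id 0x000B followed by a 32-byte digest, the same form passed to "-n" above), the EK key pair and the secret are all constructed in the example; the real EK and AK live in the device's TPM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// oaepLabel is the fixed OAEP label the TPM uses for credential seeds ("IDENTITY" + NUL).
var oaepLabel = []byte("IDENTITY\x00")

// kdfa is TPM 2.0 KDFa (SP800-108 counter mode with HMAC-SHA256):
// HMAC(key, [i]_4 || label || 0x00 || contextU || contextV || [bits]_4), i = 1, 2, ...
func kdfa(key []byte, label string, contextU, contextV []byte, bits int) []byte {
	var out []byte
	need := (bits + 7) / 8
	for i := uint32(1); len(out) < need; i++ {
		mac := hmac.New(sha256.New, key)
		binary.Write(mac, binary.BigEndian, i)
		mac.Write([]byte(label))
		mac.Write([]byte{0})
		mac.Write(contextU)
		mac.Write(contextV)
		binary.Write(mac, binary.BigEndian, uint32(bits))
		out = mac.Sum(out)
	}
	return out[:need]
}

// tpm2b prefixes a byte string with its 2-byte big-endian length (TPM2B_* marshaling).
func tpm2b(b []byte) []byte {
	out := make([]byte, 2+len(b))
	binary.BigEndian.PutUint16(out, uint16(len(b)))
	copy(out[2:], b)
	return out
}

// MakeCredential is the verifier side (what tpm2_makecredential does): wrap secret so that
// only the holder of the EK private key AND an object whose name is exactly akName can read it.
// It returns the TPM2B_ID_OBJECT blob and the OAEP-encrypted seed.
func MakeCredential(ekPub *rsa.PublicKey, akName, secret []byte) (idObject, encSeed []byte, err error) {
	seed := make([]byte, sha256.Size) // seed size = digest size of the EK name algorithm
	if _, err = rand.Read(seed); err != nil {
		return nil, nil, err
	}
	encSeed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, seed, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	// symKey is derived with the AK name as context, which is what binds the credential to it.
	symKey := kdfa(seed, "STORAGE", akName, nil, 128)
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, nil, err
	}
	plain := tpm2b(secret) // the credential is encrypted as a TPM2B_DIGEST
	encIdentity := make([]byte, len(plain))
	cipher.NewCFBEncrypter(block, make([]byte, aes.BlockSize)).XORKeyStream(encIdentity, plain)
	hmacKey := kdfa(seed, "INTEGRITY", nil, nil, sha256.Size*8)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(encIdentity)
	mac.Write(akName) // the name is also covered by the integrity HMAC
	return append(tpm2b(mac.Sum(nil)), encIdentity...), encSeed, nil
}

// ActivateCredential is the TPM side (TPM2_ActivateCredential): recover the seed with the EK
// private key, verify the HMAC over the encrypted credential and the name of the activating
// object, then decrypt the secret. A different name fails the integrity check.
func ActivateCredential(ekPriv *rsa.PrivateKey, akName, idObject, encSeed []byte) ([]byte, error) {
	seed, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ekPriv, encSeed, oaepLabel)
	if err != nil {
		return nil, err
	}
	if len(idObject) < 2 {
		return nil, errors.New("credential blob too short")
	}
	hmacLen := int(binary.BigEndian.Uint16(idObject))
	if len(idObject) < 2+hmacLen+2 {
		return nil, errors.New("credential blob truncated")
	}
	gotMAC, encIdentity := idObject[2:2+hmacLen], idObject[2+hmacLen:]
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, sha256.Size*8))
	mac.Write(encIdentity)
	mac.Write(akName)
	if !hmac.Equal(mac.Sum(nil), gotMAC) {
		return nil, errors.New("integrity check failed: credential is not bound to this name")
	}
	block, err := aes.NewCipher(kdfa(seed, "STORAGE", akName, nil, 128))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(encIdentity))
	cipher.NewCFBDecrypter(block, make([]byte, aes.BlockSize)).XORKeyStream(plain, encIdentity)
	n := int(binary.BigEndian.Uint16(plain))
	if 2+n > len(plain) {
		return nil, errors.New("decrypted credential has a bad length")
	}
	return plain[2 : 2+n], nil
}

func main() {
	ekPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed EK, stands in for the TPM's
	akName := append([]byte{0x00, 0x0b}, bytes.Repeat([]byte{0xaa}, 32)...) // constructed AK name
	blob, encSeed, _ := MakeCredential(&ekPriv.PublicKey, akName, []byte("12345")) // nonce
	got, err := ActivateCredential(ekPriv, akName, blob, encSeed)
	fmt.Printf("recovered nonce %q, err=%v\n", got, err)
}
```

The blob that MakeCredential returns corresponds to credential.out in the procedure above, and the device's reply (data.nonce) is the value ActivateCredential hands back. The important property for the check is that the AK name enters both the key derivation and the HMAC: a device that holds the EK but not an object with the name recorded in the Platform Certificate cannot produce the nonce, so a matching cmp result proves possession of both keys.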