This process uses the Endorsement Key's public key to verify that the TPM holds the attestation key, which is identified by the name in the Platform Certificate.
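# Extract public key from EK certificate and platform certificate
#
# Flow: EK public key + AK name -> tpm2_makecredential wraps a nonce so that
# only the TPM holding both the EK and the named AK can recover it; the device
# returns the recovered nonce and we compare it with the one we generated.
set -euo pipefail

# The API ticket must be supplied by the caller; fail early instead of sending
# an empty "ticket:" header.
: "${ticket:?ticket (API session ticket) must be set}"

# Extract public key from EK certificate
openssl x509 -pubkey -noout -in ek.crt > ek-public-key.pem

# Extract AK Name from Platform Certificate.
# The AK name lives in the private extension 1.3.6.1.4.1.42518.4.2.1.1.1.20;
# openssl prints its value on the line after the OID, so take that line,
# drop whitespace and strip the dump prefix.
ak_name=$(
  openssl x509 -noout -text -in device-platform-certificate.crt \
    | grep -A 1 '1.3.6.1.4.1.42518.4.2.1.1.1.20' \
    | tail -n 1 \
    | tr -d ' ' \
    | sed 's/^.D//'
)
if [[ -z "$ak_name" ]]; then
  printf 'error: AK name not found in device-platform-certificate.crt\n' >&2
  exit 1
fi

# Create a nonce (challenge).
# $RANDOM yields only 15 bits and is predictable, so draw the challenge from
# the CSPRNG instead. Keep it short: the TPM caps the credential at the size of
# the name-hash digest, and the file content (hex + newline) must fit.
openssl rand -hex 12 > nonce.txt

# Create TPM credential using nonce as secret (challenge)
tpm2_makecredential -Q \
  -T none \
  -u ek-public-key.pem \
  -s nonce.txt \
  -n "$ak_name" \
  -o credential.out \
  -G rsa

# credential conversion to base64 on a single line: some base64 builds wrap at
# 76 columns and the wrapped newlines would be sent verbatim in the POST body.
credential_base64=$(base64 < credential.out | tr -d '\n')

# EK/TPM challenge.
# NOTE: --insecure disables TLS certificate verification of the nodegrid host,
# so the ticket and credential are handed to whoever answers for that name;
# replace it with --cacert <ca-bundle-path> once the appliance CA is available.
# --fail turns HTTP error responses into a non-zero exit (caught by pipefail)
# instead of writing an error page into response.json.
curl -s --fail -X POST \
  "https://nodegrid/api/v1/system/platformcertificate/challenge" \
  --insecure \
  -H "Content-Type: text/plain" \
  -H 'accept: application/json' \
  -H "ticket: ${ticket}" \
  -d "$credential_base64" \
  | jq . > response.json

# check if replied nonce matches with nonce.txt; a mismatch means the device
# could not unwrap the credential, i.e. EK/AK binding is NOT proven.
jq -r .data.nonce response.json | base64 -d > device-nonce.txt
if cmp -s nonce.txt device-nonce.txt; then
  echo "EK was successfully challenged"
else
  printf 'error: device nonce does not match nonce.txt; EK challenge failed\n' >&2
  exit 1
fi
# expected output on success: EK was successfully challenged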