How to validate that TPM can use the private part of Attestation Key to sign
- 13 Dec 2024
These steps validate that the TPM controls the private counterpart of the public key present in the platform certificate and can use it to sign.
# Extract the public key from the platform certificate
openssl x509 -pubkey -noout -in device-platform-certificate.crt > ak-public-key.pem

# The nonce signed by the AK was already returned in the previous HTTP POST response (EK/TPM challenge)
# ak_signature is returned base64-encoded, so decode it first
jq -r .data.ak_signature response.json | base64 -d > signed_ak_nonce.sig

# Verify the signature with the AK public key
openssl dgst -sha256 -verify ak-public-key.pem -signature signed_ak_nonce.sig nonce.txt
# Expected output: Verified OK

# Destroy the NG API ticket
# Note: --insecure disables TLS certificate verification; drop it when the device certificate chains to a trusted CA
curl -s -X DELETE \
  https://nodegrid/api/v1/Session \
  --insecure \
  -H 'Content-Type: application/json' \
  -H 'accept: application/json' \
  -H "ticket: ${ticket}"
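The verification steps above can be wrapped so that every failure is a rejection rather than a silently skipped check. This is an added example, not code from the Nodegrid documentation: the function names are hypothetical, and the fixture uses a throwaway software key in place of the TPM's AK so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not vendor code; function names are hypothetical.
# verify_ak_signature CERT NONCE_FILE SIG_B64
#   SIG_B64 is the value printed by: jq -r .data.ak_signature response.json
# Returns 0 = verified, 1 = signature mismatch, 2 = unusable input.
verify_ak_signature() {
    local cert="$1" nonce="$2" sig_b64="$3" tmp rc=0
    # jq -r prints the literal string "null" when the field is absent.
    if [ -z "$sig_b64" ] || [ "$sig_b64" = "null" ]; then
        echo "ak_signature missing from response" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    # Same three steps as above, each one checked so a failure rejects.
    openssl x509 -pubkey -noout -in "$cert" > "$tmp/ak.pem" 2>/dev/null || rc=2
    if [ "$rc" -eq 0 ]; then
        printf '%s' "$sig_b64" | base64 -d > "$tmp/sig" 2>/dev/null || rc=2
    fi
    if [ "$rc" -eq 0 ]; then
        # The nonce file must hold exactly the signed bytes (no extra newline).
        openssl dgst -sha256 -verify "$tmp/ak.pem" -signature "$tmp/sig" \
            "$nonce" >/dev/null 2>&1 || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed fixture: a throwaway software key stands in for the TPM's AK.
# Writes cert.crt, nonce.txt and nonce_nl.txt into DIR, prints the base64 signature.
make_constructed_fixture() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ak.key" \
        -out "$d/cert.crt" -subj "/CN=constructed-ak" -days 1 2>/dev/null || return 2
    printf 'constructed-nonce' > "$d/nonce.txt"
    printf 'constructed-nonce\n' > "$d/nonce_nl.txt"   # same nonce plus newline
    openssl dgst -sha256 -sign "$d/ak.key" "$d/nonce.txt" | base64 | tr -d '\n'
}

# Run with --demo to exercise the helper on the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    sig=$(make_constructed_fixture "$d")
    verify_ak_signature "$d/cert.crt" "$d/nonce.txt" "$sig" && echo "exact nonce: verified"
    verify_ak_signature "$d/cert.crt" "$d/nonce_nl.txt" "$sig" || echo "nonce + newline: rejected"
    rm -rf "$d"
fi
```

A nonce saved with a trailing newline (for example by `echo` instead of `printf '%s'`) fails verification even when the TPM signed correctly, so compare the file's byte length with the nonce that was sent before treating a mismatch as an attestation failure.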