I think I've made some progress here. I think the signature is over a digest of the entire attestation structure. Here's an example of certifying a primary key under the endorsement hierarchy. I think this could do with a little polish, but I think it's a useful example. The eventual aim is to use this as part of the SKAE Extension in X.509 certificates.

tpm2_createprimary -Q -C e -g sha256 -G rsa -c primary.ctx
tpm2_create -Q -g sha256 -G rsa -u certify.pub -r certify.priv -C primary.ctx

# Generate a PEM file suitable for use with OpenSSL containing the public key used to certify the primary key.
tpm2_readpublic -Q -c certify.ctx -f pem -o certify.pem
tpm2_certify -Q -c primary.ctx -C certify.ctx -g sha256 -o attest.out -s sig.out # We're only interested in the raw SHA-256 signature, not the TPMT_SIGNATURE's TPMI_ALG_SIG_SCHEME, so extract the raw signature from the last 256 bytes. tail -c 256 sig.out > sig.out.raw # Verify the signature across a SHA-256 digest of the TPM2B_ATTEST structure using OpenSSL. $ openssl dgst -verify certify.pem -keyform pem -sha256 -signature sig.out.raw attest.out Verified OK

On Tue, 10 Mar 2020 at 16:56, Roberts, William C <william.c.roberts@intel.com> wrote:
Imran could you weigh in on this?


> -----Original Message-----
> From: andrew.featherstone@gmail.com
> [mailto:andrew.featherstone@gmail.com]
> Sent: Saturday, March 7, 2020 7:12 AM
> To: tpm2@lists.01.org
> Subject: [tpm2] tpm2_certify signature verification
> Hi there,
> I'm trying to use the output of tpm2_certify to construt the Subject Key
> Attestation Evidence Extension (SKAE Extension)[1] for a X.509 Certificate
> Request. I've followed the example at https://github.com/tpm2-software/tpm2-
> tools/blob/master/man/tpm2_certify.1.md , but I'm struggling to work out how
> to use the tpm2-tools to check the signature over the attestation structure.
> Looking at https://github.com/tpm2-software/tpm2-
> tools/blob/master/man/tpm2_verifysignature.1.md I expected to perform
> something like the following (unfortunately I'm not able to retrieve the complete
> command history right now):
> tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx tpm2_load -C primary.ctx
> -u rsa.pub -r rsa.priv -c rsa.ctx tpm2_certify -c rsa.ctx -C certify.ctx -g sha256 -o
> attest.out -s sig.out tpm2_verifysignature -c rsa.ctx -g sha256 -m attest.out -s
> sig.out
> WARNING:esys:../tpm2-tss-2.3.2/src/tss2-
> esys/api/Esys_VerifySignature.c:302:Esys_VerifySignature_Finish() Received
> TPM Error
> ERROR:esys:../tpm2-tss-2.3.2/src/tss2-
> esys/api/Esys_VerifySignature.c:103:Esys_VerifySignature() Esys Finish ErrorCode
> (0x000002db)
> ERROR: Esys_VerifySignature(0x2DB) - tpm:parameter(2):the signature is not
> valid
> ERROR: Verify signature failed!
> ERROR: Unable to run tpm2_verifysignature
> Is anyone able to post a complete example to show how the output of
> tpm2_certify is verified, based on the attestation key used?
> [1] https://trustedcomputinggroup.org/wp-
> content/uploads/IWG_SKAE_Extension_1-00.pdf
> _______________________________________________
> tpm2 mailing list -- tpm2@lists.01.org
> To unsubscribe send an email to tpm2-leave@lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s