Debian buster + PICO-APL3 with TPM (Infineon OPTIGA SLB 9665)
$ apt install tpm2-tools
$ dmesg |grep tpm
[15.692814] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
$ tpm2_nvlist
0x1c00002:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1177
0x1c0000a:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 781
$ tpm2_nvread -x 0x1c00002 -a 0x40000001 -o 0 > /tmp/0x1c00002.der
$ openssl x509 --inform der -noout -text -in /tmp/0x1c00002.der
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 99999999999 (0xfffffffff)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) RSA Manufacturing CA 011
Validity
Not Before: Aug 26 22:32:52 2016 GMT
Not After : Aug 26 22:32:52 2031 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://pki.infineon.com/OptigaRsaMfrCA011/OptigaRsaMfrCA011.crt
X509v3 Key Usage: critical
Key Encipherment
X509v3 Subject Alternative Name: critical
DirName:/2.23.133.2.1=id:00000000/2.23.133.2.2=SLB 9665/2.23.133.2.3=id:0000
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.infineon.com/OptigaRsaMfrCA011/OptigaRsaMfrCA011.crl
X509v3 Certificate Policies:
Policy: 1.2.276.0.68.1.20.1
X509v3 Authority Key Identifier:
keyid:5C:29:20:74:21:79:BC:70:4D:B1:D8:C5:4C:34:CA:94:40:56:17:CA
X509v3 Extended Key Usage:
2.23.133.8.1
X509v3 Subject Directory Attributes:
0...2.0.....t 0.0...g....1
Signature Algorithm: sha256WithRSAEncryption
$ tpm2_nvread -x 0x1c0000a -a 0x40000001 -o 0 > /tmp/0x1c0000a.der
$ openssl x509 --inform der -noout -text -in /tmp/0x1c0000a.der
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 00000000 (0xfffffff)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) TPM2.0, CN = Infineon OPTIGA(TM) ECC Manufacturing CA 011
Validity
Not Before: Aug 26 22:32:39 2016 GMT
Not After : Aug 26 22:32:39 2031 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:e1:b7:a3:a4:6f:95:c6:2b:1f:47:fc:1f:bf:22:
9c:cc:40:7c:8d:08:d6:3f:6e:f8:d7:1a:a1:0e:de:
50:a8:c6:3f:e0:0c:c0:2e:47:fb:c6:d1:5a:a8:8c:
14:c4:f7:16:73:7e:76:f0:04:19:ad:8b:97:5f:21:
10:2c:39:16:f7
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://pki.infineon.com/OptigaEccMfrCA011/OptigaEccMfrCA011.crt
X509v3 Key Usage: critical
Key Agreement
X509v3 Subject Alternative Name: critical
DirName:/2.23.133.2.1=id:00000000/2.23.133.2.2=SLB 9665/2.23.133.2.3=id:0000
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.infineon.com/OptigaEccMfrCA011/OptigaEccMfrCA011.crl
X509v3 Certificate Policies:
Policy: 1.2.276.0.68.1.20.1
X509v3 Authority Key Identifier:
keyid:91:77:3C:B8:68:24:E1:C1:95:49:ED:8A:C1:33:DC:C6:A7:36:9B:85
X509v3 Extended Key Usage:
2.23.133.8.1
X509v3 Subject Directory Attributes:
0...2.0.....t 0.0...g....1
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:40:b1:84:6d:4a:f1:da:02:51:5f:7f:22:a5:2d:
64:fd:69:cd:3e:c2:e5:6c:10:b8:91:61:21:67:f4:7c:2d:52:
02:21:00:99:53:f0:4c:09:32:ea:04:18:1f:f2:08:61:65:87:
12:62:67:fd:55:20:a5:d4:f3:e5:65:41:36:a2:5c:ae:35
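
Added example (not part of the original notes and not tpm2-tools code): a Python check that parses the tpm2_nvlist listing above, identifies the EK certificate indices, and lists any write attribute other than platform write. It also shows that the attribute value printed above, 0x1200762, decodes to the printed friendly names only after a 32-bit byte swap (0x62072001). The bit positions and the index-to-certificate mapping come from the TCG specifications, not from this page; parse_nvlist, names_for and audit are names chosen for this example.

```python
import re
# TPMA_NV bits (TPM 2.0 spec, Part 2); names not on this page assume lowercased spec names.
TPMA_NV = {"ppwrite": 0, "ownerwrite": 1, "authwrite": 2, "policywrite": 3,
           "policy_delete": 10, "writelocked": 11, "writeall": 12, "writedefine": 13,
           "write_stclear": 14, "globallock": 15, "ppread": 16, "ownerread": 17,
           "authread": 18, "policyread": 19, "no_da": 25, "orderly": 26, "clear_stclear": 27,
           "readlocked": 28, "written": 29, "platformcreate": 30, "read_stclear": 31}
EK_CERT = {0x01C00002: "RSA 2048 EK cert", 0x01C0000A: "ECC P-256 EK cert"}  # TCG EK Credential Profile
NON_PLATFORM_WRITE = {"ownerwrite", "authwrite", "policywrite"}
# Both entries of the tpm2_nvlist listing on this page; they differ only in index and size.
_ENTRY = """{}:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
value: 0x1200762
size: {}
"""
SAMPLE = _ENTRY.format("0x1c00002", 1177) + _ENTRY.format("0x1c0000a", 781)

def parse_nvlist(text):
    """Parse tpm2_nvlist output (indented or flattened) into {index: {field: value}}."""
    out, cur, section = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"0x[0-9a-fA-F]+:", line):
            cur = out.setdefault(int(line[:-1], 16), {})
        elif cur is not None and line.endswith(":"):
            section = line[:-1] + "."  # "hash algorithm." or "attributes."
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            cur[key if key == "size" else section + key] = val
    return out

def names_for(value):
    return {name for name, bit in TPMA_NV.items() if value >> bit & 1}

def audit(text):  # -> {index: (kind, byte order matching 'friendly', non-platform writers)}
    rows = {}
    for index, f in parse_nvlist(text).items():
        printed = int(f["attributes.value"], 16)
        swapped = int.from_bytes(printed.to_bytes(4, "little"), "big")
        friendly = set(f["attributes.friendly"].split("|"))
        order = ("as-printed" if names_for(printed) == friendly else
                 "byte-swapped" if names_for(swapped) == friendly else "mismatch")
        rows[index] = (EK_CERT.get(index, "other"), order, sorted(friendly & NON_PLATFORM_WRITE))
    return rows

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An index that reports "mismatch", or a non-empty writer list on an EK certificate index, is worth a closer look before the certificate read from it is trusted.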