Windowsserverdocs: Bad TPM OEM certs

Created on 27 May 2020 · 5 comments · Source: MicrosoftDocs/windowsserverdocs

Thanks for providing a CAB file with all of the TPM root CAs and OEM intermediate certs. Unfortunately the intermediate files for ST Micro seem to be corrupted? OpenSSL won't process them:

% openssl x509 -inform DER -in "STM TPM EK Intermediate CA 05.crt"
unable to load certificate
140010300105152:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140010300105152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=serialNumber, Type=X509_CINF
140010300105152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509

asn1parse reports that the serial number is a _BAD INTEGER_:

% openssl asn1parse -inform DER -in "STM TPM EK Intermediate CA 05.crt"
    0:d=0  hl=4 l= 972 cons: SEQUENCE          
    4:d=1  hl=4 l= 692 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   4 prim: INTEGER           :BAD INTEGER:[00000006]
   19:d=2  hl=2 l=  13 cons: SEQUENCE          
   21:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   32:d=3  hl=2 l=   0 prim: NULL              
   34:d=2  hl=2 l=  74 cons: SEQUENCE          
   36:d=3  hl=2 l=  11 cons: SET               
   38:d=4  hl=2 l=   9 cons: SEQUENCE          
   40:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   45:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CH
   49:d=3  hl=2 l=  30 cons: SET               
   51:d=4  hl=2 l=  28 cons: SEQUENCE          
   53:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   58:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :STMicroelectronics NV
...

The original version of that cert, downloaded from GlobalSign (which is linked from STM's TPM EK datasheet), parses fine:

% openssl x509 -inform DER -in stmtpmekint05.crt  -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1073741830 (0x40000006)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Root CA
        Validity
            Not Before: Oct 10 00:00:00 2015 GMT
            Not After : Dec 31 00:00:00 2035 GMT
        Subject: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Intermediate CA 05
...
% openssl asn1parse -inform DER -in stmtpmekint05.crt 
    0:d=0  hl=4 l= 972 cons: SEQUENCE          
    4:d=1  hl=4 l= 692 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   4 prim: INTEGER           :40000006
   19:d=2  hl=2 l=  13 cons: SEQUENCE          
   21:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   32:d=3  hl=2 l=   0 prim: NULL              
   34:d=2  hl=2 l=  74 cons: SEQUENCE          
   36:d=3  hl=2 l=  11 cons: SET               
   38:d=4  hl=2 l=   9 cons: SEQUENCE          
   40:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   45:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CH
   49:d=3  hl=2 l=  30 cons: SET               
   51:d=4  hl=2 l=  28 cons: SEQUENCE          
   53:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   58:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :STMicroelectronics NV
...
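For readers who want to reproduce the check OpenSSL is applying here without the CAB in hand, the following is an added example, not code from the issue, from Microsoft, STMicroelectronics or OpenSSL: a small DER walker that flags INTEGER values encoded with redundant leading octets, which X.690 8.3.2 forbids and which OpenSSL's c2i_ibuf reports as "illegal padding". The two serial-number encodings are constructed inline to mirror the asn1parse output above (00000006 for the CAB copy, 40000006 for the GlobalSign copy); the surrounding structure is a minimal TBSCertificate-like stand-in built by the example itself, not the real certificate bytes, and the function and constant names are the example's own.

```python
"""Flag DER INTEGERs with redundant leading octets (X.690 8.3.2).

Added example, not code from the issue, from Microsoft, STMicroelectronics
or OpenSSL. OpenSSL's c2i_ibuf rejects exactly this with 'illegal padding'.
"""
from typing import Iterator, List, Optional, Tuple


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with a definite, minimal length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def canonical_integer(value: int) -> bytes:
    """DER content octets for a non-negative INTEGER: shortest two's complement."""
    if value < 0:
        raise ValueError("only non-negative serials are handled here")
    out = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if out[0] & 0x80:  # a leading 0x00 is allowed only to keep the sign bit clear
        out = b"\x00" + out
    return out


def integer_encoding_error(content: bytes) -> Optional[str]:
    """Return why INTEGER content octets are not DER, or None if they are.

    X.690 8.3.2: the first nine bits must not be all zeros or all ones, i.e.
    no 0x00 before a byte < 0x80 and no 0xFF before a byte >= 0x80.
    """
    if not content:
        return "empty INTEGER"
    if len(content) >= 2:
        first9 = (content[0] << 1) | (content[1] >> 7)
        if first9 == 0:
            return "illegal padding (redundant leading 0x00)"
        if first9 == 0x1FF:
            return "illegal padding (redundant leading 0xFF)"
    return None


def walk(blob: bytes, base: int = 0, depth: int = 0) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, depth, tag, content) per TLV, descending into constructed ones.

    Single-byte tags and lengths of up to 4 octets only; that covers X.509 certificates.
    """
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated header at offset {base + i}")
        tag = blob[i]
        if tag & 0x1F == 0x1F:
            raise ValueError(f"multi-byte tag at offset {base + i} not supported")
        length, hl = blob[i + 1], 2
        if length & 0x80:
            nbytes = length & 0x7F
            if nbytes == 0 or nbytes > 4:
                raise ValueError(f"unsupported length form at offset {base + i}")
            length = int.from_bytes(blob[i + 2:i + 2 + nbytes], "big")
            hl = 2 + nbytes
        content = blob[i + hl:i + hl + length]
        if len(content) != length:
            raise ValueError(f"truncated content at offset {base + i}")
        yield base + i, depth, tag, content
        if tag & 0x20:  # constructed: recurse with the absolute offset of the content
            yield from walk(content, base + i + hl, depth + 1)
        i += hl + length


def find_bad_integers(blob: bytes) -> List[Tuple[int, str, str]]:
    """(offset, hex content, reason) for every INTEGER that is not DER-minimal."""
    bad = []
    for off, _depth, tag, content in walk(blob):
        if tag == 0x02:
            err = integer_encoding_error(content)
            if err:
                bad.append((off, content.hex(), err))
    return bad


def build_tbs_like(serial: bytes) -> bytes:
    """Constructed stand-in: SEQUENCE { SEQUENCE { [0] v3, serial, sigAlg } }.

    Not the real STM certificate bytes; just enough structure to put the serial
    where asn1parse shows it (second element of tbsCertificate).
    """
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] EXPLICIT INTEGER 2 (v3)
    sha256_rsa = bytes.fromhex("2A864886F70D01010B")  # OID 1.2.840.113549.1.1.11
    sig_alg = der_tlv(0x30, der_tlv(0x06, sha256_rsa) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, version + der_tlv(0x02, serial) + sig_alg)
    return der_tlv(0x30, tbs)


# The two serial encodings from the asn1parse output in the issue (constructed here, not read from the CAB).
CAB_SERIAL = bytes.fromhex("00000006")         # CAB copy: 0x06 padded out to four octets
GLOBALSIGN_SERIAL = bytes.fromhex("40000006")  # GlobalSign copy: 0x40000006, already minimal

if __name__ == "__main__":
    for name, serial in (("CAB copy", CAB_SERIAL), ("GlobalSign copy", GLOBALSIGN_SERIAL)):
        problems = find_bad_integers(build_tbs_like(serial))
        print(f"{name}: {'OK' if not problems else problems}")
```

Two points worth keeping in mind when you hit this on a real EK chain. The serial number sits inside the signed tbsCertificate, so re-encoding it minimally (as canonical_integer would) changes the signed bytes and breaks the CA signature; the only clean fix is the one the thread describes, a reissued certificate with a conformant serial. And because some parsers are lenient about this while OpenSSL is strict, the same intermediate can validate in one attestation stack and fail in another, so running a check like this over a vendor's cert bundle before deploying it is cheap insurance.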


All 5 comments

Disclaimer: I am not affiliated with Microsoft or the Microsoft Docs teams.

Thank you for this practical and (hopefully) useful feedback.
Please be patient, it may be a while before the team or the author will have time to post their replies.
Stay safe and well.

We're currently looking into this issue, please give us a couple of weeks to resolve this. Appreciate your patience!

Thank you for the update. Happy to see that there is still hope for this to be resolved.

According to this tweet by @ronaig:

Non-conformant intermediate certs have been reissued with updated serial # and can be downloaded from STM website. Old certs are in TrustedTPM cab to support TPMs that reference older intermediate certs.

Will the TrustedTPM.cab be updated to contain the new certs?

Yes, we will update the TrustedTPM.cab but can't state the exact date/time.
