Thanks for providing a CAB file with all of the TPM root CAs and OEM intermediate certs. Unfortunately the intermediate files for ST Micro seem to be corrupted? OpenSSL won't process them:
% openssl x509 -inform DER -in "STM TPM EK Intermediate CA 05.crt"
unable to load certificate
140010300105152:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140010300105152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=serialNumber, Type=X509_CINF
140010300105152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
asn1parse reports that the serial number is a _BAD INTEGER_:
% openssl asn1parse -inform DER -in "STM TPM EK Intermediate CA 05.crt"
0:d=0 hl=4 l= 972 cons: SEQUENCE
4:d=1 hl=4 l= 692 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 4 prim: INTEGER :BAD INTEGER:[00000006]
19:d=2 hl=2 l= 13 cons: SEQUENCE
21:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
32:d=3 hl=2 l= 0 prim: NULL
34:d=2 hl=2 l= 74 cons: SEQUENCE
36:d=3 hl=2 l= 11 cons: SET
38:d=4 hl=2 l= 9 cons: SEQUENCE
40:d=5 hl=2 l= 3 prim: OBJECT :countryName
45:d=5 hl=2 l= 2 prim: PRINTABLESTRING :CH
49:d=3 hl=2 l= 30 cons: SET
51:d=4 hl=2 l= 28 cons: SEQUENCE
53:d=5 hl=2 l= 3 prim: OBJECT :organizationName
58:d=5 hl=2 l= 21 prim: PRINTABLESTRING :STMicroelectronics NV
...
The original version of that cert, downloaded from GlobalSign (which is linked from STM's TPM EK datasheet), parses fine:
% openssl x509 -inform DER -in stmtpmekint05.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1073741830 (0x40000006)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Root CA
Validity
Not Before: Oct 10 00:00:00 2015 GMT
Not After : Dec 31 00:00:00 2035 GMT
Subject: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Intermediate CA 05
...
% openssl asn1parse -inform DER -in stmtpmekint05.crt
0:d=0 hl=4 l= 972 cons: SEQUENCE
4:d=1 hl=4 l= 692 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 4 prim: INTEGER :40000006
19:d=2 hl=2 l= 13 cons: SEQUENCE
21:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
32:d=3 hl=2 l= 0 prim: NULL
34:d=2 hl=2 l= 74 cons: SEQUENCE
36:d=3 hl=2 l= 11 cons: SET
38:d=4 hl=2 l= 9 cons: SEQUENCE
40:d=5 hl=2 l= 3 prim: OBJECT :countryName
45:d=5 hl=2 l= 2 prim: PRINTABLESTRING :CH
49:d=3 hl=2 l= 30 cons: SET
51:d=4 hl=2 l= 28 cons: SEQUENCE
53:d=5 hl=2 l= 3 prim: OBJECT :organizationName
58:d=5 hl=2 l= 21 prim: PRINTABLESTRING :STMicroelectronics NV
...
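The failure above is the DER minimal-encoding rule for INTEGER (X.690 8.3.2): a content octet string may not start with 0x00 unless the next octet has its top bit set (and may not start with 0xFF unless the next octet has its top bit clear). The CAB copy carries serial content octets 00 00 00 06, which OpenSSL's c2i_ibuf rejects as "illegal padding" and asn1parse prints as BAD INTEGER; the GlobalSign copy carries 40 00 00 06, which is minimal. The following check is added here as an example and is not code from the issue author, Microsoft, STMicroelectronics or OpenSSL. It walks a DER Certificate to the serialNumber field and applies the same rule; the two certificate fragments it runs on are constructed to mirror the asn1parse output quoted in the post, not real STM certificates, and only contain the fields the walk needs.

```python
"""Check whether a DER certificate's serialNumber is a valid (minimal) DER INTEGER.

Added example for this thread, not code from the issue author, Microsoft or OpenSSL.
The certificate fragments built by build_fragment() are constructed test data.
"""


def read_tlv(buf, off):
    """Parse one BER/DER tag-length-value at buf[off].

    Returns (tag, content_start, content_end). Handles short-form and
    long-form (up to 4 byte) lengths, which covers asn1parse's hl=2 and hl=4.
    """
    tag = buf[off]
    first = buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    end = off + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, off, end


def integer_padding_error(content):
    """Return None if content is a DER-minimal INTEGER, else a description.

    This is the X.690 8.3.2 rule that OpenSSL enforces when it reports
    'illegal padding' in c2i_ibuf.
    """
    if len(content) == 0:
        return "empty INTEGER"
    if len(content) >= 2:
        if content[0] == 0x00 and not (content[1] & 0x80):
            return "leading 0x00 followed by octet with top bit clear (non-minimal)"
        if content[0] == 0xFF and (content[1] & 0x80):
            return "leading 0xFF followed by octet with top bit set (non-minimal)"
    return None


def certificate_serial(cert):
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber.

    Returns (raw serial content octets, padding error or None).
    """
    tag, start, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs_start, _ = read_tlv(cert, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, s, e = read_tlv(cert, tbs_start)
    if tag == 0xA0:  # explicit [0] version present (v3 certs), skip it
        tag, s, e = read_tlv(cert, e)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    content = cert[s:e]
    return content, integer_padding_error(content)


def der_integer(value):
    """Minimal DER encoding (tag + length + content) of a non-negative integer."""
    n = max(1, (value.bit_length() + 7) // 8)
    b = value.to_bytes(n, "big")
    if b[0] & 0x80:  # would read as negative, so one 0x00 pad octet is required
        b = b"\x00" + b
    return bytes([0x02, len(b)]) + b


def build_fragment(serial_content):
    """Constructed Certificate prefix: SEQUENCE { SEQUENCE { [0]{INTEGER 2}, INTEGER serial } }.

    Only the fields certificate_serial() walks are present; this is not a
    complete X.509 certificate and carries no signature or names.
    """
    version = bytes.fromhex("a003020102")
    serial = bytes([0x02, len(serial_content)]) + serial_content
    tbs = bytes([0x30, len(version) + len(serial)]) + version + serial
    return bytes([0x30, len(tbs)]) + tbs


# Serial content octets exactly as asn1parse printed them in the thread.
CAB_SERIAL = bytes.fromhex("00000006")       # BAD INTEGER: illegal padding
REISSUED_SERIAL = bytes.fromhex("40000006")  # parses as 0x40000006


if __name__ == "__main__":
    for name, content in (("TrustedTPM.cab copy", CAB_SERIAL), ("GlobalSign copy", REISSUED_SERIAL)):
        raw, err = certificate_serial(build_fragment(content))
        print(f"{name}: serial octets {raw.hex()} -> {err or 'valid DER INTEGER'}")
    print("minimal encoding of 6 would be", der_integer(6).hex())
```

To run the same check on the real files, replace build_fragment(...) with the bytes of the .crt read from disk; certificate_serial() only needs the first few TLVs, so the rest of the certificate is left untouched.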
Disclaimer: I am not affiliated with Microsoft or the Microsoft Docs teams.
Thank you for this practical and (hopefully) useful feedback.
Please be patient, it may be a while before the team or the author will have time to post their replies.
Stay safe and well.
We're currently looking into this issue; please give us a couple of weeks to resolve this. Appreciate your patience!
Thank you for the update. Happy to see that there is still hope for this to be resolved.
According to this tweet by @ronaig:
Non-conformant intermediate certs have been reissued with updated serial # and can be downloaded from STM website. Old certs are in TrustedTPM cab to support TPMs that reference older intermediate certs.
Will the TrustedTPM.cab be updated to contain the new certs?
Yes, we will update the TrustedTPM.cab but can't state the exact date/time.