#tls #tpm #rustls #tonic #signer

bin+lib rustls-tpm-signer

A package that allows using a TPM as a custom signer in rustls and tonic

1 unstable release

0.1.0 Sep 23, 2025

#2035 in Cryptography


66 downloads per month

MIT license

45KB
955 lines

Rustls TPM Signer: TPM 2.0 bridge for rustls

This crate allows you to use a TPM persistent key together with rustls for client and server authentication in TLS (mTLS). Instead of keeping the private key in an external file, you call the TPM to perform the necessary crypto operations during the TLS handshake. This library has been developed with the TPM SLB9672 in mind.

Supported hashes: SHA-256, SHA-384

Supported signature algorithms: RSA-PKCS1, RSA-PSS, ECDSA

Based on the code in rustls-cng, using rust-tss-esapi for TPM-related key management.

Usage

The central struct to use is TpmSigningKey, which can be used in rustls from your custom ResolvesServerCert or ResolvesClientCert implementation. See the rustls documentation for more information about custom private key usage in rustls.
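The two decisions a TPM-backed rustls signing key has to make are which TLS signature scheme to negotiate for the key kind the persistent handle holds, and which hash and signing scheme to then ask the TPM for. The following is an added example written for this page, not code from rustls-tpm-signer; its enums are simplified stand-ins for rustls::SignatureScheme and the tss-esapi algorithm types, so it runs without either crate, and it covers only the hashes and algorithms listed above.

```rust
// Added example (not rustls-tpm-signer's code): scheme negotiation in the
// style of rustls's `SigningKey::choose_scheme`, plus the mapping from the
// chosen TLS scheme to the hash and signing scheme the TPM is asked for.
// The enums below are stand-ins for rustls/tss-esapi types (assumption).

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SignatureScheme {
    RsaPkcs1Sha256, RsaPkcs1Sha384, RsaPssSha256, RsaPssSha384,
    EcdsaNistp256Sha256, EcdsaNistp384Sha384,
    Ed25519, // peers may offer it; none of the supported TPM keys can sign it
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum HashAlg { Sha256, Sha384 }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TpmSignScheme { RsaSsa, RsaPss, Ecdsa }

/// What the persistent handle holds (only the key kinds the README supports).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TpmKeyKind { Rsa, EccP256, EccP384 }

/// Schemes each key kind can produce, in our preference order. RSA prefers
/// PSS over PKCS#1 v1.5 (the order rustls's own RSA key uses); an ECDSA key
/// is bound to one curve and therefore to one hash, which the TPM enforces.
fn supported(kind: TpmKeyKind) -> &'static [SignatureScheme] {
    use SignatureScheme::*;
    match kind {
        TpmKeyKind::Rsa => &[RsaPssSha384, RsaPssSha256, RsaPkcs1Sha384, RsaPkcs1Sha256],
        TpmKeyKind::EccP256 => &[EcdsaNistp256Sha256],
        TpmKeyKind::EccP384 => &[EcdsaNistp384Sha384],
    }
}

/// Return the first scheme we support that the peer also offered, or None
/// (in rustls, None makes the handshake fail instead of signing wrongly).
pub fn choose_scheme(kind: TpmKeyKind, offered: &[SignatureScheme]) -> Option<SignatureScheme> {
    supported(kind).iter().copied().find(|s| offered.contains(s))
}

/// Translate the negotiated TLS scheme into the (hash, scheme) pair handed
/// to the TPM; the digest itself is computed on the host before signing.
pub fn tpm_params(scheme: SignatureScheme) -> Option<(HashAlg, TpmSignScheme)> {
    use SignatureScheme::*;
    match scheme {
        RsaPkcs1Sha256 => Some((HashAlg::Sha256, TpmSignScheme::RsaSsa)),
        RsaPkcs1Sha384 => Some((HashAlg::Sha384, TpmSignScheme::RsaSsa)),
        RsaPssSha256 => Some((HashAlg::Sha256, TpmSignScheme::RsaPss)),
        RsaPssSha384 => Some((HashAlg::Sha384, TpmSignScheme::RsaPss)),
        EcdsaNistp256Sha256 => Some((HashAlg::Sha256, TpmSignScheme::Ecdsa)),
        EcdsaNistp384Sha384 => Some((HashAlg::Sha384, TpmSignScheme::Ecdsa)),
        Ed25519 => None, // never returned by choose_scheme
    }
}
```

A mismatch between the curve of the key at the persistent handle and the scheme the peer offers surfaces here as None, which is the check to make before blaming the TPM for a failed handshake.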

Importing key to TPM

To run the examples, you can use the certificates, keys and CAs in the data folder. For the client, you must import the key into the TPM. Note that this should not be done in production, as it is much more secure to generate the private key inside the TPM. The steps to import are:

tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
tpm2_import -C parent.ctx -G ecc -i client.key -u client.pub -r client.priv
tpm2_load -C parent.ctx -u client.pub -r client.priv -c client.ctx
tpm2_evictcontrol -C o -c client.ctx 0x81010004

Here a TPM primary key is generated to serve as the parent for the import; the imported key is then loaded and made persistent in the TPM. You can choose any free persistent handle of the TPM; list the ones in use with tpm2_getcap handles-persistent.

Examples

This crate contains several examples, for both a normal TLS connection between client and server, as well as an mTLS connection using rustls and tonic Channels:

TLS

For the server, the TPM key handle is expected in the persistent-handle form 0x810100x:

cargo run --bin server <path-to-server-cert> <TPM-key-handle> <port>

For example, using the provided certificates and keys:

cargo run --bin server data/client.crt <TPM-key-handle> 8000

For the client:

cargo run --bin client <server-uri> <root-ca-for-server-cert> <port>

For example, using the provided certificates and keys:

cargo run --bin client 127.0.0.1 data/rootCA.crt <port>

TONIC Channel

On the server side this example uses the tonic::transport::ServerTlsConfig that Tonic provides, since the server does not need the custom TPM signer. On the client side, a tonic::transport::Channel is configured with the custom rustls signer.

For the server, using the provided certificates and keys:

cargo run --bin tonic-server data/server.crt data/server.key data/rootCA.crt <port>

For the client, using the provided certificates and keys:

cargo run --bin tonic-client data/rootCA.crt <port> data/client.crt <TPM-key-handle>

Running the tests

You can run the tests with cargo test. Note that the tests require the TPM key from the data folder to have been imported first, at handle 0x81010004.

Dependencies

~21–35MB
~645K SLoC