
using STPM4RasPI / STSAFE private key for Python MQTT mTLS client on Raspberry Pi

PranavSangar
Associate
I hope you are well. I am working at C-DAC Bangalore, and I need guidance on using an ST-SAFE (STPM4RasPI) secure element / TPM module with a Python-based MQTT mTLS client on a Raspberry Pi.

A short summary of our setup and goal:

  • MQTT broker is already configured for mutual TLS (mTLS).
  • Client device: Raspberry Pi.
  • Goal: build a Python-based MQTT client that uses the private key stored inside the ST TPM/STSAFE module during the TLS handshake (so the private key never leaves the secure element).

Specifically, we would like to know:

  1. Supported approaches / APIs: Which approaches or libraries do you recommend to make a Python TLS client use the TPM-held private key? (For example: ST library/SDK, or other middleware.)
  2. Python ecosystem support: Are there recommended Python libraries or examples for MQTT clients (e.g., paho-mqtt or other clients) that can be configured to use a TPM-backed key for TLS?

We would greatly appreciate sample code snippets or a short how-to showing a Python MQTT client using a TPM-backed key during TLS.
Benjamin BARATTE
ST Employee

Hi @PranavSangar,

Thanks for your interest in the STSAFE-TPM solution.

One point to highlight is that the STSAFE-TPM implements the TPM 2.0 specification from the TCG. Therefore, STSAFE-TPM is compatible with the TPM 2.0 API.

That being said, to use a TPM in a Linux environment you will use several layers to achieve your goal. In your context, the MQTT client relies on a crypto library like OpenSSL.

In that case, you can check how to configure an OpenSSL provider to use the TPM (https://github.com/tpm2-software/tpm2-openssl).

To use the OpenSSL provider, you can configure it with openssl.cnf in the context of your MQTT client. In that case, the cryptography will be managed by the TPM provider.

Unfortunately, I don't have a code snippet to provide you.

I have seen that paho-mqtt is using OpenSSL. This could be an interesting setup to explore.

Best Regards,

Benjamin

Hello,

Thank you for the suggestion.

I have already configured OpenSSL to use the TPM2 provider via openssl.cnf, so that cryptographic operations are handled by the TPM provider.

Below is the openssl.cnf file currently in use:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
tpm2 = tpm2_sect

[default_sect]
activate = 1

[tpm2_sect]
module = /usr/local/lib/ossl-modules/tpm2.so
activate = 1

[algorithm_sect]

With this configuration:

  • OpenSSL successfully loads the tpm2 provider

  • Key operations work correctly when using TPM context files

However, the issue I am facing is specifically with using a TPM persistent handle (for example 0x81010001) in my MQTT client configuration.

When I try to reference the persistent handle (e.g. -key handle:0x81010001 or equivalent in the MQTT client), OpenSSL is not able to use the key, even though:

  • The handle exists in the TPM (tpm2_getcap handles-persistent)

  • The same key works when referenced via a context file

So the problem is not provider loading, but persistent handle usage with OpenSSL + TPM2 provider in an MQTT/mTLS flow.

Could you please clarify:

  • Whether persistent handles are officially supported by the OpenSSL TPM2 provider for TLS client authentication

  • Or if only TPM context files are expected to be used with OpenSSL-based MQTT clients

Any guidance or reference documentation would be very helpful.

Thank you.
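The following is an added example written for this thread; it is not code from the original posts, from ST, or from the tpm2-openssl project. It ties together the two points raised above: Benjamin's suggestion to activate the tpm2 provider through openssl.cnf and let paho-mqtt (which rides on Python's ssl module, i.e. OpenSSL) do the handshake, and the follow-up question about referencing the key as a persistent handle. It assumes that OPENSSL_CONF names an openssl.cnf like the one posted, that the client key is a "TSS2 PRIVATE KEY" PEM file the provider's decoder can load, and that broker host, port, topic and file paths are placeholders. The key-reference check encodes one observation that is not on the page: Python's ssl.SSLContext.load_cert_chain() accepts only a key file path, so a store URI such as handle:0x81010001 (the form tried on the command line above) cannot be passed through from Python at all, whatever the provider supports. The embedded openssl.cnf text is a copy of the one posted so the config check runs offline.

```python
"""Python MQTT mTLS client with a TPM-held private key via the OpenSSL tpm2 provider.

Added example, not code from the original thread or from ST. Assumptions (not from the page):
  * OPENSSL_CONF points at an openssl.cnf that activates the tpm2 provider (as posted above);
  * the client key is a "TSS2 PRIVATE KEY" PEM file that the provider's decoder can load;
  * broker host, port, topic and file paths are placeholders.
"""
import configparser
import os
import ssl

# Copy of the openssl.cnf posted in the thread, embedded so the checks below run offline;
# in practice read the real file named by OPENSSL_CONF.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
tpm2 = tpm2_sect

[default_sect]
activate = 1

[tpm2_sect]
module = /usr/local/lib/ossl-modules/tpm2.so
activate = 1

[algorithm_sect]
"""


def parse_openssl_cnf(text: str) -> dict:
    """Parse openssl.cnf into {section: {key: value}}.

    OpenSSL allows keys before the first section header (openssl_conf = ...), which
    configparser does not, so a synthetic "[_global_]" header is prepended.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string("[_global_]\n" + text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_provider_config(text: str) -> dict:
    """Follow openssl_conf -> providers -> tpm2/default and report what is activated.

    Worth checking explicitly: once any provider is activated in the config, OpenSSL
    no longer auto-loads the default provider, so [default_sect] must activate it too
    or TLS itself (ciphers, digests, the certificate chain) stops working.
    """
    cfg = parse_openssl_cnf(text)
    init_name = cfg.get("_global_", {}).get("openssl_conf", "")
    providers_name = cfg.get(init_name, {}).get("providers", "")
    providers = cfg.get(providers_name, {})
    tpm2 = cfg.get(providers.get("tpm2", ""), {})
    default = cfg.get(providers.get("default", ""), {})
    return {
        "tpm2_active": tpm2.get("activate") == "1",
        "tpm2_module": tpm2.get("module"),
        "default_active": default.get("activate") == "1",
    }


def classify_key_ref(key_ref: str) -> str:
    """Classify how the private key is referenced.

    "handle:0x81010001" is an OpenSSL store URI; Python's ssl.SSLContext.load_cert_chain()
    takes only a file path, so that form cannot be passed through from Python. The key
    therefore has to be a PEM file (here assumed to be a TSS2 PRIVATE KEY file) that the
    tpm2 provider's decoder turns into a provider-backed key.
    """
    if key_ref.startswith("handle:"):
        return "store-uri"
    return "file"


def build_client_context(ca_file: str, cert_file: str, key_ref: str) -> ssl.SSLContext:
    """Build a mutual-TLS client context; the private key never leaves the TPM because
    OpenSSL hands the handshake signature to the tpm2 provider."""
    if classify_key_ref(key_ref) != "file":
        raise ValueError(f"{key_ref!r}: Python ssl needs a key file, not a store URI")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_ref)  # provider decodes the TSS2 PEM
    return ctx


def publish_once(host: str, port: int, ctx: ssl.SSLContext, topic: str, payload: bytes) -> bool:
    """Connect with paho-mqtt over the prepared context, publish one QoS 1 message, report success."""
    import paho.mqtt.client as mqtt  # imported here so the checks above work without paho installed
    try:
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)  # paho-mqtt >= 2.0
    except AttributeError:
        client = mqtt.Client()                                  # paho-mqtt 1.x
    client.tls_set_context(ctx)
    client.connect(host, port, keepalive=60)
    client.loop_start()
    info = client.publish(topic, payload, qos=1)
    info.wait_for_publish(timeout=10)
    client.loop_stop()
    client.disconnect()
    return info.is_published()


if __name__ == "__main__":
    # OPENSSL_CONF must be set before the first SSLContext is created; exporting it in the
    # shell that starts Python is the safest way to make sure the provider config is read.
    with open(os.environ.get("OPENSSL_CONF", "/etc/ssl/openssl.cnf")) as fh:
        report = check_provider_config(fh.read())
    print("provider config:", report)
    if not (report["tpm2_active"] and report["default_active"]):
        raise SystemExit("both the tpm2 and the default provider must be activated in openssl.cnf")
    ctx = build_client_context("ca.crt", "client.crt", "client-tpm.pem")        # placeholder paths
    print("published:", publish_once("mqtt.example.invalid", 8883, ctx, "devices/pi/status", b"hello"))
```

Run it as `OPENSSL_CONF=/path/to/openssl.cnf python3 client.py` so OpenSSL picks up the provider section before the ssl module creates its first context; the config check fails fast if either provider is left unactivated, and the key-reference check turns the handle-vs-file mismatch into a clear error instead of an opaque SSLError from load_cert_chain.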