Re: How Is This Possible If There Are No Keys ? ? ?
by Frederick Gotham
On 12/5/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> No, you take your object context file and _choose_ the persistent handle to
> store it under.
I tried this:
tpm2_loadexternal -G rsa -u public.pem -c key_context_file_for_tpm2
tpm2_evictcontrol -c key_context_file_for_tpm2 0x81010002
And here's the output I got:
WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:326:Esys_EvictControl_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl()
Esys Finish ErrorCode (0x00000282)
ERROR: Esys_EvictControl(0x282) - tpm:handle(2):inconsistent attributes
ERROR:esys:src/tss2-esys/esys_tr.c:357:Esys_TR_Close() Error: Esys
handle does not exist (70018).
ERROR: Esys_TR_Close(0x70018) - esapi:0x18
ERROR: Unable to run tpm2_evictcontrol
I've tried leaving out the "0x81010002" at the end but I get the same
error output.
2 years, 8 months
Fwd: How Is This Possible If There Are No Keys ? ? ?
by Frederick Gotham
---------- Forwarded message ----------
From: Frederick Gotham <cauldwell.thomas(a)gmail.com>
Date: Thu, 5 Dec 2019 12:48:46 +0000
Subject: Re: [tpm2] How Is This Possible If There Are No Keys ? ? ?
To: "Fuchs, Andreas" <andreas.fuchs(a)sit.fraunhofer.de>
On 12/5/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> Using tpm2_evictcontrol
In order to use tpm2_evictcontrol, one needs a handle to an object.
I am unable to get a handle to the object I loaded in, because
"tpm2_getcap" returns nothing when I give it any of [transient,
persistent, loaded_session, saved_session].
2 years, 8 months
Fwd: How Is This Possible If There Are No Keys ? ? ?
by Frederick Gotham
On 12/5/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> The key is inside key_context_file_for_tpm2
>
> It's stored in there protected by a TPM-internal second key.
>
> When you call the command, it gets loaded into the TPM, used
> to verify the signature and then flushed from the TPM again.
When I reboot my device and then try to do the signature verification
again, I get this back:
tpm2_verifysignature -Q -c key_context_file_for_tpm2 -g sha256 -m
rootfs_hacked.tar -f rsassa -s signature_file
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad()
Esys Finish ErrorCode (0x000001df)
ERROR: Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Unable to run tpm2_verifysignature
So after I reboot my device, I'm not able to use that
"key_context_file_for_tpm2" again. So this would mean that I would
have to load the public key in again.
I'm not allowed to store any RSA keys on the hard disk of my device.
One of my boss's bosses has handed down an edict that all keys will be
loaded into the TPM2 chip once in the factory, and after that there
will be no RSA keys stored on the hard disk ever.
How on earth can I get a public key persistently into the TPM2?
If it turns out that I need to load the entire
private-and-public-key-pair into the TPM2 chip in order to make it
persistent, then I will do that.
2 years, 8 months
How Is This Possible If There Are No Keys ? ? ?
by Frederick Gotham
In previous messages I mentioned that I was using tpm2-pkcs11. I am no
longer using tpm2-pkcs11. I am using tpm2-tools at the command line,
and I'm using "device:/dev/tpmrm0".
I am able to check a signature as follows:
tpm2_verifysignature -T device -Q -c key_context_file_for_tpm2 -g sha256 -m rootfs_hacked.tar -f rsassa -s signature_file
WARNING:esys:src/tss2-esys/api/Esys_VerifySignature.c:302:Esys_VerifySignature_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_VerifySignature.c:103:Esys_VerifySignature()
Esys Finish ErrorCode (0x000002db)
ERROR: Esys_VerifySignature(0x2DB) - tpm:parameter(2):the signature is not valid
ERROR: Verify signature failed!
ERROR: Unable to run tpm2_verifysignature
This signature check is working properly (i.e. I have altered the
original file).
Immediately after I check that signature, I run 4 commands:
tpm2_getcap handles-transient
tpm2_getcap handles-persistent
tpm2_getcap handles-loaded-session
tpm2_getcap handles-saved-session
All four of these commands return nothing. So if there are no keys
inside the TPM2 chip, then how is the signature verification working?
2 years, 8 months
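The return codes quoted in the three "How Is This Possible" messages above (0x282, 0x1DF, 0x2DB from the TPM, 0x70018 from ESAPI) all follow the TSS2_RC/TPM_RC bit layout. The decoder below is an added example, not code from the list posts or from tpm2-tools (which ships its own tpm2_rc_decode); it splits a code into layer, handle/parameter/session number and error name, then runs over the log lines quoted above. The error-name tables are an assumed subset, enough for this thread.

```python
import re
from typing import List, Tuple

# Bits 16..23 of a TSS2_RC name the TSS layer that produced it
# (tss2_common.h); layer 0 means the code came from the TPM itself.
LAYERS = {0: "tpm", 6: "feature", 7: "esapi", 8: "sys", 9: "mu",
          10: "tcti", 11: "resmgr", 12: "resmgr_tpm"}

# Format-1 error numbers (TPM 2.0 Library Part 2, TPM_RC, RC_FMT1 family).
# Assumed subset: the codes this thread shows plus common neighbours.
FMT1_ERRORS = {
    0x01: "TPM_RC_ASYMMETRIC",
    0x02: "TPM_RC_ATTRIBUTES",   # tpm2-tools prints "inconsistent attributes"
    0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE",
    0x05: "TPM_RC_HIERARCHY",
    0x0A: "TPM_RC_TYPE",
    0x0B: "TPM_RC_HANDLE",
    0x0E: "TPM_RC_AUTH_FAIL",
    0x12: "TPM_RC_SCHEME",
    0x15: "TPM_RC_SIZE",
    0x1B: "TPM_RC_SIGNATURE",    # "the signature is not valid"
    0x1D: "TPM_RC_POLICY_FAIL",
    0x1F: "TPM_RC_INTEGRITY",    # "integrity check failed"
    0x22: "TPM_RC_BAD_AUTH",
}

# Format-0 codes: 0x100 (VER1) marks a TPM 2.0 error, 0x800 a warning.
# Assumed subset relevant to juggling transient and persistent objects.
FMT0_ERRORS = {
    0x100: "TPM_RC_INITIALIZE",
    0x101: "TPM_RC_FAILURE",
    0x103: "TPM_RC_SEQUENCE",
    0x12E: "TPM_RC_TOO_MANY_CONTEXTS",
    0x143: "TPM_RC_COMMAND_CODE",
    0x150: "TPM_RC_BAD_CONTEXT",
    0x902: "TPM_RC_OBJECT_MEMORY",
    0x906: "TPM_RC_OBJECT_HANDLES",
    0x921: "TPM_RC_LOCKOUT",
}


def decode_rc(rc: int) -> str:
    """Render a TSS2_RC in the style tpm2-tools uses, e.g. 0x282 ->
    'tpm:handle(2):TPM_RC_ATTRIBUTES'."""
    layer = (rc >> 16) & 0xFF
    if layer != 0:
        # Non-TPM layer: name it and report the 16-bit base code.
        return f"{LAYERS.get(layer, f'layer{layer}')}:0x{rc & 0xFFFF:X}"
    if rc & 0x80:
        # Format 1.  Bit 6 (P) set: N (bits 8..11) is a parameter number.
        # P clear: N is a handle number, or a session number if bit 11 is set.
        n = (rc >> 8) & 0xF
        err = rc & 0x3F
        if rc & 0x40:
            subject = f"parameter({n})"
        elif n & 0x8:
            subject = f"session({n & 0x7})"
        else:
            subject = f"handle({n})"
        return f"tpm:{subject}:{FMT1_ERRORS.get(err, f'RC_FMT1+0x{err:02X}')}"
    if rc & 0x400:
        # Bit 10 (T): vendor-defined code, no standard name.
        return f"tpm:vendor:0x{rc:X}"
    return f"tpm:{FMT0_ERRORS.get(rc & 0xFFF, f'0x{rc:X}')}"


# Matches both ESAPI log styles seen in the messages above:
#   "Esys Finish ErrorCode (0x00000282)" and "Esys_EvictControl(0x282)".
RC_IN_LOG = re.compile(r"ErrorCode \((0x[0-9A-Fa-f]+)\)|Esys_\w+\((0x[0-9A-Fa-f]+)\)")


def decode_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Extract every return code from ESAPI/tpm2-tools log lines and decode it."""
    found = []
    for line in lines:
        for m in RC_IN_LOG.finditer(line):
            code = int(m.group(1) or m.group(2), 16)
            found.append((code, decode_rc(code)))
    return found


# Log lines copied from the messages above (sample input for the decoder).
SAMPLE_LOG = [
    "Esys Finish ErrorCode (0x00000282)",
    "ERROR: Esys_EvictControl(0x282) - tpm:handle(2):inconsistent attributes",
    "ERROR: Esys_TR_Close(0x70018) - esapi:0x18",
    "ERROR: Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed",
    "ERROR: Esys_VerifySignature(0x2DB) - tpm:parameter(2):the signature is not valid",
]

if __name__ == "__main__":
    for code, meaning in decode_log(SAMPLE_LOG):
        print(f"0x{code:X} -> {meaning}")
```

Read the numbers against the command schemas: handle 2 of TPM2_EvictControl is the object being persisted, parameter 1 of TPM2_ContextLoad is the saved context blob, and parameter 2 of TPM2_VerifySignature is the signature itself.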
./configure error for tpm2-abrmd Centos 7
by pneumiller@directstream.com
I am using the instructions in the INSTALL.md in the tpm2-tools git repo. Any ideas/help would be greatly appreciated.
./configure error for tpm2-abrmd using the Dockerfile below.
checking for TSS2_SYS... no
configure: error: Package requirements (tss2-sys >= 2.0.0) were not met:
No package 'tss2-sys' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables TSS2_SYS_CFLAGS
and TSS2_SYS_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
My Dockerfile:
FROM centos:7
# install build dependencies
RUN yum clean all
RUN yum install -y git make autoconf autoconf-archive automake libtool gcc gcc-c++ glibc-headers pkgconfig openssl-devel curl-devel epel-release pandoc doxygen cmake flex bison dbus
RUN rm -rf /var/cache/yum
RUN yum -y update && yum -y install automake libtool \
autoconf autoconf-archive libstdc++-devel gcc pkg-config \
uriparser-devel libgcrypt-devel dbus-devel glib2-devel \
compat-openssl10-devel libcurl-devel PyYAML
# Install tpm2-tss
WORKDIR /root
RUN git clone https://github.com/tpm2-software/tpm2-tss
WORKDIR /root/tpm2-tss
RUN ./bootstrap
RUN ./configure --prefix=/usr --disable-doxygen-doc
RUN make -j5
RUN make install
RUN export LD_LIBRARY_PATH=/usr/lib
RUN ldconfig
RUN PKG_CONFIG_PATH=/usr/lib/pkgconfig
# Install tpm2-abrmd
WORKDIR /root
RUN git clone https://github.com/tpm2-software/tpm2-abrmd
WORKDIR /root/tpm2-abrmd
RUN ./bootstrap
RUN ./configure --with-dbuspolicydir=/etc/dbus-1/system.d \
--with-udevrulesdir=/usr/lib/udev/rules.d \
--with-systemdsystemunitdir=/usr/lib/systemd/system \
--libdir=/usr/lib64 --prefix=/usr
RUN make -j5
RUN make install
2 years, 8 months
Trying to make a script to store keys
by Frederick Gotham
Here's what I've got in my script so far:
- - - - - - - - Begin Script - - - - - - - -
#!/bin/sh
ABC_LABEL=$(uuidgen -r)
export TPM2_PKCS11_TCTI=device:/dev/tpmrm0
rm /root/private.pem > /dev/null 2>&1
openssl genrsa -out /root/private.pem 2048
# Not sure what the next line does but I'll do it anyway
tpm2_clear
# Clear out the objects in the TPM2's RAM
tpm2_flushcontext -t
tpm2_flushcontext -l
tpm2_flushcontext -s
# Clear out all persistent objects in cold storage
# (tpm2_getcap prints a YAML list, "- 0x81...", so strip the leading "- "
# before handing each handle to tpm2_evictcontrol)
tpm2_getcap handles-persistent | sed 's/^- //' | xargs -r -t -n1 tpm2_evictcontrol -c
# We may as well clear it again (not sure what this does)
tpm2_clear
# tpm2_ptool init prints the new primary object's id as the last word of its output
init() {
./tpm2_ptool init | rev | cut -d ' ' -f 1 | rev
}
ABC_PID="$(init)"
./tpm2_ptool addtoken --pid=${ABC_PID} --sopin=mysopin \
    --userpin=123456 --label ${ABC_LABEL}
./tpm2_ptool import --userpin 123456 --privkey /root/private.pem \
    --label ${ABC_LABEL} --algorithm rsa
ssh-keygen -D libtpm2_pkcs11.so
- - - - - - - - - End Script - - - - - - - - -
The first problem I'm having here is that "flushcontext" isn't
working. If I call it three times with three different arguments
(t, l, s), and then call ssh-keygen immediately afterward, it shows
that those transient keys are still in there.
2 years, 8 months
Mysterious Keys -- where are they?
by Frederick Gotham
I run the following at the command line:
ssh-keygen -D libtpm2_pkcs11.so
And here's the output I get:
So it looks like there are 5 keys inside my TPM2 chip somewhere. I wish
I knew where.
So now I try to get a list of all keys, by calling "tpm2_getcap" with
every kind of parameter, as follows:
tpm2_getcap --list | cut -d ' ' -f 2 | xargs -n1 -r -t tpm2_getcap
The output I get from this command shows that there are no transient,
persistent, loaded session, or saved session keys. If this is true
then where are my 5 keys?
And here's the ENTIRE output I get:
tpm2_getcap handles-transient
tpm2_getcap handles-persistent
tpm2_getcap handles-permanent
- 0x40000001
- 0x40000007
- 0x40000009
- 0x4000000A
- 0x4000000B
- 0x4000000C
- 0x4000000D
tpm2_getcap handles-pcr
- 0x0
- 0x1
- 0x2
- 0x3
- 0x4
- 0x5
- 0x6
- 0x7
- 0x8
- 0x9
- 0xA
- 0xB
- 0xC
- 0xD
- 0xE
- 0xF
- 0x10
- 0x11
- 0x12
- 0x13
- 0x14
- 0x15
- 0x16
- 0x17
tpm2_getcap handles-nv-index
- 0x1C00002
- 0x1C0000A
tpm2_getcap handles-loaded-session
tpm2_getcap handles-saved-session
2 years, 8 months
RSA key pairs are gone when I reboot
by Frederick Gotham
I use OpenSSL to generate an RSA key pair:
openssl genrsa -out private.pem 2048
I then use the utility "tpm2_ptool" to load the key pair into the TPM2 chip:
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=123456 --label monkey
tpm2_ptool import --userpin 123456 --privkey private.pem --label monkey --algorithm rsa
I am able to confirm that the key pair is inside the TPM2 chip by
using ssh-keygen:
ssh-keygen -D libtpm2_pkcs11.so
The output from ssh-keygen confirms that the keys are in there.
Next... I reboot my device, and the key pair is gone. It's no longer
in there. So it appears that the key was only in RAM and then it gets
wiped upon reboot.
How do I store an RSA key pair persistently/permanently inside the TPM2 chip?
2 years, 8 months
wpa_supplicant fails to use tpm2_pkcs11 key
by Ignacio Jaureguiberry
I'm trying to use PKCS#11 to authenticate a Wi-Fi client using wpa_supplicant against a RADIUS server (EAP-TLS auth using server and client certificates, no password) using a tpm2 private key.
I've installed the tpm2-tss 2.3.x branch, tpm2-tools master and tpm2-pkcs11 master. The system is Ubuntu Server 18.04. I'm using p11tool and OpenSC to add PKCS#11 support to wpa. All software except tpm2-* is from the official Ubuntu repositories.
I ran the pkcs11 store initialization as specified in the docs:
```
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=label
tpm2_ptool addkey --algorithm rsa2048 --label label --userpin myuserpin
```
I've created a CSR using the tpm2 key:
```
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:model=Intel;manufacturer=Intel;serial=0000000000000000;token=label;id=%37%61%61%37%62%33%33%33%35%62%37%64%62%37%37%30;object=3;type=secret-key;pin-value=myuserpin" -out client5.csr
```
Then moved the CSR to the radius server to create the certificate. The result of some steps is a client_tpm.pem file.
Finally I'm running wpa_supplicant with this wpa.conf config file:
```
# Configure OpenSSL to load the PKCS#11 engine and tpm2-pkcs11 module
pkcs11_engine_path=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
pkcs11_module_path=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so
network={
ssid="TPMAP"
key_mgmt=WPA-EAP
eap=TLS
identity="testing"
# use OpenSSL PKCS#11 engine for this network
engine=1
engine_id="pkcs11"
pin="myuserpin"
# select the private key on ID (output from p11tool above)
key_id="62356461333863313935373361313763"
# CA certificate and client signed certificate paths
ca_cert="/root/wpa_supplicant/ca.pem"
client_cert="/root/wpa_supplicant/client_tpm.pem"
}
```
```
TPM2_PKCS11_LOG_LEVEL=2 wpa_supplicant -c wpa.conf -i wlp1s0
```
This doesn't work; the output (truncated to the relevant section only) is:
```
wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
INFO on line: "390" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "390" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "378" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1737" in file: "src/lib/db.c": Using sqlite3 DB: "/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "337" in file: "src/lib/tpm.c": tcti=(null)
INFO on line: "378" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "386" in file: "src/pkcs11.c": enter "C_GetInfo"
WARNING on line: "56" in file: "src/lib/general.c": Could not strtoul(6c80e77): Success
INFO on line: "386" in file: "src/pkcs11.c": return "C_GetInfo" value: 0
INFO on line: "394" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "394" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "394" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "394" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "398" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "398" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "402" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "402" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "430" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "430" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "442" in file: "src/pkcs11.c": enter "C_GetSessionInfo"
INFO on line: "442" in file: "src/pkcs11.c": return "C_GetSessionInfo" value: 0
INFO on line: "454" in file: "src/pkcs11.c": enter "C_Login"
INFO on line: "454" in file: "src/pkcs11.c": return "C_Login" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority' hash=4953d5815718f3e6c082969bd950d84c1b8dbba87cb45c4b15335387b34abdb8
wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org' hash=677cee54ddad924c818909397a5b3d1a8ff64d45ab8796648d47aa5fdc2d3f8f
INFO on line: "550" in file: "src/pkcs11.c": enter "C_SignInit"
INFO on line: "550" in file: "src/pkcs11.c": return "C_SignInit" value: 112
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:8207A070:PKCS#11 module:pkcs11_private_encrypt:Mechanism invalid
OpenSSL: pending error: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
^Cnl80211: deinit ifname=p2p-dev-wlp1s0 disabled_11b_rates=0
p2p-dev-wlp1s0: CTRL-EVENT-TERMINATING
wlp1s0: CTRL-EVENT-DISCONNECTED bssid=58:6d:8f:9d:2f:9e reason=3 locally_generated=1
nl80211: deinit ifname=wlp1s0 disabled_11b_rates=0
wlp1s0: CTRL-EVENT-TERMINATING
INFO on line: "438" in file: "src/pkcs11.c": enter "C_CloseAllSessions"
INFO on line: "438" in file: "src/pkcs11.c": return "C_CloseAllSessions" value: 0
```
I've found some related issues, but I'm not sure it's the same problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1685470
https://forums.openvpn.net/viewtopic.php?f=6&t=28181
http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for...
They mention that OpenSSL is expecting a raw signature and pkcs11 is returning something else, but I'm not certain whether this is actually the case and, if so, how I can fix it.
Can anyone give me a pointer on what else to try? Is this an OpenSSL bug, or can it be solved from the tpm2-pkcs11 side?
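An added triage helper (example code, not from the post above or from tpm2-pkcs11, libp11 or wpa_supplicant) for the two things a practitioner would check first in that output: which PKCS#11 call failed and what its return value means, and whether the key the CSR was generated against is the key wpa_supplicant is told to use. tpm2-pkcs11 traces CK_RV in decimal, so `C_SignInit` returning 112 is CKR_MECHANISM_INVALID (0x70), which is what libp11 surfaces as "Mechanism invalid"; libp11 requests CKM_RSA_X_509 whenever OpenSSL asks for a raw (RSA_NO_PADDING) private-key operation, as it does for RSA-PSS signatures, so a token that does not advertise that mechanism fails at exactly this point. The second check decodes the percent-encoded `id=` attribute of the RFC 7512 URI used for the CSR and the hex `key_id` from wpa.conf to their CKA_ID bytes; in this post they decode to two different values, which is worth resolving independently of the mechanism problem. The log lines and identifiers are copied from the post; the function names and the CK_RV subset are this example's own.

```python
"""Offline triage for the wpa_supplicant / OpenSSL pkcs11 engine / tpm2-pkcs11 failure.

Added example: not code from the original post, wpa_supplicant, libp11 or tpm2-pkcs11.
The log lines and identifiers are copied from the post; everything else (function
names, the CK_RV subset) is this example's own.
"""
import re
from urllib.parse import unquote_to_bytes

# Subset of PKCS#11 v2.40 CK_RV codes that show up in sign/decrypt failures.
# tpm2-pkcs11's trace prints the value in decimal, so 112 in the post is 0x70.
CK_RV_NAMES = {
    0x000: "CKR_OK",
    0x005: "CKR_GENERAL_ERROR",
    0x006: "CKR_FUNCTION_FAILED",
    0x007: "CKR_ARGUMENTS_BAD",
    0x030: "CKR_DEVICE_ERROR",
    0x060: "CKR_KEY_HANDLE_INVALID",
    0x063: "CKR_KEY_TYPE_INCONSISTENT",
    0x068: "CKR_KEY_FUNCTION_NOT_PERMITTED",
    0x070: "CKR_MECHANISM_INVALID",
    0x071: "CKR_MECHANISM_PARAM_INVALID",
    0x082: "CKR_OBJECT_HANDLE_INVALID",
    0x091: "CKR_OPERATION_NOT_INITIALIZED",
    0x0A0: "CKR_PIN_INCORRECT",
    0x0B3: "CKR_SESSION_HANDLE_INVALID",
    0x101: "CKR_USER_NOT_LOGGED_IN",
}

# Constructed sample: trace lines copied from the post (two successes, one failure).
SAMPLE_LOG = """\
INFO on line: "454" in file: "src/pkcs11.c": return "C_Login" value: 0
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "550" in file: "src/pkcs11.c": enter "C_SignInit"
INFO on line: "550" in file: "src/pkcs11.c": return "C_SignInit" value: 112
"""

# The two places the post names the key: the CSR's PKCS#11 URI and wpa.conf's key_id.
URI_FROM_POST = ("pkcs11:model=Intel;manufacturer=Intel;serial=0000000000000000;"
                 "token=label;id=%37%61%61%37%62%33%33%33%35%62%37%64%62%37%37%30;"
                 "object=3;type=secret-key;pin-value=myuserpin")
KEY_ID_FROM_POST = "62356461333863313935373361313763"

_RETURN_RE = re.compile(r'return "(?P<fn>C_\w+)" value: (?P<rv>\d+)')


def ck_rv_name(rv):
    """Symbolic PKCS#11 name for a CK_RV, or a hex placeholder if not in the table."""
    return CK_RV_NAMES.get(rv, "CKR_UNKNOWN(0x%X)" % rv)


def failed_calls(log_text):
    """(function, rv, name) for each traced PKCS#11 call that did not return CKR_OK."""
    return [(m.group("fn"), int(m.group("rv")), ck_rv_name(int(m.group("rv"))))
            for m in _RETURN_RE.finditer(log_text)
            if int(m.group("rv")) != 0]


def cka_id_from_pkcs11_uri(uri):
    """CKA_ID bytes from the id= attribute of an RFC 7512 pkcs11: URI (%xx-escaped)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].partition("?")[0]   # path attributes only
    for attr in path.split(";"):
        name, _, value = attr.partition("=")
        if name == "id":
            return unquote_to_bytes(value)
    raise ValueError("URI carries no id= attribute")


def cka_id_from_wpa_key_id(key_id):
    """wpa_supplicant passes key_id to the engine; libp11 reads a bare string as hex CKA_ID."""
    return bytes.fromhex(key_id)


def same_object(uri, key_id):
    """True when the CSR's key URI and wpa_supplicant's key_id name the same CKA_ID."""
    return cka_id_from_pkcs11_uri(uri) == cka_id_from_wpa_key_id(key_id)


if __name__ == "__main__":
    for fn, rv, name in failed_calls(SAMPLE_LOG):
        print("%s returned %d = %s" % (fn, rv, name))
    print("CSR key CKA_ID  :", cka_id_from_pkcs11_uri(URI_FROM_POST))
    print("wpa.conf CKA_ID :", cka_id_from_wpa_key_id(KEY_ID_FROM_POST))
    print("same object     :", same_object(URI_FROM_POST, KEY_ID_FROM_POST))
```

On the device itself, the matching check for the first finding is `pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so --list-mechanisms`, which prints the mechanisms the token advertises; RSA-X-509 (raw RSA) has to be among them for the OpenSSL engine's no-padding path to succeed, and RSA-PKCS alone is not enough for an RSA-PSS CertificateVerify.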