Hi William,

Yes. It actually came to mind that my TPM might be faulty. But I had a colleague running the script and he got exactly the same error, so it seems there is a bug in the padding routine.


On Wed, 11 Dec 2019 at 16:50, Roberts, William C <william.c.roberts@intel.com> wrote:
Sounds like a possible issue in our TPM2 structures to signature format routine or the TPM itself:
https://github.com/tpm2-software/tpm2-tools/blob/master/lib/tpm2_convert.c#L467

Looks like the script has an rsa key, so you should get a signature scheme of:
TPM2_ALG_RSASSA

Which is just a straight memcpy from the TPM.

Perhaps, the TPM is either getting it wrong or we need to call some magic OSSL padding routine?


> -----Original Message-----
> From: Niklas Andersson [mailto:niklas.andersson@fredenheim.se]
> Sent: Wednesday, December 11, 2019 4:58 AM
> To: tpm2@lists.01.org
> Subject: [tpm2] Re: tpm2_create signature verification fails due to
> "RSA_padding_check_PKCS_type1:invalid padding"
>
> Here is the test case that explains the issue. Not sure if I am missing something. I
> believe the certify.SIGNATURE is corrupt.
>
>
> #!/bin/bash
>
> srk_handle=0x81000003
> ek_handle=0x81010001
>
> # IDevID
> tpm2_createak \
> --ek-context=$ek_handle \
> --ak-context=IDevID.ctx \
> --key-algorithm=rsa \
> --hash-algorithm=sha1 \
> --public=IDevID.pub \
> --private=IDevID.priv
> # --signing-algorithm=sha1
>
> # LDevID
> tpm2_create \
> --parent-context=$srk_handle \
> --hash-algorithm=sha1 \
> --key-algorithm=rsa2048 \
> --public=LDevID.pub \
> --private=LDevID.priv \
> --creation-data=LDevID.CREATION_DATA \
> --creation-hash=LDevID.CREATION_HASH \
> --creation-ticket=LDevID.CREATION_TICKET
>
> tpm2_load \
> --parent-context=$srk_handle \
> --public=LDevID.pub \
> --private=LDevID.priv \
> --key-context=LDevID.ctx
>
> # Certify
> tpm2_certify \
> --certifiedkey-context=LDevID.ctx \
> --signingkey-context=IDevID.ctx \
> --hash-algorithm=sha1 \
> --attestation=certify.ATTESTATION \
> --signature=certify.SIGNATURE \
> --format=plain
>
> # Certify Creation
> tpm2_certifycreation \
> --certifiedkey-context=LDevID.ctx \
> --signingkey-context=IDevID.ctx \
> --hash-algorithm=sha1 \
> --creation-hash=LDevID.CREATION_HASH \
> --ticket=LDevID.CREATION_TICKET \
> --signature=certifycreation.SIGNATURE \
> --attestation=certifycreation.ATTESTATION \
> --format=plain
>
> # IDevID.der
> echo 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA' | openssl base64 -a -d > IDevID.header.temp
> dd if=IDevID.pub bs=1 skip=$(expr $(stat --format=%s IDevID.pub) - 256) of=IDevID.modulus.temp
> echo -en '\x02\x03' > IDevID.mid-header.temp
> echo -ne '\x01\x00\x01' > IDevID.exponent.temp
> cat IDevID.header.temp IDevID.modulus.temp IDevID.mid-header.temp IDevID.exponent.temp > IDevID.der
>
> # Remove first two bytes (byte size of struct) in certifycreation.ATTESTATION
> # in order for hash to comply. "Magic Header" must be ff 54 43 47
> dd if=certifycreation.ATTESTATION of=certifycreation.ATTESTATION_2 bs=1 skip=2
>
> # WORKS: Verify Certify Creation
> openssl dgst \
> -verify IDevID.der -keyform der \
> -sha1 -signature certifycreation.SIGNATURE certifycreation.ATTESTATION_2
>
> # FAILS: Verify Create
> openssl dgst \
> -verify IDevID.der -keyform der \
> -sha1 -signature certify.SIGNATURE certify.ATTESTATION
>
> # WORKS:
> openssl rsautl \
> -verify \
> -pubin -inkey IDevID.der -keyform DER \
> -in certifycreation.SIGNATURE \
> -out certifycreation.SIGNATURE.asn1
>
> dumpasn1 certifycreation.SIGNATURE.asn1
>
> # FAILS:
> openssl rsautl \
> -verify \
> -pubin -inkey IDevID.der -keyform DER \
> -in certify.SIGNATURE \
> -out certify.SIGNATURE.asn1
>
> On Tue, 10 Dec 2019 at 23:40, Niklas Andersson <niklas.andersson@fredenheim.se> wrote:
>
>
>       openssl can not verify plain signature (256 bytes) from tpm2_certify due to bad padding.
>
>       This should work (verification of signature from tpm2_certifycreation works fine):
>
>       openssl dgst -verify ../AIKOpaque.der -keyform der -sha1 -signature Signature KeyAttest.bin
>       Verification Failure
>
>       ....examine:
>
>       openssl rsautl -verify -inkey ../AIKOpaque.der -in Signature -pubin -keyform der -pkcs > decrypted.bin
>       RSA operation error
>       140654247387584:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:
>       140654247387584:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:582:
>
>       ..Same operation on a plain signature from tpm2_certifycreation works:
>
>
>       openssl rsautl -verify -inkey ../AIKOpaque.der -in ../IdBinding.EXTRACTED_TPMT_SIGNATURE -pubin -keyform der  > decrypted.bin
>
>       dumpasn1 decrypted.bin
>         0  33: SEQUENCE {
>         2   9:   SEQUENCE {
>         4   5:     OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
>        11   0:     NULL
>              :     }
>        13  20:   OCTET STRING 2D A1 D1 30 3A D2 FD 68 A1 5A 2F 9B 8B C1 1E DB 36 A7 7C D4
>              :   }
>
>
>       So. It looks like a bug in tpm2_certify.
>
>       tool="tpm2_certify" version="4.1" tctis="libtss2-tctildr" tcti-default=tcti-device
>       tpm2-tss 2.3.2-rc0
>
>       Regards,
>       Niklas
>
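
Added example, not part of the thread or of tpm2-tools: the RSASSA-PKCS1-v1_5 / SHA-1 check that `openssl rsautl -verify` and `openssl dgst -verify` perform, redone step by step so that a padding failure in the signature blob can be told apart from a hash mismatch caused by the attestation bytes (such as the two-byte size prefix the script strips). The key is a constructed demo key, and `em_check`, `sign` and `demo` are hypothetical names.

```python
import hashlib

# DER header of a SHA-1 DigestInfo: the SEQUENCE that dumpasn1 prints in the thread.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def em_check(sig: bytes, n: int, e: int, msg: bytes) -> str:
    """Redo the RSASSA-PKCS1-v1_5 / SHA-1 check in steps; name the first one that fails."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return f"length: signature is {len(sig)} bytes, modulus is {k}"
    s = int.from_bytes(sig, "big")
    if s >= n:
        return "range: signature value is not below the modulus"
    em = pow(s, e, n).to_bytes(k, "big")  # raw public-key operation, padding left on
    if em[:2] != b"\x00\x01":
        return "padding: block does not start with 00 01"
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return "padding: FF run is short, broken or unterminated"
    info = em[sep + 1:]
    if len(info) != len(SHA1_PREFIX) + 20 or not info.startswith(SHA1_PREFIX):
        return "digestinfo: not a SHA-1 DigestInfo"
    if info[len(SHA1_PREFIX):] != hashlib.sha1(msg).digest():
        return "digest: padding is fine, but different bytes were hashed"
    return "ok"

# Constructed demo key, NOT a TPM key: the product of two Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(msg: bytes) -> bytes:
    """Stand-in for the signer: build 00 01 FF.. 00 DigestInfo and apply the private key."""
    k = (N.bit_length() + 7) // 8
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")

def demo() -> dict:
    body = b"\xffTCG constructed attestation body"   # constructed sample data
    sig = sign(body)
    return {
        "good": em_check(sig, N, E, body),
        "size_prefix_kept": em_check(sig, N, E, len(body).to_bytes(2, "big") + body),
        "sig_bit_flipped": em_check(sig[:-1] + bytes([sig[-1] ^ 1]), N, E, body),
        "sig_with_header": em_check(b"\x00" * 6 + sig, N, E, body),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A `digest:` verdict points at the attestation bytes that were hashed, while a `length:` or `padding:` verdict points at the signature blob or the key it was checked against.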
>