* [tpm2] Re: [External] : Re: Re: does -p (password) work with tpm2_import ?
@ 2021-04-26 22:40 Ted Kim
  0 siblings, 0 replies; 2+ messages in thread
From: Ted Kim @ 2021-04-26 22:40 UTC (permalink / raw)
  To: tpm2


Hi William,


I am using tpm2-tools-4.3 (tpm2-tss-3.0.1).


I don't know if this would make any difference, but my tpm2_import 
situation is somewhat different. I am taking in something created from 
tpm2_duplicate using a policy constructed with tpm2_policyduplicationselect.


It does seem I can work around this by using tpm2_changeauth to add the 
password. But for whatever reason when I put -p directly in the 
tpm2_import, it does not seem to take.


Thanks,
-ted


On 4/26/21 10:40 AM, Roberts, William C wrote:
> Seems to work for me, what version of the tools are you using?
>
> I modified the test and it seems to work as expected (if I drop the 
> password in tpm2 sign it fails)
>
> git diff
> diff --git a/test/integration/tests/import.sh 
> b/test/integration/tests/import.sh
> index ff8f9b3b96eb..d22cdb41a73b 100644
> --- a/test/integration/tests/import.sh
> +++ b/test/integration/tests/import.sh
> @@ -117,13 +117,13 @@ run_ecc_import_test() {
>      shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r 
> -c 32 > \
>      data.in.digest
> -    tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u 
> ecc.pub \
> +    tpm2 import -Q -G ecc -g "$name_alg" -p password -i 
> private.ecc.pem -C $1 -u ecc.pub \
>      -r ecc.priv
>      tpm2 load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx
>      # Sign in the TPM and verify with OSSL
> -    tpm2 sign -Q -c ecc.ctx -g sha256 -d -f plain -o data.out.signed \
> +    tpm2 sign -Q -c ecc.ctx -p password -g sha256 -d -f plain -o 
> data.out.signed \
>      data.in.digest
>      openssl dgst -verify public.ecc.pem -keyform pem -sha256 \
>      -signature data.out.signed data.in.raw
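Review bot: The modified test only exercises the PEM import path (`-i private.ecc.pem`), so it says nothing about importing a duplicated TPM object, which is the case the reporter describes; a passing run here does not rule out that report. The hunk also encodes only the positive case: `tpm2 sign -p password` succeeding. The negative case mentioned in the cover text (signing without the password must fail) is not in the script, so the test does not document that the auth is actually enforced. Suggest adding an explicit negative check after the signing line, e.g. `if tpm2 sign -Q -c ecc.ctx -g sha256 -d -f plain -o data.out.signed data.in.digest; then exit 1; fi`, and, if the duplicate path is meant to be covered, a second case that imports a TPM2B_PRIVATE rather than a PEM key.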
>
> ------------------------------------------------------------------------
> *From:* Ted Kim <ted.h.kim(a)oracle.com>
> *Sent:* Monday, April 19, 2021 4:24 PM
> *To:* tpm2(a)lists.01.org <tpm2(a)lists.01.org>
> *Subject:* [tpm2] Re: does -p (password) work with tpm2_import ?
>
> On 4/16/21 11:28 AM, Ted Kim wrote:
> > Folks,
> >
> > I tried tpm2_import with the -p option with a password, and it doesn't
> > seem to work for me.
> >
> > Subsequent tpm2_rsadecrypt commands using the key from the import seem
> > to work fine without any -p option.
> >
> > * Does import work with -p ?  Is there something I have overlooked in
> > this?
>
> Further, if you actually supply the correct password to tpm2_rsadecrypt
> command with the -p option, you get an auth error:
>
> WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish() 
>
> Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
> Esys Finish ErrorCode (0x0000098e)
> ERROR: Esys_RSA_Decrypt(0x98E) - tpm:session(1):the authorization HMAC
> check failed and DA counter incremented
> ERROR: Unable to run tpm2_rsadecrypt
>
>
> Trying this same sequence with a key created with tpm2_create works
> fine, so am thinking there is something wrong with tpm2_import not
> processing the -p properly.
>
> Can the maintainers look into this?
>
> Thanks,
> -ted
>
>
>
> >
> >
> >
> > I understand that tpm2_rsaencrypt does not take the -p option in line
> > with the idea of using a "public" key.
> >
> > * Is it correct to say that if I want to have authorization on
> > encryption, I have to use tpm2_encryptdecrypt (i.e. use symmetric 
> keys) ?
> >
> >
> >
> > Thanks,
> >
> > -ted
> >
> >
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org

-- 
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515



* [tpm2] Re: [External] : Re: Re: does -p (password) work with tpm2_import ?
@ 2021-04-27 21:18 Roberts, William C
  0 siblings, 0 replies; 2+ messages in thread
From: Roberts, William C @ 2021-04-27 21:18 UTC (permalink / raw)
  To: tpm2


TL;DR
So, what you want to do doesn't work. The tool should balk on -p and import from TPM objects.

When you import from a TPM object, you're importing from a TPM2B_PRIVATE, which is opaque to us. Thus
we cannot modify it to change it. You can only change the TPM object at creation time, when you have the
clear text TPM2B_SENSITIVE or through certain APIs like tpm2_changeauth.

However, when importing from an openssl key, we create the object from a TPM2B_SENSITIVE and perform the
parent key wrapping work of the TPM and thus generate the TPM2B_PRIVATE. Thus we can modify it.
________________________________
From: Ted Kim <ted.h.kim(a)oracle.com>
Sent: Monday, April 26, 2021 5:40 PM
To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: Re: [External] : Re: [tpm2] Re: does -p (password) work with tpm2_import ?


Hi William,


I am using tpm2-tools-4.3 (tpm2-tss-3.0.1).


I don't know if this would make any difference, but my tpm2_import situation is somewhat different. I am taking in something created from tpm2_duplicate using a policy constructed with tpm2_policyduplicationselect.


It does seem I can work around this by using tpm2_changeauth to add the password. But for whatever reason when I put -p directly in the tpm2_import, it does not seem to take.


Thanks,
-ted


On 4/26/21 10:40 AM, Roberts, William C wrote:
Seems to work for me, what version of the tools are you using?

I modified the test and it seems to work as expected (if I drop the password in tpm2 sign it fails)

git diff
diff --git a/test/integration/tests/import.sh b/test/integration/tests/import.sh
index ff8f9b3b96eb..d22cdb41a73b 100644
--- a/test/integration/tests/import.sh
+++ b/test/integration/tests/import.sh
@@ -117,13 +117,13 @@ run_ecc_import_test() {
     shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \
     data.in.digest

-    tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
+    tpm2 import -Q -G ecc -g "$name_alg" -p password -i private.ecc.pem -C $1 -u ecc.pub \
     -r ecc.priv

     tpm2 load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx

     # Sign in the TPM and verify with OSSL
-    tpm2 sign -Q -c ecc.ctx -g sha256 -d -f plain -o data.out.signed \
+    tpm2 sign -Q -c ecc.ctx -p password -g sha256 -d -f plain -o data.out.signed \
     data.in.digest
     openssl dgst -verify public.ecc.pem -keyform pem -sha256 \
     -signature data.out.signed data.in.raw

________________________________
From: Ted Kim <ted.h.kim(a)oracle.com>
Sent: Monday, April 19, 2021 4:24 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Re: does -p (password) work with tpm2_import ?


On 4/16/21 11:28 AM, Ted Kim wrote:
> Folks,
>
> I tried tpm2_import with the -p option with a password, and it doesn't
> seem to work for me.
>
> Subsequent tpm2_rsadecrypt commands using the key from the import seem
> to work fine without any -p option.
>
> * Does import work with -p ?  Is there something I have overlooked in
> this?

Further, if you actually supply the correct password to tpm2_rsadecrypt
command with the -p option, you get an auth error:

WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_RSA_Decrypt(0x98E) - tpm:session(1):the authorization HMAC
check failed and DA counter incremented
ERROR: Unable to run tpm2_rsadecrypt


Trying this same sequence with a key created with tpm2_create works
fine, so am thinking there is something wrong with tpm2_import not
processing the -p properly.

Can the maintainers look into this?

Thanks,
-ted



>
>
>
> I understand that tpm2_rsaencrypt does not take the -p option in line
> with the idea of using a "public" key.
>
> * Is it correct to say that if I want to have authorization on
> encryption, I have to use tpm2_encryptdecrypt (i.e. use symmetric keys) ?
>
>
>
> Thanks,
>
> -ted
>
>
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org

--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
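William's explanation above turns on the difference between a clear-text TPM2B_SENSITIVE, which tpm2_import builds itself when it reads an openssl key, and an opaque TPM2B_PRIVATE, which is all the tool has when it imports a duplicated TPM object. The following is an added example of mine, not tpm2-tools or tpm2-tss code, that models that difference in Python. It uses the TPMT_SENSITIVE layout and the KDFa construction from the TPM 2.0 specification, but simplifies the outer wrapper by leaving the sensitive area unencrypted (the real TPM also AES-CFB-encrypts it under a second derived key) so that only the integrity HMAC stands between a tool and the authValue. The function names, the parent seed, object name and key bytes are all constructed for the example.

```python
import hashlib
import hmac
import struct

TPM_ALG_ECC = 0x0023  # TPM_ALG_ID for ECC (TPM 2.0 Part 2)
INTEGRITY_LABEL = b"INTEGRITY"


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B: 2-byte big-endian size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def read_tpm2b(buf: bytes, off: int = 0):
    """Unmarshal one TPM2B at offset `off`; return (bytes, offset after it)."""
    (size,) = struct.unpack_from(">H", buf, off)
    start = off + 2
    return buf[start:start + size], start + size


def marshal_sensitive(auth: bytes, seed: bytes, key: bytes) -> bytes:
    """Clear-text TPMT_SENSITIVE: sensitiveType || authValue || seedValue || sensitive."""
    return struct.pack(">H", TPM_ALG_ECC) + tpm2b(auth) + tpm2b(seed) + tpm2b(key)


def parse_sensitive(buf: bytes) -> dict:
    (alg,) = struct.unpack_from(">H", buf, 0)
    auth, off = read_tpm2b(buf, 2)
    seed, off = read_tpm2b(buf, off)
    key, _ = read_tpm2b(buf, off)
    return {"alg": alg, "auth": auth, "seed": seed, "key": key}


def kdfa(key: bytes, label: bytes, ctx_u: bytes, ctx_v: bytes, bits: int) -> bytes:
    """KDFa (TPM 2.0 Part 1): HMAC(key, counter || label || 0x00 || ctxU || ctxV || bits)."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        counter += 1
        msg = struct.pack(">I", counter) + label + b"\x00" + ctx_u + ctx_v + struct.pack(">I", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]


def wrap_private(sensitive: bytes, parent_seed: bytes, name: bytes) -> bytes:
    """TPM2B_PRIVATE-style outer wrapper: TPM2B(integrity HMAC) || TPM2B(sensitive area).
    Simplification: the sensitive area is left unencrypted in this example."""
    hmac_key = kdfa(parent_seed, INTEGRITY_LABEL, b"", b"", 256)
    inner = tpm2b(sensitive)
    tag = hmac.new(hmac_key, inner + name, hashlib.sha256).digest()
    return tpm2b(tpm2b(tag) + inner)


def unwrap_private(blob: bytes, parent_seed: bytes, name: bytes) -> bytes:
    """Reverse of wrap_private; raises ValueError if the integrity HMAC does not match."""
    body, _ = read_tpm2b(blob)
    tag, off = read_tpm2b(body)
    inner = body[off:]
    hmac_key = kdfa(parent_seed, INTEGRITY_LABEL, b"", b"", 256)
    if not hmac.compare_digest(tag, hmac.new(hmac_key, inner + name, hashlib.sha256).digest()):
        raise ValueError("TPM2B_PRIVATE integrity check failed")
    sensitive, _ = read_tpm2b(inner)
    return sensitive


def import_from_pem(key: bytes, password: bytes, parent_seed: bytes, name: bytes) -> bytes:
    """PEM path: the tool builds the clear TPMT_SENSITIVE itself, so -p is applied
    before wrapping. The all-zero seedValue is a constructed placeholder."""
    return wrap_private(marshal_sensitive(password, b"\x00" * 32, key), parent_seed, name)


def patch_auth_without_seed(blob: bytes, password: bytes) -> bytes:
    """The most a tool could do to a duplicated TPM2B_PRIVATE it cannot unwrap:
    rewrite the authValue bytes and keep the old integrity tag."""
    body, _ = read_tpm2b(blob)
    tag, off = read_tpm2b(body)
    sensitive, _ = read_tpm2b(body, off)
    s = parse_sensitive(sensitive)
    return tpm2b(tpm2b(tag) + tpm2b(marshal_sensitive(password, s["seed"], s["key"])))


def change_auth(blob: bytes, password: bytes, parent_seed: bytes, name: bytes) -> bytes:
    """What TPM2_ObjectChangeAuth (tpm2_changeauth) does inside the TPM: the parent
    holds the seed, so it can unwrap, set authValue, and re-wrap with a fresh tag."""
    s = parse_sensitive(unwrap_private(blob, parent_seed, name))
    return wrap_private(marshal_sensitive(password, s["seed"], s["key"]), parent_seed, name)


def demo():
    """Returns (auth after PEM import, verdict on patched duplicate, auth after changeauth)."""
    parent_seed = hashlib.sha256(b"constructed parent seed").digest()  # constructed
    name = b"\x00\x0b" + hashlib.sha256(b"constructed public area").digest()  # constructed
    key = bytes(range(32))  # constructed stand-in for an ECC private scalar

    pem_priv = import_from_pem(key, b"password", parent_seed, name)
    pem_auth = parse_sensitive(unwrap_private(pem_priv, parent_seed, name))["auth"]

    duplicate = wrap_private(marshal_sensitive(b"", b"\x00" * 32, key), parent_seed, name)
    try:
        unwrap_private(patch_auth_without_seed(duplicate, b"password"), parent_seed, name)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"

    changed = change_auth(duplicate, b"password", parent_seed, name)
    changed_auth = parse_sensitive(unwrap_private(changed, parent_seed, name))["auth"]
    return pem_auth, verdict, changed_auth


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the thread describes: the PEM import carries the password into the wrapped object, a byte-level edit of the duplicated blob is thrown out by the integrity check, and only the seed holder (the parent, via tpm2_changeauth) can produce a re-wrapped object with the new authValue.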

