All of lore.kernel.org
 help / color / mirror / Atom feed
From: David Woodhouse <dwmw2 at infradead.org>
To: tpm2@lists.01.org
Subject: Re: [tpm2] Conflicting TPM2 engines and storage formats
Date: Tue, 02 Oct 2018 19:58:11 +0100	[thread overview]
Message-ID: <d338f832ccf2452e1b26d6fcb6b44c42b9ccc880.camel@infradead.org> (raw)
In-Reply-To: 1538502026.14607.12.camel@HansenPartnership.com

[-- Attachment #1: Type: text/plain, Size: 5166 bytes --]

OK.. I think this makes a difference:


--- a/src/tpm2-tss-engine-common.h
+++ b/src/tpm2-tss-engine-common.h
@@ -55,8 +55,7 @@ TSS2_RC init_tpm_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle,
         .objectAttributes = (TPMA_OBJECT_USERWITHAUTH | \
                              TPMA_OBJECT_RESTRICTED | \
                              TPMA_OBJECT_DECRYPT | \
-                             TPMA_OBJECT_FIXEDTPM | \
-                             TPMA_OBJECT_FIXEDPARENT | \
+                             TPMA_OBJECT_NODA | \
                              TPMA_OBJECT_SENSITIVEDATAORIGIN), \
         .authPolicy = { \
              .size = 0, \


Now, I have two PEM files, one 'machine.tss' created with James's tpm2
engine, and a second 'tpm2-engine.tss' which is converted manually as
described in issue #11 to be used with the tpm2tss engine.


$ openssl rsautl -sign -engine tpm2tss -inkey tpm2-engine.tss -keyform engine < testfile > testsig.tpm2tss
$ openssl rsautl -sign -engine tpm2 -inkey machine.tss -keyform engine < testfile > testsig.tpm2
$ sha1sum testsig.tpm*
fb9e8c1f4a1872f4144fd760af1740af75a9a8b2  testsig.tpm2
fb9e8c1f4a1872f4144fd760af1740af75a9a8b2  testsig.tpm2tss

So... that now *is* working for signing. However, while the
corresponding 'rsautl -verify' works fine with James's tpm2 engine, it
fails with tpm2tss:

$ openssl rsautl -verify -engine tpm2tss -inkey ../openssl_tpm2_engine/tpm2-engine.tss -keyform engine -in testsig.tpm2tss
Initializing
engine "tpm2tss" set.
Loading private key ../openssl_tpm2_engine/tpm2-engine.tss
get_auth called for object user key with ui_method 0x55ced253fdc0
Enter password for user key:
password is 
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
RSA operation error
140407559393728:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:../crypto/rsa/rsa_pk1.c:75:
140407559393728:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:586:


So... is it the public key that I've misconverted somehow?

 $ openssl asn1parse -in machine.tss 
    0:d=0  hl=4 l= 503 cons: SEQUENCE          
    4:d=1  hl=2 l=   5 prim: OBJECT            :2.23.133.10.2
   11:d=1  hl=2 l=   3 cons: cont [ 0 ]        
   13:d=2  hl=2 l=   1 prim: BOOLEAN           :1
   16:d=1  hl=2 l=   6 cons: cont [ 1 ]        
   18:d=2  hl=2 l=   4 prim: INTEGER           :40000001
   24:d=1  hl=4 l= 284 cons: cont [ 2 ]        
   28:d=2  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:01160001000B000204400000001000100800000000000100C696B23A22C1516E22352CD1309A48BD7E6F054EE10BB7265BFC3BC85B622E75B658A03E15BB74CD9C542C4CEA22337467913058B3711E6EF6CB4C8DA9B496E5888346B058426D645398613BF9BCE907947E63B5B4CD4ABA1FFC2EA396BEC0A7F3F1FEDF022966CED43C070B2000BEEEE7BB82375A4E1C1558E7FC7139DCEE9C6055C3332D50572E14A0747B907440598C93B77F356689EE71ACDAECA9C1FF33C74106CD8C23ACA4613F4D234A4C10A1D7AA3E469493A541838D40A065B17FD23F7D75A5F9BD29F59566BB7D450E970269FD90F914FFF0CE44D526D4914C32F35AD9A2C6BAF7F77BAAA0B4B77F80C29C683764BAFADEAFC397D344DB2ABF996D
  312:d=1  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE00204463515A27FC3B773B53F28C04C147D78991B02E7B2FAFE0E96FA11E79692FCA0010DE02ADCCECCADBA51D1C71283A37FFD608D0979B994054031FF7475505EBC0D45CB6808A93D83C64051CA06043721D55D8FE514BDD997CB8B26199B62D2E8517C1DE5293AC6ED97EF278F648B072855B73B2D32CB2B39315FA40FA6AAF618038D6F880465083A1140DF9792448F6D888C912A797EE943912E0EC78B9576748822580ABECE5D02B973DAF1C0F7CE15DC56D3BB15E9AE7FADDB7C2

 $ tail -8 tpm2-engine.tss | openssl asn1parse
    0:d=0  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:01160001000B000204400000001000100800000000000100C696B23A22C1516E22352CD1309A48BD7E6F054EE10BB7265BFC3BC85B622E75B658A03E15BB74CD9C542C4CEA22337467913058B3711E6EF6CB4C8DA9B496E5888346B058426D645398613BF9BCE907947E63B5B4CD4ABA1FFC2EA396BEC0A7F3F1FEDF022966CED43C070B2000BEEEE7BB82375A4E1C1558E7FC7139DCEE9C6055C3332D50572E14A0747B907440598C93B77F356689EE71ACDAECA9C1FF33C74106CD8C23ACA4613F4D234A4C10A1D7AA3E469493A541838D40A065B17FD23F7D75A5F9BD29F59566BB7D450E970269FD90F914FFF0CE44D526D4914C32F35AD9A2C6BAF7F77BAAA0B4B77F80C29C683764BAFADEAFC397D344DB2ABF996D


I note that 'tpm2tss-genkey' stopped working with the change I made at
the beginning of this mail. I confess I haven't even looked up what any
of those flags mean...

$ ./tpm2tss-genkey  new.tss
Initializing
Setting owner auth to empty auth.
Generating RSA key for 2048 bits keysize.
Establishing connection with TPM.
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so 
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so 
Creating primary key under owner.
Generating the RSA key inside the TPM.
WARNING:esys:src/tss2-esys/api/Esys_Create.c:411:Esys_Create_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Create.c:155:Esys_Create() Esys Finish ErrorCode (0x000002c2) 
Error: Generating key failed
Key could not be generated.


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5213 bytes --]

             reply	other threads:[~2018-10-02 18:58 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-02 18:58 David Woodhouse [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-10-12 15:54 [tpm2] Conflicting TPM2 engines and storage formats Fuchs, Andreas
2018-10-12 15:19 David Woodhouse
2018-10-12  9:16 Fuchs, Andreas
2018-10-12  6:08 David Woodhouse
2018-10-12  5:55 David Woodhouse
2018-10-11 22:25 David Woodhouse
2018-10-11 20:15 David Woodhouse
2018-10-11 18:48 David Woodhouse
2018-10-11 18:40 David Woodhouse
2018-10-11 18:31 David Woodhouse
2018-10-11 18:07 David Woodhouse
2018-10-11 17:34 David Woodhouse
2018-10-11 15:41 Fuchs, Andreas
2018-10-08 10:15 David Woodhouse
2018-10-05 15:46 David Woodhouse
2018-10-05 15:34 Fuchs, Andreas
2018-10-05 15:31 David Woodhouse
2018-10-05 15:24 Fuchs, Andreas
2018-10-05 15:22 Fuchs, Andreas
2018-10-05 14:59 David Woodhouse
2018-10-05 14:36 Fuchs, Andreas
2018-10-05 11:59 David Woodhouse
2018-10-05 10:27 David Woodhouse
2018-10-05 10:19 Fuchs, Andreas
2018-10-05  9:44 Fuchs, Andreas
2018-10-04 16:17 David Woodhouse
2018-10-04 16:04 Fuchs, Andreas
2018-10-04 10:58 Roberts, William C
2018-10-03 20:47 David Woodhouse
2018-10-03 11:06 David Woodhouse
2018-10-03 10:47 David Woodhouse
2018-10-03 10:35 David Woodhouse
2018-10-02 17:21 Fuchs, Andreas
2018-10-02 17:18 Fuchs, Andreas
2018-10-02 16:38 David Woodhouse
2018-10-02 16:20 Fuchs, Andreas
2018-10-01 20:10 David Woodhouse

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d338f832ccf2452e1b26d6fcb6b44c42b9ccc880.camel@infradead.org \
    --to=tpm2@lists.01.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.