tpm2-software / tpm2-openssl

OpenSSL Provider for TPM2 integration
BSD 3-Clause "New" or "Revised" License

Unable to generate new CSR #22

Closed nestorsamelo closed 3 years ago

nestorsamelo commented 3 years ago

I was unable to generate a new Certificate Signing Request using the provider with OpenSSL 3.0.0-beta2:

# tpm2tss-genkey -a rsa privkey.pem
# openssl req -new -nodes -provider tpm2 -key privkey.pem -out csr_prov.pem -subj '/CN=mydomain.net/'
-----
4040988DF87F0000:error:020000B3:rsa routines:rsa_ossl_private_encrypt:missing private key:../openssl-3.0.0-beta2/crypto/rsa/rsa_ossl.c:329:
4040988DF87F0000:error:1C880004:Provider routines:rsa_sign:RSA lib:../openssl-3.0.0-beta2/providers/implementations/signature/rsa_sig.c:580:
4040988DF87F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../openssl-3.0.0-beta2/crypto/asn1/a_sign.c:284:
#

However, the analogous engine-based command works:

# tpm2tss-genkey -a rsa privkey2.pem
# openssl req -new -nodes -engine libtpm2tss -keyform engine -key privkey2.pem -out csr_eng.pem -subj '/CN=mydomain.net/'
Engine "tpm2tss" set.
-----
# cat csr_eng.pem 
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
#
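
Added example (not part of this thread or of the tpm2-openssl project): a small Python decoder for OpenSSL 3 error-queue lines like the three printed above. Each line has the shape `<thread id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:`, and the hex code packs the library number in the top bits and the reason in the low 23 bits; when the reason carries the COMMON flag (the `... lib` reasons), its low bits are the number of the lower layer that failed. The bit layout and the library numbers in the table are taken from OpenSSL 3's `include/openssl/err.h` (assumed unchanged across 3.x); the sample input is the error output quoted in this issue. Decoding the chain shows why the first line is the one to read: `rsa_ossl_private_encrypt` in `crypto/rsa/rsa_ossl.c` is OpenSSL's built-in software RSA, so the key object was handed to the default provider's RSA code, which has no private component for a TPM-resident key, and the PROV and ASN1 lines only wrap that failure.

```python
"""Decode OpenSSL 3 error-queue lines (example code, not from tpm2-openssl)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Bit layout of an OpenSSL 3 error code, from include/openssl/err.h (assumption:
# unchanged across 3.x releases).
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAGS_MASK = 0x7
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET  # reason is a shared ERR_R_* value

# Subset of ERR_LIB_* numbers from err.h, enough for the lines in this issue.
ERR_LIB_NAMES = {4: "RSA", 6: "EVP", 13: "ASN1", 57: "PROV"}

# <tid>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:[<extra data>]
LINE_RE = re.compile(
    r"^(?P<tid>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)


@dataclass
class OsslError:
    thread_id: str
    code: int
    lib_name: str
    func: str
    reason: str
    file: str
    line: int
    data: str

    @property
    def lib_num(self) -> int:
        """Library that raised the error (ERR_GET_LIB)."""
        return (self.code >> ERR_LIB_OFFSET) & ERR_LIB_MASK

    @property
    def is_common(self) -> bool:
        """True for ERR_R_*_LIB style reasons that just point at a lower layer."""
        return bool(self.code & ERR_RFLAG_COMMON)

    @property
    def reason_num(self) -> int:
        """Reason number with the flag bits stripped off."""
        return self.code & ERR_REASON_MASK & ~(ERR_RFLAGS_MASK << ERR_RFLAGS_OFFSET)


def parse_error_line(line: str) -> Optional[OsslError]:
    """Parse one printed error line; returns None for non-error lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return OsslError(
        thread_id=m["tid"], code=int(m["code"], 16), lib_name=m["lib"],
        func=m["func"], reason=m["reason"], file=m["file"],
        line=int(m["line"]), data=m["data"],
    )


def parse_error_output(text: str) -> List[OsslError]:
    """ERR_print_errors prints oldest (deepest) error first; keep that order."""
    return [e for e in (parse_error_line(l) for l in text.splitlines()) if e]


def describe(err: OsslError) -> str:
    """Human-readable one-liner: which layer failed and why."""
    lib = ERR_LIB_NAMES.get(err.lib_num, f"lib#{err.lib_num}")
    if err.is_common:
        inner = ERR_LIB_NAMES.get(err.reason_num, f"lib#{err.reason_num}")
        return f"{lib}:{err.func} failed because the {inner} layer below it failed"
    return f"{lib}:{err.func}: {err.reason} (reason {err.reason_num}, {err.file}:{err.line})"


def root_cause(errs: List[OsslError]) -> Optional[OsslError]:
    """First error whose reason is not a pass-through to a lower library."""
    for e in errs:
        if not e.is_common:
            return e
    return errs[0] if errs else None


# Sample input: the three lines quoted in this issue.
SAMPLE = """\
4040988DF87F0000:error:020000B3:rsa routines:rsa_ossl_private_encrypt:missing private key:../openssl-3.0.0-beta2/crypto/rsa/rsa_ossl.c:329:
4040988DF87F0000:error:1C880004:Provider routines:rsa_sign:RSA lib:../openssl-3.0.0-beta2/providers/implementations/signature/rsa_sig.c:580:
4040988DF87F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../openssl-3.0.0-beta2/crypto/asn1/a_sign.c:284:
"""

if __name__ == "__main__":
    errors = parse_error_output(SAMPLE)
    for err in errors:
        print(describe(err))
    print("root cause:", describe(root_cause(errors)))
```

Running it prints the RSA line as the root cause (library 4, reason 179, "missing private key" in the software RSA code) and the PROV and ASN1 lines as wrappers whose common reasons point at libraries 4 (RSA) and 6 (EVP) respectively.
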
gotthardp commented 3 years ago

I was able to generate the CSR using tpm2-openssl and the tpm2-tss-engine's private key. You are likely using some older combination of openssl, tpm2-tss and tpm2-openssl. For example, the tpm2-openssl now requires -provider default to load a certificate from a file.

However, I found another bug that prevents a correct usage of the tpm2-tss library with tpm2-openssl and openssl 3.0. I will fix that first and then come back to you.

gotthardp commented 3 years ago

@nestorsamelo could you please try your test again, using the master branch of openssl, tpm2-tss and tpm2-openssl? There have been multiple fixes in all of them.

nestorsamelo commented 3 years ago

@gotthardp I was not able to verify this using openssl 3.0.0 (released on Sep 7), tpm2-tss (commit ec58f0a43931b18de9c3c5e0cd884892c218041a), and tpm2-openssl (commit d2499aa763da01fcdae37f6c70fcab52f33c2fc4).

# tpm2tss-genkey -a rsa privkey.pem
# openssl req -new -nodes -provider tpm2 -key privkey.pem -out csr_prov.pem -subj '/CN=mydomain.net/'
4060A7A1197F0000:error:020000B3:rsa routines:rsa_ossl_private_encrypt:missing private key:../openssl-3.0.0/crypto/rsa/rsa_ossl.c:329:
4060A7A1197F0000:error:1C880004:Provider routines:rsa_sign:RSA lib:../openssl-3.0.0/providers/implementations/signature/rsa_sig.c:580:
4060A7A1197F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../openssl-3.0.0/crypto/asn1/a_sign.c:284:

I must be missing something. Perhaps I need to get tpm2-tools and tpm2-abrmd from master as well? I will try that later.

Thank you.

gotthardp commented 3 years ago

Could you add -provider default, please?

# tpm2tss-genkey -a rsa privkey.pem
# openssl req -new -nodes -provider tpm2 -provider default -key privkey.pem -out csr_prov.pem -subj '/CN=mydomain.net/'

nestorsamelo commented 3 years ago

I got essentially the same:

# tpm2tss-genkey -a rsa privkey.pem
# openssl req -new -nodes -provider tpm2 -provider default -key privkey.pem -out csr_prov.pem -subj '/CN=mydomain.net/'
4080A7770F7F0000:error:020000B3:rsa routines:rsa_ossl_private_encrypt:missing private key:../openssl-3.0.0/crypto/rsa/rsa_ossl.c:329:
4080A7770F7F0000:error:1C880004:Provider routines:rsa_sign:RSA lib:../openssl-3.0.0/providers/implementations/signature/rsa_sig.c:580:
4080A7770F7F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../openssl-3.0.0/crypto/asn1/a_sign.c:284:

I haven't tried openssl from master instead of 3.0.0.

gotthardp commented 3 years ago

There must be something wrong with the way the libraries are built. It's also surprising you are not getting any human-friendly error. Could you please let me know:

1) What gets printed when you do openssl list -providers -provider tpm2 -provider default
2) What ./Configure arguments you used to build openssl

nestorsamelo commented 3 years ago

@gotthardp

Here is the information you requested.

# openssl list -providers -provider tpm2 -provider default
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.0
    status: active
  tpm2
    name: TPM 2.0 Provider
    version: 1.0.0-rc0
    status: active

./Configure disable-devcryptoeng enable-fips enable-acvp-tests no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 --prefix=/usr --openssldir=/usr/lib/ssl-3 --libdir=/usr/lib linux-x86_64

gotthardp commented 3 years ago

@nestorsamelo, I still cannot reproduce this.

There is one more thing that could be different: your openssl configuration. (You have the legacy provider loaded although you didn't load it from the command line. That's weird.)

Please have a look at the openssl.cnf file in openssl info -configdir. Did you make some changes to it?

nestorsamelo commented 3 years ago

@gotthardp

After I updated tpm2-tools to version 5.2, I was able to generate the CSR as you described.

# tpm2tss-genkey -a rsa privkey.pem
# openssl req -new -nodes -provider tpm2 -provider default -key privkey.pem -out csr_prov.pem -subj '/CN=mydomain.net/'

Thank you very much.

gotthardp commented 3 years ago

Great, thanks for all the testing!