Closed Firstyear closed 1 year ago
Firstyear
commented
1 year ago PS: the goal of this would be to demonstrate and create sample repos of tpm2-openssl integration for developers. I would also appreciate your advice on how to proceed to debug this and gather data on the tpm and it's configuration to create a developer/debug guide for this project.
gotthardp
commented
1 year ago This is a TPM2 error. The documentation says the TPM_RC_AUTH_UNAVAILABLE occurs when the key is not loaded properly: The public and sensitive portions of the object shall be present on the TPM (TPM_RC_AUTH_UNAVAILABLE).
Firstyear
commented
1 year ago Thanks @gotthardp - from the code though, I have loaded the provider and then generated the EC key within that provider context. So from my view it would seem as though I did generate the key in the TPM. Clearly though I'm missing something here about the correct way to handle the key within the TPM context. Are there code examples (not openssl cli) of what I'm trying to achieve here that I could reference?
Firstyear
commented
1 year ago I'm still having this issue @gotthardp - I must be missing something:
fn do_main() {
std::mem::forget(Provider::load(None, "tpm2").unwrap());
let ecgroup = get_group();
let eckey = ec::EcKey::generate(&ecgroup).unwrap();
let priv_key = pkey::PKey::from_ec_key(eckey).unwrap();
let mut priv_ctx = openssl::pkey_ctx::PkeyCtx::new(&priv_key)
.unwrap();
priv_ctx.sign_init().unwrap();
let max_len = priv_ctx.sign(&[], None).unwrap();
let mut sig = (0..max_len).map(|_| 0).collect::<Vec<u8>>();
let data = [0,0,0,0];
let digest = hash::hash(hash::MessageDigest::sha256(), &data)
.unwrap();
error!(?digest);
priv_ctx.sign_init().unwrap();
let e = priv_ctx.sign(&digest, Some(sig.as_mut_slice()));
error!(?e);
}
I have simplified just to an ecdsa signature, and these methods all use the EVP_ calls that the tpm2-library advertises as supported. But I still get: { code: 1073741839, library: "tpm2", function: "", reason: "cannot sign", file: "", line: 4294967295, data: "303 tpm:error(2.0): authValue or authPolicy is not available for selected entity" }
I have tried to read the docs and the source code, but it's not really helping - it appears all the tests are command line tests too.
Is it possible to add examples in C to this repository that show at least how the EVP calls should be handled and worked with? Because currently even without that I don't have a reference to understand what I could be holding wrong here.
Firstyear
commented
1 year ago Okay I have resolved this. The trick is that you need to do the key gen with a different api. The working code is:
// IMPORTANT need to use pkey here!
let ca_key = pkey::PKey::ec_gen("P-256").unwrap();
let mut x509_name = X509NameBuilder::new()?;
x509_name.append_entry_by_text("C", "AU")?;
x509_name.append_entry_by_text("ST", "QLD")?;
x509_name.append_entry_by_text("O", "Webauthn Authenticator RS")?;
x509_name.append_entry_by_text("CN", "Dynamic Softtoken CA")?;
let x509_name = x509_name.build();
let mut cert_builder = X509::builder()?;
// Yes, 2 actually means 3 here ...
cert_builder.set_version(2)?;
let serial_number = bn::BigNum::from_u32(1).and_then(|serial| serial.to_asn1_integer())?;
cert_builder.set_serial_number(&serial_number)?;
cert_builder.set_subject_name(&x509_name)?;
cert_builder.set_issuer_name(&x509_name)?;
let not_before = asn1::Asn1Time::days_from_now(0)?;
cert_builder.set_not_before(¬_before)?;
let not_after = asn1::Asn1Time::days_from_now(1)?;
cert_builder.set_not_after(¬_after)?;
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
cert_builder.append_extension(
KeyUsage::new()
.critical()
.key_cert_sign()
.crl_sign()
.build()?,
)?;
let subject_key_identifier =
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
cert_builder.append_extension(subject_key_identifier)?;
cert_builder.set_pubkey(&ca_key)?;
trace!(?ca_key);
// TPM2_RC_AUTH_UNAVAILABLE occurs here
cert_builder.sign(&ca_key, hash::MessageDigest::sha256())?;
let ca_cert = cert_builder.build();
Ok((ca_key, ca_cert))
Hi there,
I am testing some tpm2-openssl code to act as a minimal certificate authority. The goal was to store the ca key in a tpm.
However, when attempting to create the self signed ca, I receive the error:
I have tried to search though this repo and this organisation for the relevant code that could be related, as well as the openssl source for what is occurring at this point.
tpm2-openssl was built with both digest and ciphers available.
The related code is in rust so I will annotate some parts:
Any suggestions on what is occurring here would be welcome.