tpm2-software / tpm2-openssl

OpenSSL Provider for TPM2 integration
BSD 3-Clause "New" or "Revised" License

Unable to create csr with OpenSSL 3 #82

Closed CO-lhageman closed 10 months ago

CO-lhageman commented 1 year ago

I am running Debian 12 with OpenSSL 3.0.9-1 and tpm2-openssl 1.1.1-1.

I want to create a CSR with a key stored on the TPM2 Module but am failing at doing so. These are the steps I take:

  1. Setting the SO PIN:

     pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so --init-token --label eaptls --so-pin "${SO_PIN}"

  2. Setting the user PIN:

     pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so --login --init-pin --so-pin "${SO_PIN}" --pin "${userpin}"

  3. Generating a keypair:

     pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so --login --keypairgen --label eaptls --pin "${userpin}"

  4. Grabbing my token URL:

     p11tool --list-tokens | grep "Label: ${TPMTOKENLABEL}" -B 1 | grep 'URL: pkcs11:' | sed 's/^[[:space:]]*URL: //'

     which results in something like pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls

  5. Creating my OpenSSL config file for the request:

     openssl_conf = openssl_init
     [openssl_init]
     engines = engine_section
     [engine_section]
     pkcs11 = pkcs11_section
     [pkcs11_section]
     init = 0
     engine_id = pkcs11
     MODULE_PATH = /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1
     [req]
     distinguished_name = req_distinguished_name
     prompt = no
     [req_distinguished_name]
     C = DE
     ST = Somestate
     L = Somecity
     O = Someorg
     OU = Someunit
     CN = somecn

  6. Invoking OpenSSL to (try to) create a CSR:

     openssl req -new -provider tpm2 -provider default -config /tmp/openssl.conf -engine pkcs11 -keyform engine -key "pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls" -out -

The last step fails with the following output:

Engine "pkcs11" set.
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:754:iesys_cryptossl_pk_encrypt() ErrorCode (0x00070001) Could not create rsa key. 
ERROR:esys:src/tss2-esys/esys_iutil.c:521:iesys_compute_encrypted_salt() During encryption. ErrorCode (0x00070001) 
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:226:Esys_StartAuthSession_Async() Error in parameter encryption. ErrorCode (0x00070001) 
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:113:Esys_StartAuthSession() Error in async function ErrorCode (0x00070001) 
ERROR: Esys_StartAuthSession: esapi:Catch all for all errors not otherwise specified
ERROR: Could not start Auth Session with the TPM.
ERROR: Error unsealing wrapping key
Login failed
Login to token failed, returning NULL...
The private key was not found at: pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls
809B512C5A7F0000:error:03000096:digital envelope routines:fromdata_init:operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
809B512C5A7F0000:error:42000005:PKCS#11 module:ERR_CKR_error:General Error:p11_slot.c:208:
809B512C5A7F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:

The tpm2 provider can be loaded:

~# openssl list -providers -provider tpm2
Providers:
  tpm2
    name: TPM 2.0 Provider
    version: 1.1.1
    status: active

PKCS11 Engine is also available

~# openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
     [ available ]

I am able to do a test sign with the key:

~# p11tool --login --test-sign "pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls;object=eaptls;type=private"
Token 'eaptls' with URL 'pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls' requires user PIN
Enter PIN: 
Signing using RSA-SHA256... ok
Verifying against private key parameters... ok
Verifying against public key in the token... ok

I wasn't too sure what the correct URL to specify is when working with OpenSSL. I tried experimenting with adding the object= and type= parameters, but got no different results from it. How should the URL look?

What I did find was this bug report https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1983665, which has exactly the same output as mine, but he managed to solve it by installing the tpm2 provider. I already have that installed and I specify it in the openssl command, so I am a bit at a loss here.
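The six steps above collected into one script, as an added example that is not part of this issue, the tpm2-openssl project or tpm2-pkcs11. It fixes the `promt` typo in the request config (OpenSSL ignores unknown keys, so the original would fall back to interactive prompting), selects the key with `object=` and `type=private` in the PKCS#11 URI the same way the working p11tool `--test-sign` call does, and supplies the user PIN through `-passin` instead of an interactive prompt. It deliberately does not pass `-provider tpm2`: the pkcs11 engine reaches the TPM through libtpm2_pkcs11 and tss2-esys, which need only OpenSSL's default provider. Whether omitting the provider alone avoids the `Esys_StartAuthSession` failure reported above is not something this thread states, so treat that, the module path, the `eaptls` labels, the RSA-2048 key type and the `SO_PIN`/`USER_PIN` environment variables as assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from tpm2-openssl/tpm2-pkcs11.
# Assumptions: module path below, token and key label "eaptls", PINs in
# SO_PIN/USER_PIN, and that the tpm2 provider is NOT loaded for this path.
set -eu

MODULE="${TPM2_PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1}"
TOKEN_LABEL="${TOKEN_LABEL:-eaptls}"
KEY_LABEL="${KEY_LABEL:-eaptls}"

# Emit the request config on stdout. Same engine section as in the issue,
# with the typo fixed: the key is "prompt", and "prompt = no" is what makes
# the DN come from the file instead of an interactive prompt.
write_req_config() {
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = $MODULE
init = 0

[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = DE
ST = Somestate
L = Somecity
O = Someorg
OU = Someunit
CN = $1
EOF
}

# PKCS#11 URI for the private key. The URL printed by p11tool --list-tokens
# names only the token; object= and type= pick the key inside it.
key_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private' "$TOKEN_LABEL" "$KEY_LABEL"
}

# Steps 1-3: initialise the token, set the user PIN, generate the keypair.
init_token_and_key() {
    pkcs11-tool --module "$MODULE" --init-token --label "$TOKEN_LABEL" --so-pin "$SO_PIN"
    pkcs11-tool --module "$MODULE" --login --so-pin "$SO_PIN" --init-pin --pin "$USER_PIN"
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" \
        --keypairgen --key-type rsa:2048 --label "$KEY_LABEL"
}

# Step 6: sign the CSR with the TPM-resident key via the pkcs11 engine, then
# verify the CSR's self-signature with the public key embedded in it.
make_csr() {
    cfg=$(mktemp) && trap 'rm -f "$cfg"' EXIT
    write_req_config "$1" > "$cfg"
    openssl req -new -config "$cfg" \
        -engine pkcs11 -keyform engine -key "$(key_uri)" \
        -passin env:USER_PIN -out "$2"
    openssl req -in "$2" -noout -verify -subject
}

# Only touch the TPM when explicitly asked; sourcing the file is side-effect free.
if [ "${RUN_TPM_FLOW:-0}" = 1 ]; then
    : "${SO_PIN:?set SO_PIN}" "${USER_PIN:?set USER_PIN}"
    init_token_and_key
    make_csr somecn eaptls.csr
fi
```

Run it as `SO_PIN=... USER_PIN=... RUN_TPM_FLOW=1 sh tpm-csr.sh`; `write_req_config` and `key_uri` can be exercised on their own on a machine without a TPM to check what will be handed to OpenSSL.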

tanginik commented 10 months ago

I am also facing the same issue while generating a CSR with openssl 3.X and tpm2.

Can you please provide the steps for the same?

gotthardp commented 10 months ago

@tanginik , could you please open a new issue and describe there what exactly is your setup?

gotthardp commented 10 months ago

This is related to tpm2-pkcs11 and https://github.com/tpm2-software/tpm2-pkcs11/issues/766. A detailed explanation is then here: https://github.com/tpm2-software/tpm2-pkcs11/issues/766#issuecomment-1287210367