Closed timdesi closed 4 years ago
Weird, I thought the code was doing this: https://github.com/tpm2-software/tpm2-pkcs11/blob/master/tools/tpm2_pkcs11/commandlets_keys.py#L615
Private Key Object; EC
label: 1
ID: 66346464383136373931656438373765
Usage: decrypt, sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 044104e4c56746093806f7f6a914258210c6a33c4d6ddf32ca24167738a11ef6db5fb2b134bac411e4bcb501d9787c39564eb02211b1932f4aba4187b4e2ae322ab362
EC_PARAMS: 06082a8648ce3d030107
label: 1
ID: 66346464383136373931656438373765
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: 1
subject: DN: CN=my key
ID: 66346464383136373931656438373765
I'm working on my local branch, perhaps I fixed this locally already.
Thx. for your quick response.
Looks like you fixed this at your local branch.
I checked commandlets_keys.py from the master branch again but with the same results.
Private Key Object; RSA
label: key8
ID: 32323365623039383737633439653432
Usage: decrypt, sign
Public Key Object; RSA 2048 bits
label: key8
ID: 32323365623039383737633439653432
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: key8
subject: DN: CN=mykey8
ID: 6b657938
Private Key Object; EC
label: key9
ID: 36396136643864346538343739383330
Usage: decrypt, sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 044104c127dea1f89b39e6cca43575579f03cc12ad7041b5bc3ca9ba6ecb42947d749019d77cbb735f0595e6324d268270291e708b268c05be5543a2e72742f140dd2d
EC_PARAMS: 06082a8648ce3d030107
label: key9
ID: 36396136643864346538343739383330
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: key9
subject: DN: CN=mykey8
ID: 6b657939
Should be fixed in: https://github.com/tpm2-software/tpm2-pkcs11/pull/344
I have rechecked with #344; it looks partially fixed.
./tpm2_ptool addcert --label=token1 --key-id 32653133616331326666346565663533 rsa3cert.pem
Private Key Object; RSA
label: rsa3
ID: 32653133616331326666346565663533
Usage: decrypt, sign
Public Key Object; RSA 2048 bits
label: rsa3
ID: 32653133616331326666346565663533
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: rsa3
subject: DN: CN=rsa3
ID: 32653133616331326666346565663533
./tpm2_ptool addcert --label=token1 --key-label rsa2 rsa2cert.pem
Private Key Object; RSA
label: rsa2
ID: 30353863356632326334393032316363
Usage: decrypt, sign
Public Key Object; RSA 2048 bits
label: rsa2
ID: 30353863356632326334393032316363
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: 058c5f22c49021cc
subject: DN: CN=rsa2
ID: 30353863356632326334393032316363
This is done in https://github.com/tpm2-software/tpm2-pkcs11/pull/344:
pkcs11-tool --module /home/wcrobert/workspace/tpm2-pkcs11/src/.libs/libtpm2_pkcs11.so --login --label label --list-objects
Private Key Object; EC
label: 1
ID: 32363130613961366266306331613961
Usage: decrypt, sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 044104e4c56746093806f7f6a914258210c6a33c4d6ddf32ca24167738a11ef6db5fb2b134bac411e4bcb501d9787c39564eb02211b1932f4aba4187b4e2ae322ab362
EC_PARAMS: 06082a8648ce3d030107
label: 1
ID: 32363130613961366266306331613961
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: 2610a9a6bf0c1a9a
subject: DN: CN=my key
ID: 32363130613961366266306331613961
The addcert function of tpm2_ptool adds the cert with an ID equal to its private key's label. Sample output from pkcs11-tool:
Private Key Object; RSA
label: key1
ID: 31
Usage: decrypt, sign
Public Key Object; RSA 2048 bits
label: key1
ID: 31
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: key1
subject: DN: CN=mykey
ID: 6b657931
The Java PKCS11 security provider expects that the cert ID is the same as its private key's. Please see the documentation below.
Each private key object is matched with its corresponding certificate by retrieving their respective CKA_ID attributes. A matching pair must share the same unique CKA_ID. For each matching pair, the certificate chain is built by following the issuer->subject path. From the end entity certificate, a call to C_FindObjects[Init|Final] is made with a search template that includes the following attributes:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html
A simple trick with a Python script solves the problem. I need to give key-label an int value that is the same as its ID.
./tpm2_ptool addkey --id 7 --label test3 --algorithm rsa2048 --userpin myuserpin --key-label 7
Private Key Object; RSA
label: 7
ID: 37
Usage: decrypt, sign
Public Key Object; RSA 2048 bits
label: 7
ID: 37
Usage: encrypt, verify
Certificate Object; type = X.509 cert
label: 7
subject: DN: CN=mykey7
ID: 37
Sample output from the Java console application:
START
KeyStore Type : PKCS11-TPM2
KeyStore Size : 3
Provider Name : SunPKCS11-TPM2
Provider Info : SunPKCS11-TPM2 using library /usr/lib64/pkcs11/libtpm2_pkcs11.so
Provider Version : 13
-- Aliases --
Alias : 7
Entry : Private key entry and certificate chain with 1 elements:
[
[
Version: V1
Subject: CN=mykey7
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 23901031961210502523612629058336379197003959181667919380001437926220090729279326007659875044504296076375789499356276600150344666532330045011015694212558311031506343287455133643551040514220220270505556956066903677126918943873865379859297443641173905150110138586037227120294442951504334931986410282946423822249414904180824665124974574558574353541450464268221196753615399268973312249439866901258540198162199626621631434213621632412290116831049565790715755782669645153716804948502566513547555849272202490012971334199648698135523856169589989613471510269907413054908837954814106895557945422846791825990459988143847426746367
public exponent: 65537
Validity: [From: Wed Dec 04 14:06:41 EET 2019, To: Thu Dec 03 14:06:41 EET 2020]
Issuer: CN=mykey7
SerialNumber: [ e5c4eba0 ac7d6b66]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 10 51 34 59 08 C0 E0 A9 C2 30 96 96 80 73 62 EB .Q4Y.....0...sb.
0010: 52 36 EA 30 94 AB D2 7C 34 F3 AE E9 98 1E 07 4B R6.0....4......K
0020: 04 42 71 EB AC 72 00 63 AC 85 AC 82 D4 85 58 26 .Bq..r.c......X&
0030: 67 00 A0 16 87 D6 29 D0 2A 29 39 D2 CA 5A F2 E7 g.....).)9..Z..
0040: 98 94 64 98 BD 56 18 9F F1 D8 20 74 FF A5 04 7E ..d..V.... t....
0050: 1B 82 BA EB AD 5E E3 0F 84 E6 B4 D9 92 7C C5 2A .....^.........
0060: 71 EC E6 33 70 55 B7 34 C8 4E 16 E2 56 B2 26 33 q..3pU.4.N..V.&3
0070: C2 A9 7E 0D B7 64 83 66 1D 62 22 97 07 3F 35 72 .....d.f.b"..?5r
0080: B3 7C 7E 5C 47 37 45 3A 58 C8 A5 10 47 B6 61 5F ...\G7E:X...G.a_
0090: 4F 24 B8 97 75 C9 1C 0E E4 1A 04 B0 97 E2 A2 38 O$..u..........8
00A0: 60 C3 E0 26 56 BC 2E F4 65 3D FC 20 FA 8B E6 A8 `..&V...e=. ....
00B0: 60 69 30 EC 1C 4E A4 BD 6A B7 C4 3C 4E 65 16 13 `i0..N..j..<Ne..
00C0: A6 52 03 CC FA 36 36 0C BD 3D 3F 4D 35 A9 03 D5 .R...66..=?M5...
00D0: 07 3D F4 A4 56 C1 3C 16 C6 75 42 94 38 DE E5 6E .=..V.<..uB.8..n
00E0: 44 8D 69 B2 C1 8F 2B 16 B6 40 20 98 E8 11 5A E7 D.i...+..@ ...Z.
00F0: 60 EB 7B AF 33 58 A4 C8 C1 E8 40 32 D4 E4 94 F1 `...3X....@2....
]
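The CKA_ID pairing rule quoted from the Java PKCS#11 guide, applied to the pkcs11-tool listings in this thread, as an added example (this is not code from tpm2-pkcs11 or from any participant in the thread). It parses `pkcs11-tool --list-objects` text offline, reports every certificate whose CKA_ID matches no private key's CKA_ID, decodes a hex CKA_ID back to ASCII so that an ID such as 6b657938 is shown as the label "key8" it was derived from, and checks the workaround used above (a key label whose ASCII bytes equal the CKA_ID, like label 7 and ID 37). The sample listing is constructed from outputs posted in this thread; the function names are the example's own.

```python
"""Check that every certificate on a PKCS#11 token shares its CKA_ID with a
private key, which is the pairing SunPKCS11 requires to build a KeyStore
entry. Input is the text printed by `pkcs11-tool --list-objects`; nothing
here talks to a token. Example code added to this thread, not tpm2-pkcs11's."""
import re

# Constructed sample, assembled from listings in this thread: the key8 pair,
# where addcert stored the certificate under the ASCII bytes of the key label
# ("key8" -> 6b657938) instead of the key's own CKA_ID, and the "7"/0x37
# workaround pair, where label bytes and CKA_ID coincide.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      key8
  ID:         32323365623039383737633439653432
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      key8
  ID:         32323365623039383737633439653432
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      key8
  subject:    DN: CN=mykey8
  ID:         6b657938
Private Key Object; RSA
  label:      7
  ID:         37
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      7
  subject:    DN: CN=mykey7
  ID:         37
"""

# One header line per object, then one "name: value" line per attribute.
# Indentation is optional so that copy-pasted (flattened) output also parses.
OBJECT_HEADER = re.compile(r"^(Private Key|Public Key|Certificate) Object;")
ATTR_LINE = re.compile(r"^\s*(\w+):\s+(.*)$")


def parse_listing(text):
    """Return one dict per object: {'class': ..., 'label': ..., 'ID': ..., ...}."""
    objects = []
    for line in text.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            objects.append({"class": m.group(1)})
            continue
        m = ATTR_LINE.match(line)
        if m and objects:
            objects[-1][m.group(1)] = m.group(2).strip()
    return objects


def decode_id(hex_id):
    """CKA_ID is an opaque byte string that pkcs11-tool prints as hex. Return
    it as ASCII when every byte is printable (6b657938 -> 'key8'), else None."""
    if not hex_id:
        return None
    try:
        text = bytes.fromhex(hex_id).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_unpaired_certificates(text):
    """Return (label, CKA_ID, decoded CKA_ID) for each certificate whose CKA_ID
    equals no private key's CKA_ID. SunPKCS11 only pairs key and certificate
    when the two CKA_IDs are identical, so every entry here is a broken pair."""
    objects = parse_listing(text)
    key_ids = {o["ID"] for o in objects if o["class"] == "Private Key" and "ID" in o}
    unpaired = []
    for o in objects:
        if o["class"] == "Certificate" and o.get("ID") not in key_ids:
            unpaired.append((o.get("label"), o.get("ID"), decode_id(o.get("ID"))))
    return unpaired


def label_matches_id(label, hex_id):
    """The thread's workaround: choose a key label whose ASCII encoding is
    exactly the CKA_ID, so a cert stored under the label bytes still pairs."""
    return label.encode("ascii").hex() == hex_id.lower()


if __name__ == "__main__":
    for label, cert_id, as_text in find_unpaired_certificates(SAMPLE_LISTING):
        print(f"certificate '{label}' has CKA_ID {cert_id} "
              f"(ASCII {as_text!r}) with no matching private key")
    print("label '7' pairs with CKA_ID 37:", label_matches_id("7", "37"))
```

Run against a real token by piping `pkcs11-tool --module ... --login --list-objects` output into `find_unpaired_certificates`; any certificate it reports will not be joined to its private key by SunPKCS11, and decoding the ID tells you whether it was derived from a label rather than copied from the key.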