search

tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io
Other
271 stars 107 forks source link

Could you add CKA_ID to cert that is same with its private key #340

Closed timdesi closed 4 years ago

timdesi commented 4 years ago

addcert function of tpm2_ptool adds cert with ID as its private key label. Sample output from pkcs11-tool.

Private Key Object; RSA label: key1 ID: 31 Usage: decrypt, sign Public Key Object; RSA 2048 bits label: key1 ID: 31 Usage: encrypt, verify Certificate Object; type = X.509 cert label: key1 subject: DN: CN=mykey ID: 6b657931

Java PKCS11 Security provider expects that cert ID is same with its private key. Please see below documentation.

Each private key object is matched with its corresponding certificate by retrieving their respective CKA_ID attributes. A matching pair must share the same unique CKA_ID. For each matching pair, the certificate chain is built by following the issuer->subject path. From the end entity certificate, a call to C_FindObjects[Init|Final] is made with a search template that includes the following attributes:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html

Simple trick with python script solves problem. I need to give key-label an int value that is same with its ID.

./tpm2_ptool addkey --id 7 --label test3 --algorithm rsa2048 --userpin myuserpin --key-label 7

Private Key Object; RSA label: 7 ID: 37 Usage: decrypt, sign Public Key Object; RSA 2048 bits label: 7 ID: 37 Usage: encrypt, verify Certificate Object; type = X.509 cert label: 7 subject: DN: CN=mykey7 ID: 37

Sample output from java console application;

START KeyStore Type : PKCS11-TPM2 KeyStore Size : 3 Provider Name : SunPKCS11-TPM2 Provider Info : SunPKCS11-TPM2 using library /usr/lib64/pkcs11/libtpm2_pkcs11.so Provider Version : 13

-- Aliases --

Alias : 7 Entry : Private key entry and certificate chain with 1 elements: [ [ Version: V1 Subject: CN=mykey7 Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits params: null modulus: 23901031961210502523612629058336379197003959181667919380001437926220090729279326007659875044504296076375789499356276600150344666532330045011015694212558311031506343287455133643551040514220220270505556956066903677126918943873865379859297443641173905150110138586037227120294442951504334931986410282946423822249414904180824665124974574558574353541450464268221196753615399268973312249439866901258540198162199626621631434213621632412290116831049565790715755782669645153716804948502566513547555849272202490012971334199648698135523856169589989613471510269907413054908837954814106895557945422846791825990459988143847426746367 public exponent: 65537 Validity: [From: Wed Dec 04 14:06:41 EET 2019, To: Thu Dec 03 14:06:41 EET 2020] Issuer: CN=mykey7 SerialNumber: [ e5c4eba0 ac7d6b66]

] Algorithm: [SHA256withRSA] Signature: 0000: 10 51 34 59 08 C0 E0 A9 C2 30 96 96 80 73 62 EB .Q4Y.....0...sb. 0010: 52 36 EA 30 94 AB D2 7C 34 F3 AE E9 98 1E 07 4B R6.0....4......K 0020: 04 42 71 EB AC 72 00 63 AC 85 AC 82 D4 85 58 26 .Bq..r.c......X& 0030: 67 00 A0 16 87 D6 29 D0 2A 29 39 D2 CA 5A F2 E7 g.....).)9..Z.. 0040: 98 94 64 98 BD 56 18 9F F1 D8 20 74 FF A5 04 7E ..d..V.... t.... 0050: 1B 82 BA EB AD 5E E3 0F 84 E6 B4 D9 92 7C C5 2A .....^......... 0060: 71 EC E6 33 70 55 B7 34 C8 4E 16 E2 56 B2 26 33 q..3pU.4.N..V.&3 0070: C2 A9 7E 0D B7 64 83 66 1D 62 22 97 07 3F 35 72 .....d.f.b"..?5r 0080: B3 7C 7E 5C 47 37 45 3A 58 C8 A5 10 47 B6 61 5F ...\G7E:X...G.a_ 0090: 4F 24 B8 97 75 C9 1C 0E E4 1A 04 B0 97 E2 A2 38 O$..u..........8 00A0: 60 C3 E0 26 56 BC 2E F4 65 3D FC 20 FA 8B E6 A8 ..&V...e=. .... 00B0: 60 69 30 EC 1C 4E A4 BD 6A B7 C4 3C 4E 65 16 13i0..N..j..<Ne.. 00C0: A6 52 03 CC FA 36 36 0C BD 3D 3F 4D 35 A9 03 D5 .R...66..=?M5... 00D0: 07 3D F4 A4 56 C1 3C 16 C6 75 42 94 38 DE E5 6E .=..V.<..uB.8..n 00E0: 44 8D 69 B2 C1 8F 2B 16 B6 40 20 98 E8 11 5A E7 D.i...+..@ ...Z. 00F0: 60 EB 7B AF 33 58 A4 C8 C1 E8 40 32 D4 E4 94 F1 `...3X....@2....

]

williamcroberts commented 4 years ago

Weird, I thought the code was doing this: https://github.com/tpm2-software/tpm2-pkcs11/blob/master/tools/tpm2_pkcs11/commandlets_keys.py#L615

Private Key Object; EC
  label:      1
  ID:         66346464383136373931656438373765
  Usage:      decrypt, sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104e4c56746093806f7f6a914258210c6a33c4d6ddf32ca24167738a11ef6db5fb2b134bac411e4bcb501d9787c39564eb02211b1932f4aba4187b4e2ae322ab362
  EC_PARAMS:  06082a8648ce3d030107
  label:      1
  ID:         66346464383136373931656438373765
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      1
  subject:    DN: CN=my key
  ID:         66346464383136373931656438373765

Im working on my local branch, perhaps I fixed this locally already.

timdesi commented 4 years ago

Thx. for your quick response.

Looks like you fixed this at your local brunch.

I checked commandlets_keys.py from master brunch again but with same results.

Private Key Object; RSA label: key8 ID: 32323365623039383737633439653432 Usage: decrypt, sign Public Key Object; RSA 2048 bits label: key8 ID: 32323365623039383737633439653432 Usage: encrypt, verify Certificate Object; type = X.509 cert label: key8 subject: DN: CN=mykey8 ID: 6b657938

Private Key Object; EC label: key9 ID: 36396136643864346538343739383330 Usage: decrypt, sign Public Key Object; EC EC_POINT 256 bits EC_POINT: 044104c127dea1f89b39e6cca43575579f03cc12ad7041b5bc3ca9ba6ecb42947d749019d77cbb735f0595e6324d268270291e708b268c05be5543a2e72742f140dd2d EC_PARAMS: 06082a8648ce3d030107 label: key9 ID: 36396136643864346538343739383330 Usage: encrypt, verify Certificate Object; type = X.509 cert label: key9 subject: DN: CN=mykey8 ID: 6b657939

williamcroberts commented 4 years ago

Should be fixed in: https://github.com/tpm2-software/tpm2-pkcs11/pull/344

timdesi commented 4 years ago

I have rechecked with #344 looks partially fixed.

  1. When tpm2_ptool command is used with --key-id option works as expected.
./tpm2_ptool addcert --label=token1 --key-id 32653133616331326666346565663533  rsa3cert.pem

Private Key Object; RSA 
  label:      rsa3
  ID:         32653133616331326666346565663533
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      rsa3
  ID:         32653133616331326666346565663533
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      rsa3
  subject:    DN: CN=rsa3
  ID:         32653133616331326666346565663533
  1. When tpm2_ptool command is used with --key-label option cert label is encrypted label value of its private key.
./tpm2_ptool addcert --label=token1 --key-label rsa2  rsa2cert.pem

Private Key Object; RSA 
  label:      rsa2
  ID:         30353863356632326334393032316363
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      rsa2
  ID:         30353863356632326334393032316363
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      058c5f22c49021cc
  subject:    DN: CN=rsa2
  ID:         30353863356632326334393032316363
williamcroberts commented 4 years ago

This is done in https://github.com/tpm2-software/tpm2-pkcs11/pull/344:

pkcs11-tool --module /home/wcrobert/workspace/tpm2-pkcs11/src/.libs/libtpm2_pkcs11.so --login --label label --list-objects

Private Key Object; EC
  label:      1
  ID:         32363130613961366266306331613961
  Usage:      decrypt, sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104e4c56746093806f7f6a914258210c6a33c4d6ddf32ca24167738a11ef6db5fb2b134bac411e4bcb501d9787c39564eb02211b1932f4aba4187b4e2ae322ab362
  EC_PARAMS:  06082a8648ce3d030107
  label:      1
  ID:         32363130613961366266306331613961
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      2610a9a6bf0c1a9a
  subject:    DN: CN=my key
  ID:         32363130613961366266306331613961