tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io

Using tpm2-pkcs11 with GnuTLS p11tool and certtool #44

Closed stefanberger closed 4 years ago

stefanberger commented 5 years ago

I have been trying to get tpm2-pkcs11 to work with GnuTLS's p11tool, but haven't been successful. Do you happen to have some steps for how to create a TPM 2 key with your tools or p11tool (better) and use the key with the p11tool then? Maybe something is wrong with my setup.

I also posted a message with the other PKCS11 TPM 2 module that I couldn't get to work, either: https://github.com/irtimmer/tpm2-pk11/issues/84

dwmw2 commented 5 years ago

I think it's fixed to install the p11-kit .module file now so that it's actually seen by applications:

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
tpm2-pkcs11: tpm2-pkcs11.so
    library-description:  TPM2.0 Cryptoki
    library-manufacturer:  Intel
    library-version: 42.42
    token: label
        manufacturer: Intel
        model: TPM2 PKCS#11
        serial-number: 0000000000000000
        flags:
               rng
               login-required
               token-initialized

However, there are still locking issues:

$ p11tool --list-tokens
Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
    Manufacturer: PKCS#11 Kit
    Model: p11-kit-trust
    Serial: 1
    Module: p11-kit-trust.so

ERROR: Could not lock mutex: Resource deadlock avoided
p11tool: src/lib/mutex.h:70: mutex_lock_fatal: Assertion `rv == CKR_OK' failed.
Aborted
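
The "Resource deadlock avoided" text above is strerror(EDEADLK), the value pthread_mutex_lock() returns when a thread relocks an error-checking mutex it already holds. As an added example that is not part of this thread or of tpm2-pkcs11, the C program below reproduces that condition in isolation and contrasts it with a recursive mutex type; that a re-entrant lock inside the module's entry points is the actual cause here is an assumption.

```c
/* Added example, not code from tpm2-pkcs11 or GnuTLS.  "Resource deadlock
 * avoided" is strerror(EDEADLK), and EDEADLK is what pthread_mutex_lock()
 * returns when a thread relocks an error-checking mutex it already holds.
 * This reproduces that in isolation and contrasts it with a recursive mutex.
 * That a re-entrant lock in the module's C_OpenSession path is the actual
 * cause is an assumption; the thread only shows the message and the assert. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Lock a mutex of the given type twice from the same thread and return the
 * result of the second pthread_mutex_lock() (0 or an errno value). */
int relock_same_thread(int mutex_type) {
    pthread_mutexattr_t attr;
    pthread_mutex_t m;
    int rc;

    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, mutex_type);
    pthread_mutex_init(&m, &attr);
    pthread_mutexattr_destroy(&attr);

    if ((rc = pthread_mutex_lock(&m)) != 0)  /* first lock: uncontended */
        return rc;
    rc = pthread_mutex_lock(&m);             /* second lock by the owner */
    if (rc == 0)
        pthread_mutex_unlock(&m);            /* undo the nested lock */
    pthread_mutex_unlock(&m);
    pthread_mutex_destroy(&m);
    return rc;
}

int main(void) {
    int rc = relock_same_thread(PTHREAD_MUTEX_ERRORCHECK);
    printf("errorcheck mutex, relocked: rc=%d (%s)\n", rc, strerror(rc));
    rc = relock_same_thread(PTHREAD_MUTEX_RECURSIVE);
    printf("recursive mutex, relocked:  rc=%d (%s)\n", rc, strerror(rc));
    return 0;
}
```

An error-checking mutex turns a silent self-deadlock into a reportable error, which is why the module's wrapper could assert on it; a recursive type hides the re-entry instead, so the fix in the module is the better place to look.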

dwmw2 commented 5 years ago

Which is probably https://github.com/tpm2-software/tpm2-pkcs11/issues/38 ?

stefanberger commented 5 years ago

I don't seem to have this locking issue at least...

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.18
tpm2_pkcs11: libtpm2_pkcs11.so
    library-description:  TPM2.0 Cryptoki
    library-manufacturer:  Intel
    library-version: 42.42
# p11tool --list-tokens
Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
    Flags: uPIN uninitialized
    Manufacturer: PKCS#11 Kit
    Model: p11-kit-trust
    Serial: 1
    Module: p11-kit-trust.so

Token 1:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
    Label: Default Trust
    Type: Trust module
    Flags: uPIN uninitialized
    Manufacturer: PKCS#11 Kit
    Model: p11-kit-trust
    Serial: 1
    Module: p11-kit-trust.so

dwmw2 commented 5 years ago

That looks like the module isn't registered with the system at all. Are you running the latest version? That was supposed to have been fixed with commit 59f5a0a5511cb670164065e29f75294997ab725a which makes it install the p11-kit .module file. Did it? Where to?

stefanberger commented 5 years ago

It installed it to /usr/share/p11-kit/modules. At least it is showing up with the p11-kit list-modules command.

What I am also trying to figure out is how to run a command line like this one where I want to create a key

# p11tool --generate-privkey rsa --label mykey --bits 2048 --login "pkcs11:model=TPM2"
warning: no --outfile was specified and the generated public key will be printed on screen.
Generating an RSA key...
Error in pkcs11_generate:1311: The requested PKCS #11 object is not available
note: several smart cards do not support arbitrary size keys; try --bits 1024 or 2048.

dwmw2 commented 5 years ago

Did you create a token with tpm2_ptool.py addtoken … ?

williamcroberts commented 5 years ago

@stefanberger we do have documents on how to create keys with our provisioning tool. p11kit is very much WIP. We have examples for SSH but I haven't gotten around to TLS integration yet. Obviously, as you can see, we have some locking bugs we're working through ATM.

@dwmw2 looks like you got the configure --debug stuff enabled, is that right?

stefanberger commented 5 years ago

@dwmw2 That one bailed out with tpm2_createkey not accepting -C, which looks like it was renamed to -c.

# ./tools/tpm2_ptool.py addtoken --pid 1 --sopin sopin --userpin userpin  --label lavel --pobj-pin 1234
auto-detecting TPM encryptdecrypt interface for wrapping key usage
Using "TPM" based object authorization protections
Traceback (most recent call last):
  File "./tools/tpm2_ptool.py", line 1283, in <module>
    main()
  File "./tools/tpm2_ptool.py", line 1280, in main
    commandlet.get()[which](d)
  File "./tools/tpm2_ptool.py", line 847, in __call__
    usersealauth['hash'], seal=wrappingobjauth['hash'])
  File "./tools/tpm2_ptool.py", line 244, in create
    raise RuntimeError("Could not execute tpm2_create: %s" % str(stderr))
RuntimeError: Could not execute tpm2_create: tpm2_create: invalid option -- 'C'

It looks like I have a mismatching set of tools... Changing this to -c in the code leads to some other issue.

@williamcroberts I noticed that tpm2-pkcs11 isn't packaged and I realize it may not be ready for use.

I have used TPM 1.2 via certtool and tpmtool + tcsd last week for signing of certs and was trying to see whether I could now also use TPM 2 for this...

williamcroberts commented 5 years ago

Yeah tpm2-pkcs11 is not close to ready, hence no releases yet. tpm2-pkcs11's tpm2_ptool.py script requires the master branch version of tpm2-tools.

stefanberger commented 5 years ago

Ok, thanks.

Maybe this would be the right sequence (once it's working):

# ./tools/tpm2_ptool.py addtoken --pid 1 --sopin sopin --userpin userpin  --label label --pobj-pin 1234
auto-detecting TPM encryptdecrypt interface for wrapping key usage
Using "TPM" based object authorization protections
Created token: label
# p11tool --generate-privkey rsa --label label --bits 2048 --login "pkcs11:model=TPM2 PKCS#11"
INFO on line: "54" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "55" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "54" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "55" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "39" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "40" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "49" in file: "src/pkcs11.c": enter "C_GetInfo"
INFO on line: "50" in file: "src/pkcs11.c": return "C_GetInfo" value: 0
warning: no --outfile was specified and the generated public key will be printed on screen.
Generating an RSA key...
INFO on line: "59" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "60" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "69" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "70" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "69" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "70" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
Error in pkcs11_generate:1311: The requested PKCS #11 object is not available
note: several smart cards do not support arbitrary size keys; try --bits 1024 or 2048.

This here now also causes the lock issue:

# ./tools/tpm2_ptool.py addkey --label label --algorithm rsa2048 --sopin sopin
Added key: 1
[root@localhost tpm2-pkcs11]# p11tool --list-keys 
INFO on line: "54" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "55" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "54" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "55" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "39" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "40" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "49" in file: "src/pkcs11.c": enter "C_GetInfo"
INFO on line: "50" in file: "src/pkcs11.c": return "C_GetInfo" value: 0
warning: no token URL was provided for this operation; the available tokens are:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
INFO on line: "59" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "60" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "69" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "70" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "64" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "65" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "104" in file: "src/pkcs11.c": enter "C_OpenSession"
ERROR on line: "113" in file: "src/lib/mutex.c": Could not lock mutex: Resource deadlock avoided
p11tool: src/lib/mutex.h:70: mutex_lock_fatal: Assertion `rv == CKR_OK' failed.
Aborted (core dumped)

williamcroberts commented 5 years ago

We don't support the generate interface from pkcs11 yet. You can use the tpm2_ptool.py addkey command.

stefanberger commented 5 years ago

@williamcroberts Indeed.

dwmw2 commented 5 years ago

It sounds like rather than continuing to heckle piecemeal, I should give you a chance to complete things.

Do you want to let me know when you want me to start poking at it again? In the meantime I think I already pointed you at the OpenConnect test suite which imports certs into a token and uses them from there. Let me know if you want anything else, or when it's time for me to start prodding again...

stefanberger commented 5 years ago

@dwmw2 I ended up commenting the locks out to see where it gets me and saw another issue. I think I'll have to come back to this in a while...

dwmw2 commented 5 years ago

Yeah, I also commented out the locks. Looks like we're best waiting for @williamcroberts to let us know when to try again. (But do let me know if you need any guidance in the meantime)

williamcroberts commented 5 years ago

I have a PR up: https://github.com/tpm2-software/tpm2-pkcs11/pull/47

That should start to fix some of the locking issues. It at least gets a p11tool command to run:

$ p11tool --list-token-urls
p11-kit: couldn't load module: /usr/local/lib/softhsm/libsofthsm2.so: /usr/local/lib/softhsm/libsofthsm2.so: file too short
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSSH%3aHOME;token=SSH%20Keys
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSECRET%3aMAIN;token=Secret%20Store
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aXDG%3aDEFAULT;token=User%20Key%20Storage
pkcs11:model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit

I'm working through some examples with p11tool and writing up a new markdown documentation file. Hoping to have something up by the end of the week. It'll likely be read-only commands at the moment. I'll have to add support for write/create operations via the PKCS11 API.

stefanberger commented 5 years ago

@williamcroberts great!

williamcroberts commented 5 years ago

more fixes: https://github.com/tpm2-software/tpm2-pkcs11/pull/48

dwmw2 commented 5 years ago

Thanks. Looking promising. Tried to import a key so that I could try using it from OpenConnect but...

$ ./tpm2_ptool.py addkey --label label --id foobar --userpin myuserpin --algorithm rsa2048
Traceback (most recent call last):
  File "./tpm2_ptool.py", line 1357, in <module>
    main()
  File "./tpm2_ptool.py", line 1354, in main
    commandlet.get()[which](d)
  File "./tpm2_ptool.py", line 1099, in __call__
    tertiarypriv, tertiarypub, tertiarypubdata = tpm2.create(sobjctx, sobjauth, objauth, alg=alg)
  File "./tpm2_ptool.py", line 245, in create
    raise RuntimeError("Could not execute tpm2_create: %s" % str(stderr))
RuntimeError: Could not execute tpm2_create: ERROR: Tss2_Sys_Create(0x18A) - tpm:handle(1):the type of the value is not appropriate for the use
ERROR: Unable to run tpm2_create

And now I get this again, which is presumably a cleanup issue in the error path. Is there a way to remedy it without rebooting?

$ ./tpm2_ptool.py addkey --label label --id foobar --userpin myuserpin --algorithm rsa2048 
Traceback (most recent call last):
  File "./tpm2_ptool.py", line 1357, in <module>
    main()
  File "./tpm2_ptool.py", line 1354, in main
    commandlet.get()[which](d)
  File "./tpm2_ptool.py", line 1057, in __call__
    wrappingauth = tpm2.unseal(sealctx, sealauth)
  File "./tpm2_ptool.py", line 187, in unseal
    raise RuntimeError("Could not execute tpm2_unseal: %s", stderr)
RuntimeError: ('Could not execute tpm2_unseal: %s', 'ERROR: Tss2_Sys_ContextLoad(0x902) - tpm:warn(2.0): out of memory for object contexts\nERROR: Could not load object, got: "/tmp/tmpGTxDJX/c0388d9e86b94d39b172ff75b18f05d6.out"\nERROR: Unable to run tpm2_unseal\n')

williamcroberts commented 5 years ago

> Thanks. Looking promising. Tried to import a key so that I could try using it from OpenConnect but...

Hmmm. I wonder if this is a problem of your TPM only supporting AES128 and thus a parent object (sobject) of type aes128. Then the symmetric details of the RSA key you're trying to create being aes256.

That should be a simple fix.

> And now I get this again, which is presumably a cleanup issue in the error path. Is there a way to remedy it without rebooting?

Weird. If addkey fails on the tpm2_create call, then it shouldn't be adding anything. However, are you not using a resource manager? The resource manager should be evicting everything on process exit. The code was written expecting a resource manager.

williamcroberts commented 5 years ago

> > Thanks. Looking promising. Tried to import a key so that I could try using it from OpenConnect but...

> Hmmm. I wonder if this is a problem of your TPM only supporting AES128 and thus a parent object (sobject) of type aes128. Then the symmetric details of the RSA key you're trying to create being aes256.

I don't think that's it... tpm2_create -C parent.ctx -G rsa2048 defaults to:

scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: null
  raw: 0x10
sym-mode:
  value: (null)
  raw: 0x0
sym-keybits: 0

I can't recreate this error, so if it would be something you would debug, that would be helpful. Perhaps it's something the simulator isn't checking correctly or something your actual TPM has wrong (errata?)

> That should be a simple fix.

> > And now I get this again, which is presumably a cleanup issue in the error path. Is there a way to remedy it without rebooting?

> Weird. If addkey fails on the tpm2_create call, then it shouldn't be adding anything. However, are you not using a resource manager? The resource manager should be evicting everything on process exit. The code was written expecting a resource manager.

dwmw2 commented 5 years ago

This is what it seems to be doing...

tpm2_load -C 2164260864 -P hex:6c4f83af2b70c6fa60709516bcfa82886d7820a38ca5d7a02aa64f08768d9699 -u /home/dwmw/.tpm2_pkcs11/c1Srzs.pub -r /home/dwmw/.tpm2_pkcs11/kZ_cQ4.priv -n /dev/null -o /tmp/tmp_XoJta/53c78444fa874d33af33bf11af7fa3ff.out
tpm2_unseal -c /tmp/tmp_XoJta/53c78444fa874d33af33bf11af7fa3ff.out -p hex:99ed0f5df8ebcc0d0bae90666ada49e6dbc0d39439b47f9b41ad48cd3aeb5249
tpm2_load -C 2164260864 -P hex:6c4f83af2b70c6fa60709516bcfa82886d7820a38ca5d7a02aa64f08768d9699 -u /home/dwmw/.tpm2_pkcs11/yjZtsT.pub -r /home/dwmw/.tpm2_pkcs11/MS6kx1.priv -n /dev/null -o /tmp/tmp_XoJta/edd060e3ce7b465d9ec2d55d08a3804f.out
tpm2_create -C /tmp/tmp_XoJta/edd060e3ce7b465d9ec2d55d08a3804f.out -u /tmp/tmp_XoJta/kB4_1Z.pub -r /tmp/tmp_XoJta/uzTL8O.priv -P hex:d66421ef50faa3798de1cb36e457f310c033f1bf01d752751be968840207b3aa -p hex:8bae12fe77b295518dfc7ff584beb2a5d1d42bbea252af99e6d20f63913d005c -G rsa2048

williamcroberts commented 5 years ago

> This is what it seems to be doing...

I wish I could help you, I don't know why the create is failing on your machine. Can you try aes128 or rsa1024?

PeterHuewe commented 5 years ago

@dwmw2:
At init_token do a create_primary with -G rsa2048:aes128
At add_token do a create with -G rsa2048:aes128 (not only aes)
At add_key do a create with -G rsa2048

This works on my physical Infineon TPM SLB 9670 :)

stefanberger commented 5 years ago

So I created an rsa2048 key and I am trying to use it for signing.

#> p11tool --test-sign 'pkcs11:model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit;id=%34%37%66%33%61%32%31%38%32%33%66%30%37%38%63%30;object=myfirstkey;type=private'
Signing using RSA-SHA256... Cannot sign data: PKCS #11 user erro

It looks like the error is due to the client not being logged in when C_SignInit() is called and then fails in common_init due to this. Should the client be logged in at this point? The PKCS11 specs here http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html say:

"Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit). In this call, the actual user type is implicitly given by the usage requirements of the active key. If C_Login returns CKR_OK the user was successfully authenticated and this sets the active key in an authenticated state that lasts until the cryptographic operation has successfully or unsuccessfully been completed (e.g. by C_Sign, C_SignFinal,..)."

It sounds like C_SignInit() shouldn't require a client to be logged in.

PeterHuewe commented 5 years ago

@stefanberger @dwmw2 Can you retry with the current status whether this is still an issue?

stefanberger commented 5 years ago

It works for me. I had to remove some parts from the pkcs11 URI for it to work...

$ GNUTLS_PIN=userpin p11tool --test-sign 'pkcs11:model=SW%20%20%20TPM;id=1'
Signing using RSA-SHA256... ok
Verifying against private key parameters... ok
Verifying against public key in the token... ok

The full pkcs11 URI would not work:

$ GNUTLS_PIN=userpin p11tool --test-sign 'pkcs11:model=SW%20%20%20TPM;manufacturer=IBM;serial=0000000000000000;token=0000000000000000%0D%04;id=1;object=mykey;type=private'
Cannot import private key: The requested PKCS #11 object is not available

The preceding command sequence was approximately like this:

rm -rf ~/.tpm2_pkcs11/
./tpm2_ptool init --pobj-pin pin
./tpm2_ptool addtoken --pid 1 --sopin sopin --userpin userpin --label label --pobj-pin pin
./tpm2_ptool addkey --label label --userpin userpin --id 1 --key-label mykey --algorithm rsa2048
p11tool --list-tokens
p11tool --list-keys pkcs11:model=SW%20%20%20TPM
# this also works to create a key:
 GNUTLS_PIN=userpin p11tool --generate-privkey rsa --label label --bits 2048 "pkcs11:model=SW%20%20%20TPM"
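
Added example, not code from tpm2-pkcs11, p11-kit or GnuTLS: a minimal RFC 7512 matcher showing how p11tool-style URIs like the two above are percent-decoded and compared against a token's attributes. An attribute absent from the URI is a wildcard, values are compared as bytes (so the label `0000000000000000%0D%04` carries a CR and a 0x04 byte), and `id` is a byte string, so `id=1` is the single byte 0x31 while the earlier `id=%34%37%66%33...` is the ASCII text `47f3...`. The SW TPM token values are constructed from the output in this post, and only the four token-level attributes are matched.

```c
/* Added example, not code from tpm2-pkcs11, p11-kit or GnuTLS: a minimal
 * RFC 7512 PKCS#11 URI matcher.  Path attributes are percent-decoded and
 * compared byte for byte with the token's attributes; an attribute absent
 * from the URI is a wildcard.  Only CK_TOKEN_INFO fields are matched. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct token_info {           /* the four CK_TOKEN_INFO fields a URI can name */
    const char *model, *manufacturer, *serial, *token;
};

static int hexval(unsigned char c) {
    const char *h = "0123456789abcdef", *q = c ? strchr(h, tolower(c)) : NULL;
    return q ? (int)(q - h) : -1;
}

/* Percent-decode src[0..len) into out (NUL-terminated, needs len+1 bytes).
 * Returns the decoded length, or -1 on a truncated or non-hex escape. */
int pct_decode(const char *src, size_t len, char *out) {
    size_t i, n = 0;
    for (i = 0; i < len; i++) {
        if (src[i] != '%') {
            out[n++] = src[i];
            continue;
        }
        if (i + 2 >= len) return -1;
        int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
        if (hi < 0 || lo < 0) return -1;
        out[n++] = (char)(hi * 16 + lo);
        i += 2;
    }
    out[n] = '\0';
    return (int)n;
}

/* Token attribute named by name[0..nlen); NULL for names not modelled. */
static const char *token_attr(const struct token_info *t, const char *name, size_t nlen) {
    if (nlen == 5  && !memcmp(name, "model", 5))         return t->model;
    if (nlen == 12 && !memcmp(name, "manufacturer", 12)) return t->manufacturer;
    if (nlen == 6  && !memcmp(name, "serial", 6))        return t->serial;
    if (nlen == 5  && !memcmp(name, "token", 5))         return t->token;
    return NULL;
}

/* 1 if uri selects token t, 0 if a named attribute differs, -1 if malformed. */
int pkcs11_uri_matches_token(const char *uri, const struct token_info *t) {
    const char *p;
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    p = uri + 7;
    while (*p) {
        const char *end = strchr(p, ';'), *eq, *val;
        if (!end) end = p + strlen(p);
        eq = memchr(p, '=', (size_t)(end - p));
        if (!eq) return -1;
        val = token_attr(t, p, (size_t)(eq - p));
        if (val) {
            char *dec = malloc((size_t)(end - eq));        /* value + NUL */
            int dlen = pct_decode(eq + 1, (size_t)(end - eq - 1), dec);
            int same = dlen >= 0 && (size_t)dlen == strlen(val)
                       && memcmp(dec, val, (size_t)dlen) == 0;
            free(dec);
            if (dlen < 0) return -1;   /* bad escape in a value we compare */
            if (!same) return 0;
        }
        p = *end ? end + 1 : end;
    }
    return 1;
}

/* Constructed sample modelled on the IBM SW TPM token shown in this post. */
static const struct token_info SW_TPM = { "SW   TPM", "IBM", "0000000000000000", "0000000000000000" };

int sw_tpm_matches(const char *uri) { return pkcs11_uri_matches_token(uri, &SW_TPM); }

/* 1 if percent-encoded enc decodes to exactly the bytes of expect. */
int decodes_to(const char *enc, const char *expect) {
    char buf[128];
    int n = strlen(enc) < sizeof buf ? pct_decode(enc, strlen(enc), buf) : -1;
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}
```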