tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io

Error while generating a certificate signing request - PKCS11_get_private_key #484

Closed Darsh-Dev closed 4 years ago

Darsh-Dev commented 4 years ago

Hi,

I am following the steps as mentioned https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/

I am facing an issue while generating a certificate signing request; the command below is used,

openssl req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine

openssl req -verbose -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Using configuration from /usr/lib/ssl-1.1/openssl.cnf
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
3070050320:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
root@stm32mp1-av96:~#

PeterHuewe commented 4 years ago

Please increase the logging of pkcs11; steps are provided e.g. in the other issue.

PeterHuewe commented 4 years ago

Also, what is the output of p11tool --list-privkeys pkcs11:manufacturer=Infineon

Darsh-Dev commented 4 years ago

Sure, I will share the logs after increasing the logging of pkcs11 @PeterHuewe

Please see below the output of,

root@stm32mp1-av96:~# p11tool --list-privkeys pkcs11:manufacturer=Infineon
Object 0:
        URL: pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass;id=%34%66%38%63%37%64%35%31%39%39%35%66%30%35%61%61;object=greenkey;type=private
Token 'greengrass' with URL 'pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass' requires user PIN
Enter PIN:
        Type: Private key (RSA-2048)
        Label: greenkey
        Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
        ID: 34:66:38:63:37:64:35:31:39:39:35:66:30:35:61:61

PeterHuewe commented 4 years ago

You have an SLB, but specified SLI in the URL for the CSR. Use the URL, maybe in a shortened version, returned by p11tool as described in the guide.

Darsh-Dev commented 4 years ago

Hi @PeterHuewe, I have tried with SLB as well; the same error is seen.

Now I have some update. The error reported is 3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:

I changed the command from object=greenkey to label=greenkey and tried it again.

OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;label=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069468688:error:80065064:pkcs11 engine:ctx_load_key:invalid id:eng_back.c:636:
3069468688:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
error in req
OpenSSL>

Now it gives us invalid id:eng_back.c:636:.

Darsh-Dev commented 4 years ago

Also tried with export TPM2_PKCS11_LOG_LEVEL=2; no additional log seen.

PeterHuewe commented 4 years ago

openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

Darsh-Dev commented 4 years ago

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support

Loaded: (pkcs11) pkcs11 engine

OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069653008:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
3069653008:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
error in req
OpenSSL>

The same error is seen with the suggested command.

PeterHuewe commented 4 years ago

Hi, what's the output of openssl engine -t -tt pkcs11 -c

Darsh-Dev commented 4 years ago

Hi, @PeterHuewe

OpenSSL> engine -t -tt pkcs11 -c
engine: Cannot mix flags and engine names.
engine: Use -help for summary.
error in engine
OpenSSL>

Darsh-Dev commented 4 years ago

Is there any simple command to just validate the pkcs and openssl?

PeterHuewe commented 4 years ago

openssl engine -t -tt -c pkcs11

Darsh-Dev commented 4 years ago

openssl engine -t -tt -c pkcs11
(pkcs11) pkcs11 engine
 [RSA, rsaEncryption, id-ecPublicKey]
     [ available ]

PeterHuewe commented 4 years ago

export TPM2_PKCS11_LOG_LEVEL=2
openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

There I get a long log on the command line; maybe post a screenshot.

Darsh-Dev commented 4 years ago

@PeterHuewe ,

root@stm32mp1-av96:~# export TPM2_PKCS11_LOG_LEVEL=2
root@stm32mp1-av96:~# openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069763600:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
3069763600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
root@stm32mp1-av96:~#

No additional logs seen even after "export TPM2_PKCS11_LOG_LEVEL=2".

PeterHuewe commented 4 years ago

Then the connection between the pkcs11 engine and tpm2-pkcs11 seems to be broken. Please run with strace:

strace openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

Which version of libp11 do you use? Output of:
ls -lah /usr/share/p11-kit/modules/

Darsh-Dev commented 4 years ago

libp11 version used: 0.4.10; tried with 0.4.9 as well.

root@stm32mp1-av96:~# ls -lah /usr/share/p11-kit/modules/
total 16K
drwxr-xr-x 2 root root 4.0K Mar  9  2018 .
drwxr-xr-x 3 root root 4.0K Mar  9  2018 ..
-rw-r--r-- 1 root root  776 Mar  9  2018 p11-kit-trust.module
-rw-r--r-- 1 root root   40 Mar  9  2018 tpm2_pkcs11.module
root@stm32mp1-av96:~#

I will share the strace...

PeterHuewe commented 4 years ago

And maybe also share your openssl version.

Darsh-Dev commented 4 years ago

OpenSSL 1.1.1b

Please find the strace result: strace_openssl_log.zip

PeterHuewe commented 4 years ago

cat /etc/opensc.conf

Darsh-Dev commented 4 years ago

Sure, I will share.

Meanwhile, please let me know whether the command below is okay:

OPENSSL > engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

Darsh-Dev commented 4 years ago

Hey @PeterHuewe,

Issue is resolved: the wrong module was loaded.

Changed to OPENSSL > engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so

root@stm32mp1-av96:~# openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
INFO on line: "395" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "395" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "383" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1903" in file: "src/lib/db.c": Using sqlite3 DB: "/opt/tpm2-pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "383" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "391" in file: "src/pkcs11.c": enter "C_GetInfo"
INFO on line: "391" in file: "src/pkcs11.c": return "C_GetInfo" value: 0
INFO on line: "399" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "399" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "399" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "399" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "403" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "403" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "407" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "407" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "435" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "435" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "447" in file: "src/pkcs11.c": enter "C_GetSessionInfo"
INFO on line: "447" in file: "src/pkcs11.c": return "C_GetSessionInfo" value: 0
INFO on line: "459" in file: "src/pkcs11.c": enter "C_Login"
INFO on line: "459" in file: "src/pkcs11.c": return "C_Login" value: 0
INFO on line: "491" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "491" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "495" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "495" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "495" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "495" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "499" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "499" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 18
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
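
The thread turns on two mistakes that the libp11 engine only reports indirectly: a PKCS#11 URI attribute whose value does not match the token (model=SLI9670 vs the SLB9670 that p11tool prints, giving "object not found"), and an attribute name RFC 7512 does not define (label= instead of object=, giving "not a valid PKCS#11 URI"). The POSIX shell check below is an added example, not code from the issue or from tpm2-pkcs11; it compares the URI you intend to pass to openssl against the URL line from p11tool --list-privkeys and names the exact attribute that is wrong. The sample URIs are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: validate a PKCS#11 URI (as given to `openssl req -key`) against
# the URL that p11tool reports for the key, before libp11 fails on it.

# Attribute names RFC 7512 defines for the path (;) and query (?) parts.
# Anything else, e.g. "label", makes libp11 reject the URI as invalid.
RFC7512_ATTRS="token manufacturer serial model library-manufacturer \
library-description library-version object type id slot-manufacturer \
slot-description slot-id pin-value pin-source module-name module-path"

# Print the value of attribute $2 in URI $1 (empty if absent).
pkcs11_uri_attr() {
    printf '%s\n' "${1#pkcs11:}" | tr ';?&' '\n\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Check request URI $1 against token URI $2 (the line p11tool printed).
# Prints one line per problem; returns 0 only when nothing is wrong.
pkcs11_uri_check() {
    req="$1" tok="$2" rc=0
    for kv in $(printf '%s\n' "${req#pkcs11:}" | tr ';?&' '   '); do
        name="${kv%%=*}" value="${kv#*=}"
        case " $RFC7512_ATTRS " in
            *" $name "*) ;;
            *) echo "invalid attribute '$name' (not defined by RFC 7512)"; rc=1; continue ;;
        esac
        # pin-value and friends never appear in p11tool output, so only
        # attributes the token actually reports are compared.
        tokval=$(pkcs11_uri_attr "$tok" "$name")
        if [ -n "$tokval" ] && [ "$tokval" != "$value" ]; then
            echo "mismatch: $name='$value' but token has '$tokval'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample, taken from the URIs quoted in this issue.
TOKEN_URL='pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass;id=%34%66%38%63%37%64%35%31%39%39%35%66%30%35%61%61;object=greenkey;type=private'
REQ_URI='pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456'
pkcs11_uri_check "$REQ_URI" "$TOKEN_URL" || echo "fix the URI before calling openssl"
```

A matching URI still fails if the engine is pointed at the wrong PKCS#11 module, as happened here with MODULE_PATH set to opensc-pkcs11.so; pinning MODULE_PATH to libtpm2_pkcs11.so in the pkcs11 engine section of openssl.cnf removes that step from every openssl invocation.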

PeterHuewe commented 4 years ago

I do not have to set anything like this on my system. Why /usr/lib/opensc-pkcs11.so? I think here the path should be to libtpm2_pkcs11.so.

PeterHuewe commented 4 years ago

Great - as said, I did not have to specify this on my system, but okay. Can we close this?

Darsh-Dev commented 4 years ago

Yes @PeterHuewe, thanks for the support again.