Closed Darsh-Dev closed 4 years ago
Please increase the logging of pkcs11; the steps are provided e.g. in the other issue.
Also what is the output of
p11tool --list-privkeys pkcs11:manufacturer=Infineon
Sure, I will share the logs after increasing the logging of pkcs11 @PeterHuewe
Please see the output below:
root@stm32mp1-av96:~# p11tool --list-privkeys pkcs11:manufacturer=Infineon
Object 0:
URL: pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass;id=%34%66%38%63%37%64%35%31%39%39%35%66%30%35%61%61;object=greenkey;type=private
Token 'greengrass' with URL 'pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass' requires user PIN
Enter PIN:
Type: Private key (RSA-2048)
Label: greenkey
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 34:66:38:63:37:64:35:31:39:39:35:66:30:35:61:61
You have an SLB, but specified SLI in the URL for the CSR. Use the URL, maybe in a shortened version, returned by p11tool as described in the guide.
Hi @PeterHuewe , I have tried with SLB as well, same error seen.
Now I have an update. The error reported is 3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
I changed the command from object=greenkey to label=greenkey and tried it again.
OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;label=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069468688:error:80065064:pkcs11 engine:ctx_load_key:invalid id:eng_back.c:636:
3069468688:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
error in req
OpenSSL>
Now it gives us invalid id:eng_back.c:636:.
Also tried with export TPM2_PKCS11_LOG_LEVEL=2
No additional log seen.
openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069653008:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
3069653008:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
error in req
OpenSSL>
Same error seen with the suggested command.
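Why the label=greenkey form above fails as "not a valid PKCS#11 URI" while object=greenkey parses: RFC 7512 defines a fixed set of path attributes, "label" is not one of them, and the CKA_LABEL is addressed with "object=". The parser below is an added illustration, not code from this thread, libp11 or tpm2-pkcs11; it also decodes the id=%34%66... from the p11tool listing into the bytes p11tool prints as 34:66:38:..., and assumes (as the thread's later working command suggests) that pin-value may appear ";"-separated in the path part.

```python
# Added example (not from this thread, libp11 or tpm2-pkcs11): a minimal RFC 7512
# PKCS#11 URI parser showing why "label=greenkey" is rejected but "object=greenkey" is not.
from urllib.parse import unquote, unquote_to_bytes

# RFC 7512 path attributes; "label" is not one, the CKA_LABEL is addressed via "object".
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
# Query attributes belong after "?" per RFC 7512; libp11 also accepts them
# ";"-separated in the path, as the thread's working command does (assumed here).
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_CLASSES = {"private": "CKO_PRIVATE_KEY", "public": "CKO_PUBLIC_KEY",
                  "cert": "CKO_CERTIFICATE", "secret-key": "CKO_SECRET_KEY",
                  "data": "CKO_DATA"}

def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into {"path": {...}, "query": {...}}; ValueError if invalid."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("missing pkcs11: scheme")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    parsed = {"path": {}, "query": {}}
    for part, sep, allowed, dest in (
            (path_part, ";", PATH_ATTRS | QUERY_ATTRS, parsed["path"]),
            (query_part, "&", QUERY_ATTRS, parsed["query"])):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"invalid attribute {name!r}: not a valid PKCS#11 URI")
            if name in dest:
                raise ValueError(f"duplicate attribute {name!r}")
            # "id" is binary (CKA_ID); every other value is percent-encoded text.
            dest[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    if parsed["path"].get("type", "private") not in OBJECT_CLASSES:
        raise ValueError("unknown object type")
    return parsed

def search_template(parsed: dict) -> dict:
    """The PKCS#11 attributes a module matches in C_FindObjectsInit for this URI."""
    path, tmpl = parsed["path"], {}
    if "object" in path:
        tmpl["CKA_LABEL"] = path["object"]
    if "id" in path:
        tmpl["CKA_ID"] = path["id"]
    if "type" in path:
        tmpl["CKA_CLASS"] = OBJECT_CLASSES[path["type"]]
    return tmpl

def p11tool_id(cka_id: bytes) -> str:
    """Render CKA_ID the way p11tool prints it (34:66:38:...)."""
    return ":".join(f"{b:02x}" for b in cka_id)
```

A URI that parses here can still fail with "Specified object not found" if the engine is pointed at the wrong PKCS#11 module, which is what the rest of the thread turns out to be about.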
Hi, what's the output of openssl engine -t -tt pkcs11 -c
Hi, @PeterHuewe
OpenSSL> engine -t -tt pkcs11 -c
engine: Cannot mix flags and engine names.
engine: Use -help for summary.
error in engine
OpenSSL>
Is there any simple command to just validate the pkcs and openssl?
openssl engine -t -tt -c pkcs11
openssl engine -t -tt -c pkcs11
(pkcs11) pkcs11 engine
[RSA, rsaEncryption, id-ecPublicKey]
[ available ]
export TPM2_PKCS11_LOG_LEVEL=2
openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
There I get a long log on the command line; maybe post a screenshot.
@PeterHuewe ,
root@stm32mp1-av96:~# export TPM2_PKCS11_LOG_LEVEL=2
root@stm32mp1-av96:~# openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069763600:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
3069763600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
root@stm32mp1-av96:~#
No additional logs seen even after "export TPM2_PKCS11_LOG_LEVEL=2".
Then the connection between the pkcs11 engine and tpm2-pkcs11 seems to be broken. Please run with strace:
strace openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
Which version of libp11 do you use?
Output of
ls -lah /usr/share/p11-kit/modules/
libp11 version used: 0.4.10; tried with 0.4.9 as well.
root@stm32mp1-av96:~# ls -lah /usr/share/p11-kit/modules/
total 16K
drwxr-xr-x 2 root root 4.0K Mar 9 2018 .
drwxr-xr-x 3 root root 4.0K Mar 9 2018 ..
-rw-r--r-- 1 root root 776 Mar 9 2018 p11-kit-trust.module
-rw-r--r-- 1 root root 40 Mar 9 2018 tpm2_pkcs11.module
root@stm32mp1-av96:~#
I will share the strace...
and maybe also share your openssl version
OpenSSL 1.1.1b
Please find the strace result, strace_openssl_log.zip
cat /etc/opensc.conf
Sure, I will share.
Meanwhile, please let me know whether the command below is okay:
OPENSSL > engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Hey @PeterHuewe ,
Issue is resolved. The wrong module was loaded.
Changed to:
OPENSSL > engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so
root@stm32mp1-av96:~# openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
INFO on line: "395" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "395" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "383" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1903" in file: "src/lib/db.c": Using sqlite3 DB: "/opt/tpm2-pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "383" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "391" in file: "src/pkcs11.c": enter "C_GetInfo"
INFO on line: "391" in file: "src/pkcs11.c": return "C_GetInfo" value: 0
INFO on line: "399" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "399" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "399" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "399" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "403" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "403" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "407" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "407" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "435" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "435" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "447" in file: "src/pkcs11.c": enter "C_GetSessionInfo"
INFO on line: "447" in file: "src/pkcs11.c": return "C_GetSessionInfo" value: 0
INFO on line: "459" in file: "src/pkcs11.c": enter "C_Login"
INFO on line: "459" in file: "src/pkcs11.c": return "C_Login" value: 0
INFO on line: "491" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "491" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "495" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "495" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "495" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "495" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "499" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "499" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "483" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "483" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 18
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
I do not have to set anything like this on my system.
Why /usr/lib/opensc-pkcs11.so? I think the path here should be to libtpm2_pkcs11.so.
Great. As said, I did not have to specify this on my system, but okay. Can we close this?
Yes @PeterHuewe, thanks for the support again.
Hi,
I am following the steps as mentioned in https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/
I am facing an issue while generating a certificate signing request; the command below is used: