tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

TPM2-TSS engine self-signed certificate gives 0x000002c4 error from different .c files #254

Closed swanand-gadre closed 1 year ago

swanand-gadre commented 2 years ago

I am new to the TPM2TSS engine.

I am running the basic commands from the exercise here: https://github.com/tpm2-software/tpm2-tss-engine#self-signed-certificate-generate-operation

However, it gives the following error:

tpm2tss-genkey -a ecdsa -v -s 256 pri_pub_blob.key

openssl req -new -x509 -engine tpm2tss -keyform engine -key pri_pub_blob.key -out client.crt

WARNING:esys:src/tss2-esys/api/Esys_SequenceComplete.c:323:Esys_SequenceComplete_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_SequenceComplete.c:111:Esys_SequenceComplete() Esys Finish ErrorCode (0x000002c4)
139905501976384:error:8009806D:tpm2-tss-engine:func(152):Unknown TPM error occurred. Please check tpm2tss logs:src/tpm2-tss-engine-digest-sign.c:150:
139905501976384:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:224:

The 0x000002c4 code seems to be generic.

Question 1 - What is the significance of the 0x000002c4 error code?

Question 2 - Any idea what is wrong in the commands where I am trying to create a CSR based on the exercise?

openssl engine tpm2tss -c -t
(tpm2tss) TPM2-TSS engine for OpenSSL
 [RSA, RAND]
     [ available ]

Other exercises like RSA decrypt, RSA signing and ECDSA operations are working fine.

Other environment details are

host OS - Rocky Linux release 8.4 (Green Obsidian)

rpm -qa | grep openssl
openssl-1.1.1k-5.el8_5.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
openssl-libs-1.1.1k-5.el8_5.x86_64
openssl-devel-1.1.1k-5.el8_5.x86_64

rpm -qa | grep tpm2
tpm2-pkcs11-1.3.2-2.el8.x86_64
tpm2-abrmd-selinux-2.3.1-1.el8.noarch
tpm2-pkcs11-tools-1.3.2-2.el8.x86_64
tpm2-tss-2.3.2-4.el8.x86_64
tpm2-tss-devel-2.3.2-4.el8.x86_64
tpm2-abrmd-2.3.3-2.el8.x86_64
tpm2-tools-4.1.1-5.el8.x86_64

Let me know

williamcroberts commented 2 years ago


> Question 1 - What is the significance of the 0x000002c4 error code?

tpm2 rc_decode 0x000002c4
tpm:parameter(2):value is out of range or is not correct for the context

> Question 2 - Any idea what is wrong in the commands where I am trying to create a CSR based on the exercise?


It could be that your TPM doesn't support that signing algorithm. Is there any way you could get us the bytes headed to the TPM or the parameters (tpm2-abrmd[1] or the pcap tcti[2]) to the Esys_Sign command (use gdb and set a break point and dump them)?

[1] tpm2-abrmd logs them if you turn on some log level, I think the G_DEBUG variable offhand.
[2] https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-pcap.7.in. You'll need to set the TPM2TSSENGINE_TCTI env variable to control the TCTI in use. You'll want something like pcap:tpm2-abrmd as the value.

swanand-gadre commented 2 years ago

Ok, checking

swanand-gadre commented 2 years ago

TSS2_LOG=tcti+DEBUG /usr/local/bin/tpm2tss-genkey -a ecdsa -v -s 256 pri_pub_blob.key
Engine name: TPM2-TSS engine for OpenSSL
Init result: 1
Generating the ecdsa key
debug:tcti:src/tss2-tcti/tctildr-dl.c:293:tctildr_get_tcti() name: "(null)", conf: "(null)"
debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-default.so
debug:tcti:src/tss2-tcti/tctildr.c:85:tcti_from_init() Initialized TCTI for config: (null)
debug:tcti:src/tss2-tcti/tctildr.c:113:tcti_from_info() Initialized TCTI named: tcti-device
debug:tcti:src/tss2-tcti/tctildr-dl.c:158:tcti_from_file() Initialized TCTI file: libtss2-tcti-default.so
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 22 byte command buffer: (size=22):
8001000000160000 017a000000000000 00000000007f
debug:tcti:src/util/io.c:89:write_all() writing 22 bytes starting at 0x15b2da0 to fd 3
debug:tcti:src/util/io.c:100:write_all() wrote 22 bytes to fd 3
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=133):
8001000000850000 0000000000000000 0000130001000000 0900040000000400 0500000104000600 0000020008000003 0c000a0000000600 0b00000004001400 0001010015000002 0100160000010100 1700000201001800 0005010019000004 01001a0000010100 2000000404002200 0004040023000000 0900250000000800 4300000202
debug:tcti:src/tss2-tcti/tcti-device.c:311:tcti_device_receive() Size from header 133 bytes read 133
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 67 byte command buffer: (size=67):
8002000000430000 0131400000010000 0009400000090000 0000000004000000 00001a0023000b00 0304720000000600 8000430010000300 1000000000000000 000000
debug:tcti:src/util/io.c:89:write_all() writing 67 bytes starting at 0x15b2da0 to fd 3
debug:tcti:src/util/io.c:100:write_all() wrote 67 bytes to fd 3
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=282):
80020000011a0000 0000800000030000 0103005a0023000b 0003047200000006 0080004300100003 00100020dc20ba63 7b924042468aa323 ed2d1e61eb872b92 e708e9b8b38cfe40 72eb9521002073de f2473119be59f03e 630cfb6b716073af 76042eaeb06950be 8b41e8bce4190037 000000000020e3b0 c44298fc1c149afb f4c8996fb92427ae 41e4649b934ca495 991b7852b8550100 1000044000000100 0440000001000000 205da041bac0ee31 35aebb0cadfba497 c6a1877fae832dd3 d1f8f7a871b825e8 5480214000000100 202e3f79d5c4ce1e 17a3c59b087c3fd7 d374d07e8ee9558e ee211f77b494deee 420022000b0bb3e7 05a7bed30f8653fc ae497e564a164854 b063a16f7957b271 7870cb2b38000001 0000
debug:tcti:src/tss2-tcti/tcti-device.c:311:tcti_device_receive() Size from header 282 bytes read 282
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 63 byte command buffer: (size=63):
80020000003f0000 0153800000030000 0009400000090000 0000000004000000 0000160023000b00 0404720000001000 1000030010000000 00000000000000
debug:tcti:src/util/io.c:89:write_all() writing 63 bytes starting at 0x15b2da0 to fd 3
debug:tcti:src/util/io.c:100:write_all() wrote 63 bytes to fd 3
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=10):
80010000000a0000 0902
debug:tcti:src/tss2-tcti/tcti-device.c:311:tcti_device_receive() Size from header 10 bytes read 10
WARNING:esys:src/tss2-esys/api/Esys_Create.c:375:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:120:Esys_Create() Esys Finish ErrorCode (0x00000902)
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 14 byte command buffer: (size=14):
80010000000e0000 016580000003
debug:tcti:src/util/io.c:89:write_all() writing 14 bytes starting at 0x15b2da0 to fd 3
debug:tcti:src/util/io.c:100:write_all() wrote 14 bytes to fd 3
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=10):
80010000000a0000 0000
debug:tcti:src/tss2-tcti/tcti-device.c:311:tcti_device_receive() Size from header 10 bytes read 10
Error: Generating key failed
Key could not be generated.

swanand-gadre commented 2 years ago

Is this helpful, where tpm2tss-genkey -a ecdsa -v -s 256 pri_pub_blob.key is failing with

WARNING:esys:src/tss2-esys/api/Esys_Create.c:375:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:120:Esys_Create() Esys Finish ErrorCode (0x00000902)

AndreasFuchsTPM commented 1 year ago

Yes, this means that the TPM has 3 objects already inside its RAM and cannot load more. Try tpm2_flushcontext -t
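Two things in this thread are worth being able to do without the tpm2-tools binaries at hand: decoding a raw TSS2_RC such as 0x000002c4 or 0x00000902 the way `tpm2 rc_decode` does, and reading the TCTI debug trace above to see which TPM command actually failed. The script below is an added example, not code from the tpm2-tss-engine or tpm2-tss projects; it reimplements the TPM 2.0 response-code layout from Part 2 of the library specification (format-one codes for handle/parameter/session errors, format-zero codes and the RC_WARN range) and parses the `sending ... command buffer` / `Response Received` lines into command/response pairs. The command-code and error-description tables are constructed subsets, and the sample log is the trace from this issue with the hex bodies truncated to the headers.

```python
# Added example, not code from the tpm2-tss-engine project: decode TPM 2.0
# response codes (what `tpm2 rc_decode` does) and pick the failing command out
# of a TSS2_LOG=tcti+DEBUG trace like the one posted in this issue.
import re

# Subset of TPM_CC command codes from TPM 2.0 Library Part 2 (constructed, not exhaustive).
COMMAND_CODES = {
    0x131: "TPM2_CreatePrimary", 0x153: "TPM2_Create", 0x157: "TPM2_Load",
    0x15D: "TPM2_Sign", 0x165: "TPM2_FlushContext", 0x17A: "TPM2_GetCapability",
}
# Format-one error numbers (TPM_RC bits 0..5), subset of the RC_FMT1 codes.
FMT1_ERRORS = {
    0x01: "TPM_RC_ASYMMETRIC: asymmetric algorithm not supported or not correct",
    0x02: "TPM_RC_ATTRIBUTES: inconsistent attributes",
    0x03: "TPM_RC_HASH: hash algorithm not supported or not appropriate",
    0x04: "TPM_RC_VALUE: value is out of range or is not correct for the context",
    0x05: "TPM_RC_HIERARCHY: hierarchy is not enabled or is not correct for the use",
    0x12: "TPM_RC_SCHEME: unsupported or incompatible scheme",
}
# Format-zero warning numbers (TPM_RC bits 0..6, with RC_WARN = 0x900), subset.
FMT0_WARNINGS = {
    0x01: "TPM_RC_CONTEXT_GAP: gap for context ID is too large",
    0x02: "TPM_RC_OBJECT_MEMORY: out of memory for object contexts",
    0x03: "TPM_RC_SESSION_MEMORY: out of memory for session contexts",
    0x04: "TPM_RC_MEMORY: out of shared object/session memory",
    0x05: "TPM_RC_SESSION_HANDLES: out of session handles",
    0x06: "TPM_RC_OBJECT_HANDLES: out of object handles",
}


def decode_rc(rc: int) -> str:
    """Render a TSS2_RC roughly the way tpm2_rc_decode does (simplified)."""
    layer = (rc >> 16) & 0xFF
    if layer != 0:
        # Non-zero layer: a TSS library (ESYS, TCTI, ...) produced the code, not the TPM.
        return f"tss:layer({layer}):0x{rc & 0xFFFF:04x}"
    code = rc & 0xFFFF
    if code == 0:
        return "tpm:success"
    if code & 0x80:                     # bit 7 (F) set: format-one, tied to a handle/parameter/session
        number = (code >> 8) & 0xF      # N field: which handle/parameter/session
        err = code & 0x3F
        desc = FMT1_ERRORS.get(err, f"unknown format-one error 0x{err:02x}")
        if code & 0x40:                 # bit 6 (P) set: refers to parameter N
            return f"tpm:parameter({number}):{desc}"
        if number & 0x8:                # P clear and top bit of N set: session N&7
            return f"tpm:session({number & 0x7}):{desc}"
        return f"tpm:handle({number}):{desc}"
    if not code & 0x100:                # bit 8 (V) clear: TPM 1.2 style code
        return f"tpm:1.2-code:0x{code:03x}"
    if code & 0x800:                    # bit 11 (S) set: warning, RC_WARN range
        err = code & 0x7F
        return f"tpm:warn:{FMT0_WARNINGS.get(err, f'unknown warning 0x{err:02x}')}"
    return f"tpm:error:0x{code & 0x7F:02x} (format-zero TPM 2.0 error)"


# TCTI debug lines; the hex may be truncated, only the 10-byte header (+ handle) is read.
CMD_RE = re.compile(r"sending (\d+) byte command buffer: \(size=\d+\): ([0-9a-fA-F ]+)")
RSP_RE = re.compile(r"Response Received \(size=(\d+)\): ([0-9a-fA-F ]+)")


def parse_exchanges(log_text: str) -> list:
    """Pair each transmitted command with its response and decode both headers."""
    exchanges, pending = [], None
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            buf = bytes.fromhex(m.group(2).replace(" ", ""))
            cc = int.from_bytes(buf[6:10], "big")   # header: tag(2) size(4) commandCode(4)
            pending = {"command_code": cc, "size": int(m.group(1)),
                       "command": COMMAND_CODES.get(cc, f"TPM_CC 0x{cc:x}")}
            continue
        m = RSP_RE.search(line)
        if m and pending is not None:
            buf = bytes.fromhex(m.group(2).replace(" ", ""))
            rc = int.from_bytes(buf[6:10], "big")   # header: tag(2) size(4) responseCode(4)
            pending.update(rc=rc, decoded=decode_rc(rc))
            # CreatePrimary and Load return the new transient handle right after the header.
            if rc == 0 and pending["command_code"] in (0x131, 0x157) and len(buf) >= 14:
                pending["handle"] = int.from_bytes(buf[10:14], "big")
            exchanges.append(pending)
            pending = None
    return exchanges


def first_failure(log_text: str):
    """Return the first command/response pair whose response code is not success."""
    return next((ex for ex in parse_exchanges(log_text) if ex["rc"] != 0), None)


# Constructed sample: the four exchanges from the trace in this issue, hex bodies truncated.
SAMPLE_LOG = """\
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 22 byte command buffer: (size=22): 8001000000160000 017a000000000000 00000000007f
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=133): 8001000000850000 0000000000000000 0000130001000000
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 67 byte command buffer: (size=67): 8002000000430000 0131400000010000 0009400000090000
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=282): 80020000011a0000 0000800000030000 0103005a0023000b
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 63 byte command buffer: (size=63): 80020000003f0000 0153800000030000 0009400000090000
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=10): 80010000000a0000 0902
debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 14 byte command buffer: (size=14): 80010000000e0000 016580000003
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=10): 80010000000a0000 0000
"""

if __name__ == "__main__":
    for ex in parse_exchanges(SAMPLE_LOG):
        extra = f"  handle=0x{ex['handle']:08x}" if "handle" in ex else ""
        print(f"{ex['command']:<20} rc=0x{ex['rc']:08x}  {ex['decoded']}{extra}")
    print("rc 0x000002c4 ->", decode_rc(0x000002c4))
```

Run against the trace, the output lines up with the diagnosis in the thread: TPM2_GetCapability succeeds, TPM2_CreatePrimary succeeds and hands back transient handle 0x80000003 (the fourth and, on many discrete TPMs, last transient slot), TPM2_Create then fails with the warning TPM_RC_OBJECT_MEMORY, and the engine flushes 0x80000003 on its way out. The same trace also shows `Initialized TCTI named: tcti-device`, i.e. the engine talked to the device node directly rather than through tpm2-abrmd, so no resource manager was swapping objects in and out for it; `tpm2_flushcontext -t` frees the stale transient objects, and pointing TPM2TSSENGINE_TCTI at the resource manager avoids the slot limit for long-running callers.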