Request Error

[roberto497]

I generated the private achev using the genkey, then generated the .csr, sent to my server and generated the .pem using the CA, I am trying to make a request using Python and it is returning the following error:

` import requests

cert_file_path = "client.crt" key_file_path = "private.key"

url = "https://IP_SERVER" cert = (cert_file_path, key_file_path) r = requests.get (url, cert = cert, verify = False)

print (r.status_code) ` Error:

requests.exceptions.SSLError: HTTPSConnectionPool (host = '189.36.10.80', port = 20443): Max retries exceeded with url: / (Caused by SSLError (SSLError (336265225, '[SSL] PEM lib (_ssl.c: 3507) (I.e.

Can anyone help me with this

[roberto497]

Is it possible to use the tpm2tss engine with pycurl?

[roberto497]

I try run this command: curl -k --engine tpm2tss --cert client.crt --key private.key --key-type ENG --tlsv1.2 -v https://MY_URL return this output:

• Rebuilt URL to: https://-----------------
• Trying --------..
• TCP_NODELAY set
• Connected to ---------- 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
• TLSv1.2 (OUT), TLS handshake, Client hello (1):
• TLSv1.2 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
• TLSv1.2 (OUT), TLS change cipher, Client hello (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• TLSv1.2 (IN), TLS handshake, Finished (20):
• SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
• ALPN, server did not agree to a protocol
• Server certificate:
• subject: ------------------
• start date: May 9 19:45:55 2018 GMT
• expire date: May 9 00:00:00 2019 GMT
• issuer: --------------------
• SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

  GET / HTTP/1.1 Host: -------------- User-Agent: curl/7.58.0 Accept: /

• TLSv1.2 (IN), TLS handshake, Hello request (0):
• TLSv1.2 (OUT), TLS handshake, Client hello (1):
• TLSv1.2 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Request CERT (13):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Certificate (11):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16): WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
• TLSv1.2 (OUT), TLS handshake, CERT verify (15):
• TLSv1.2 (OUT), TLS change cipher, Client hello (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• OpenSSL SSL_read: error:25066067:DSO support routines:dlfcn_load:could not load the shared library, errno 11
• stopped the pause stream!
• Closing connection 0 curl: (56) OpenSSL SSL_read: error:25066067:DSO support routines:dlfcn_load:could not load the shared library, errno 11

[AndreasFuchsTPM]

Could you provide the sequence for all command for me to reproduce your scenario ? All the way from key generation, cert requesting, cert response to usage in python ?

[roberto497]

MACHINE: 1) Generate the Key tpm2tss-genkey -a ecdsa -v -s 256 private.key 2) Generate the .CSR openssl req -out client.csr -new -newkey rsa:2048 -engine tpm2tss -keyform engine -key private.key -subj "/C=BR/ST=SP/L=Sao Paulo/O=Grupo Tecnowise/CN=MAQ-1542-8598545854"

SERVER: openssl x509 -req -days 1028 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

so I sent client.crt to the machine and ran the python script.

[AndreasFuchsTPM]

One more thing, what's your OpenSSL and python version and what OS/version are on ?

[roberto497]

One more thing, what's your OpenSSL and python version and what OS/version are on ? OpenSSL 1.1.0g 2 Nov 2017 Python 3.6.7 Ubuntu 18.04

[roberto497]

@AndreasFuchsSIT I tried several different ones and so far I have not been able to make a request in my server api using a key pair created in tpm, plus any suggestions?

[roberto497]

Solved

Generate key

tpm2_createprimary -a o -g sha256 -G rsa -o po.ctx tpm2_flushcontext -t tpm2_create -C po.ctx -g sha256 -G rsa -u rsakey.pub -r rsakey tpm2_flushcontext -t tpm2_load -C po.ctx -u rsakey.pub -r rsakey -o rsakey.ctx tpm2_flushcontext -t tpm2_evictcontrol -a o -c rsakey.ctx -p 0x81010003 tpm2_flushcontext -t tpm2_readpublic -c 0x81010003 -o rsa.pem -f pem

Generate .csr openssl req -new -engine tpm2tss -keyform engine -out client.csr -key 0x81010003

Curl command curl -k --engine tpm2tss --cert client.crt --key 0x81010003 --key-type ENG --tlsv1.2 -v https://my_api

[AndreasFuchsTPM]

Ok, that's already good. I'll reopen the gut though, because we don't want to be restricted to persistent keys. Thanks for the effort and demonstration though.

I'll assume that the reason is the equivalent of -keyform engine from the commandline tool. Don't know if --key-type ENG actaully does thios 1to1.

[AndreasFuchsTPM]

Apparently this issue is a duplicate of #93 and https://github.com/tpm2-software/tpm2-tss-engine/issues/93#issuecomment-473865216 fixes this issue here as well.