I'm on Gentoo with openssl-3.0.9-r2 and tpm2-openssl-1.1.1, tpm2-tss-4.0.1, and am failing to sign CSRs using a CA with a key based on the tpm2 provider. I can use the same key to decrypt files run through its pubkey, but CA fails. This same TPM was previously working for CA signing on 1.1.1u with the tpm2-tss engine. Everything was regenerated for the new openssl version and tpm2 provider. Attempts to sign CSRs result in the following:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
WARNING:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_LoadExternal.c:314:Esys_LoadExternal_Finish() Received TPM Error
ERROR:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002c4)
Signature did not match the certificate request
40470EA9C87F0000:error:4000000C:tpm2::cannot load key::-1:708 tpm:parameter(2):value is out of range or is not correct for the context
40470EA9C87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.9/crypto/asn1/a_verify.c:196:
I tried running the PKI test script from this repo to try and make sure it wasn't something stupid I was doing, and it threw a somewhat different error. The same a_verify.c file errored, different line.
paul@paul-desktop ~/workspace/tpm2-openssl/test/rsa_pki $ ./rsa_pki.sh
++ dirname ./rsa_pki.sh
+ export PKIDIR=.
+ PKIDIR=.
+ mkdir -p testdb/ca/root-ca/private testdb/ca/root-ca/db testdb/crl testdb/certs
+ chmod 700 testdb/ca/root-ca/private
+ cp /dev/null testdb/ca/root-ca/db/root-ca.db
+ cp /dev/null testdb/ca/root-ca/db/root-ca.db.attr
+ echo 01
+ echo 01
+ openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' -new -config ./etc/root-ca.conf -out testdb/ca/root-ca.csr -keyout testdb/ca/root-ca/private/root-ca.key
Warning: generating random key material may take a long time
if the system has a poor entropy source
-----
+ openssl ca -provider tpm2 -provider default -propquery '?provider=tpm2' -selfsign -config ./etc/root-ca.conf -batch -in testdb/ca/root-ca.csr -out testdb/ca/root-ca.crt -extensions root_ca_ext
Using configuration from ./etc/root-ca.conf
40D7FE3E7B7F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../openssl-3.0.9/crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
Check that the request matches the signature
WARNING:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x00000902)
Signature did not match the certificate request
40D7FE3E7B7F0000:error:40000013:tpm2::cannot duplicate context::-1:2306 tpm:warn(2.0): out of memory for object contexts
40D7FE3E7B7F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.9/crypto/asn1/a_verify.c:217:
+ '[' -f testdb/ca/root-ca.crt ']'
I also just tried using openssl 3.1.2, same results.
No idea if it's something I'm doing wrong, a configuration problem with my system, or a potential bug. Any help would be appreciated; I should be able to run any troubleshooting steps required, though I'm not very experienced with openssl beyond basic usage.
Steps to create CA private key, CA cert, and sign CSR:
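The two Esys Finish ErrorCode values in the logs above (0x000002c4 and 0x00000902) are raw TPM 2.0 response codes that tpm2-tss decodes into the "tpm:parameter(2):value is out of range" and "tpm:warn(2.0): out of memory for object contexts" strings. The script below is an added example, not part of this issue, tpm2-openssl or tpm2-tss: it implements the TPM_RC bit layout from the TPM 2.0 Library spec Part 2 (format-1 codes carry the offending parameter/handle/session index in bits 11:8; format-0 codes use bit 11 for warning versus error) and the tpm2-tss convention that bits 23:16 hold the originating software layer, with 0 meaning the TPM itself. Only a subset of TPM_RC_* names is tabulated (an assumption for brevity; unknown numbers are reported numerically), and the sample log lines are copies of the two ERROR:esys lines from the report with the build paths shortened. `tpm2_rc_decode` from tpm2-tools gives the same answer if it is installed.

```python
"""Decode raw TPM 2.0 response codes as printed by tpm2-tss, e.g. 0x000002c4 and 0x00000902."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Response-code layout from the TPM 2.0 Library spec, Part 2 ("TPM_RC" constants).
RC_FMT1 = 0x080           # bit 7 set: format-1 code (error tied to a handle, session or parameter)
RC_VER1 = 0x100           # bit 8 set: TPM 2.0 format-0 code (clear: TPM 1.2-style code)
RC_VENDOR = 0x400         # bit 10 set: vendor-defined code
RC_WARN_BIT = 0x800       # bit 11 set on a format-0 code: warning rather than hard error
FMT1_P_BIT = 0x040        # bit 6 on a format-1 code: 1 = parameter, 0 = handle or session
FMT1_SESSION_BIT = 0x800  # bit 11 on a format-1 code with P = 0: 1 = session, 0 = handle
TSS2_LAYER_SHIFT = 16     # tpm2-tss stores the originating layer in bits 23:16; 0 = the TPM itself

# Subset of error numbers (the low bits of TPM_RC_*), an assumption for brevity;
# unknown numbers are reported numerically.
FMT1_NAMES = {0x002: "TPM_RC_ATTRIBUTES", 0x004: "TPM_RC_VALUE", 0x007: "TPM_RC_KEY_SIZE",
              0x012: "TPM_RC_SCHEME", 0x015: "TPM_RC_SIZE", 0x01C: "TPM_RC_KEY"}
WARN_NAMES = {0x002: "TPM_RC_OBJECT_MEMORY", 0x003: "TPM_RC_SESSION_MEMORY",
              0x004: "TPM_RC_MEMORY", 0x006: "TPM_RC_OBJECT_HANDLES"}
VER1_NAMES = {0x000: "TPM_RC_INITIALIZE", 0x001: "TPM_RC_FAILURE", 0x050: "TPM_RC_BAD_CONTEXT"}


@dataclass
class TpmRc:
    code: int
    severity: str                  # "success", "warning" or "error"
    name: str                      # TPM_RC_* where known, otherwise a numeric placeholder
    subject: Optional[str] = None  # "parameter", "handle" or "session" for format-1 codes
    index: Optional[int] = None    # 1-based position of that parameter/handle/session


def decode_tpm_rc(code: int) -> TpmRc:
    """Split a TSS2_RC / TPM_RC value into severity, name and (for format-1) the offending argument."""
    layer = (code >> TSS2_LAYER_SHIFT) & 0xFF
    if layer != 0:
        raise ValueError(f"0x{code:08x} comes from tpm2-tss layer {layer}, not from the TPM")
    rc = code & 0xFFFF
    if rc == 0:
        return TpmRc(code, "success", "TPM_RC_SUCCESS")
    if rc & RC_FMT1:
        err = rc & 0x3F
        name = FMT1_NAMES.get(err, f"TPM_RC_FMT1+0x{err:03x}")
        if rc & FMT1_P_BIT:
            return TpmRc(code, "error", name, "parameter", (rc >> 8) & 0xF)
        if rc & FMT1_SESSION_BIT:
            return TpmRc(code, "error", name, "session", (rc >> 8) & 0x7)
        return TpmRc(code, "error", name, "handle", (rc >> 8) & 0x7)
    if rc & RC_VENDOR:
        return TpmRc(code, "error", f"TPM_RC_VENDOR+0x{rc & 0x7F:03x}")
    if not rc & RC_VER1:
        return TpmRc(code, "error", f"TPM_1.2_RC+0x{rc & 0x7F:03x}")
    err = rc & 0x7F
    if rc & RC_WARN_BIT:
        return TpmRc(code, "warning", WARN_NAMES.get(err, f"TPM_RC_WARN+0x{err:03x}"))
    return TpmRc(code, "error", VER1_NAMES.get(err, f"TPM_RC_VER1+0x{err:03x}"))


def describe(code: int) -> str:
    """Render a code in the compact style tpm2-tss uses in its error strings."""
    r = decode_tpm_rc(code)
    if r.subject is not None:
        return f"tpm:{r.subject}({r.index}):{r.name}"
    return f"tpm:{'warn' if r.severity == 'warning' else 'error'}:{r.name}"


_ESYS_CODE = re.compile(r"Esys Finish ErrorCode \((0x[0-9a-fA-F]+)\)")


def extract_esys_codes(log: str) -> List[int]:
    """Pull every 'Esys Finish ErrorCode (0x...)' value out of tpm2-tss log output."""
    return [int(m, 16) for m in _ESYS_CODE.findall(log)]


# Constructed sample: the two ERROR:esys lines reported in this issue, build paths shortened.
SAMPLE_LOG = """\
ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002c4)
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x00000902)
"""

if __name__ == "__main__":
    for code in extract_esys_codes(SAMPLE_LOG):
        print(f"0x{code:08x} -> {describe(code)}")
    # 0x000002c4 -> tpm:parameter(2):TPM_RC_VALUE
    # 0x00000902 -> tpm:warn:TPM_RC_OBJECT_MEMORY
```

Read against the logs: 0x2c4 is TPM_RC_VALUE raised on parameter 2 of Esys_LoadExternal (the inPublic argument, i.e. the public key the provider tried to load into the TPM for verification), and 0x902 is TPM_RC_OBJECT_MEMORY, a warning-class code meaning the TPM had no free transient object slot when Esys_ContextLoad ran. Either way the decoded code points at what the TPM rejected rather than at OpenSSL's a_verify.c, which only reports the failed verification.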