
`ssh-keygen -D libtpm2-pk11.so` returns multiple keys, how to distinguish them?

Open laanwj opened this issue 6 years ago • 2 comments

I generated and made persistent a TPM key according to the steps in the wiki.

However, it turns out that this TPM already contains a few different keys; these are also listed:

$ tpm2_listpersistent
- { persistent-handle: 0x81000001, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt }
- { persistent-handle: 0x81000002, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|sign }
- { persistent-handle: 0x81010001, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt }
- { persistent-handle: 0x81010010, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign }

$ ssh-keygen -D libtpm2-pk11.so
ssh-rsa AAAAB3N...
ssh-rsa AAAAB3N...
ssh-rsa AAAAB3N...
ssh-rsa AAAAB3N...

The keys have no identifiers at the end, so I cannot distinguish them. However, only the first of these keys (I assume this is the one I generated for the purpose, 0x81010010) actually works with ssh. The others, if used, give an error at connection time:

C_Sign failed: 5
sign_and_send_pubkey: signing failed: error in libcrypto

Which makes sense, as they have different policies.

laanwj avatar Apr 01 '18 19:04 laanwj

Potential problem from a privacy point of view (esp. if the others contain some platform key): all these keys are offered to the host connected to, when the PKCS#11 library is specified:

debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/.../upstream/security/libtpm2-pk11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/.../upstream/security/libtpm2-pk11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/.../upstream/security/libtpm2-pk11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
...

laanwj avatar Apr 02 '18 07:04 laanwj
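The identical-looking `ssh-rsa AAAAB3N...` lines above differ only after the common prefix (which is just the length-prefixed string "ssh-rsa"), so they can be told apart by decoding the blob. The following added example (not part of the issue or of tpm2-pk11) parses each line into exponent, modulus and the OpenSSH-style SHA256 fingerprint, and matches a hex modulus (as `tpm2_readpublic` prints for a persistent handle; the exact field layout is assumed) against the list, which also identifies the one key to keep offering. The sample keys are constructed toy values, not real TPM keys.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian magnitude, with a 0x00 pad if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def make_ssh_rsa_line(e: int, n: int) -> str:
    """Build an 'ssh-rsa <base64 blob>' line as ssh-keygen -D would print it."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def parse_ssh_rsa(line: str) -> dict:
    """Decode one ssh-rsa line into exponent, modulus and SHA256 fingerprint."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(fields[1])
    parts, off = [], 0
    while off < len(blob):  # walk the three length-prefixed fields
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        parts.append(blob[off:off + length])
        off += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    # OpenSSH's SHA256 fingerprint is unpadded base64 of sha256(blob)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"e": int.from_bytes(parts[1], "big"),
            "n": int.from_bytes(parts[2], "big"),
            "fingerprint": "SHA256:" + digest}

def match_handle(lines, modulus_hex: str):
    """Index of the listed key whose modulus equals the given hex modulus, else None."""
    target = int(modulus_hex, 16)
    for i, line in enumerate(lines):
        if parse_ssh_rsa(line)["n"] == target:
            return i
    return None

# Constructed sample moduli standing in for the four persistent keys (toy values, not real keys).
SAMPLE_MODULI = [0xC0FFEE0000000000000000000001, 0xC0FFEE0000000000000000000002,
                 0xC0FFEE0000000000000000000003, 0xC0FFEE0000000000000000000004]
SAMPLE_LINES = [make_ssh_rsa_line(65537, n) for n in SAMPLE_MODULI]
```

Once the right line is identified, saving it to a `.pub` file and pointing `IdentityFile` at it together with `IdentitiesOnly yes` makes ssh offer only that key from the `PKCS11Provider`, which addresses the concern that every TPM key is shown to the remote host.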

I am also having this 'error in libcrypto' when ssh'ing even though my key has the same attributes as yours... Any clues?

praetp avatar Aug 26 '18 13:08 praetp