tpm2-openssl
Cannot CA sign CSRs, failures with tpm2 provider.
I'm on Gentoo with openssl-3.0.9-r2 and tpm2-openssl-1.1.1, tpm2-tss-4.0.1, and am failing to sign CSRs using a CA with a key based on tpm2 provider. I can use the same key to decrypt files run through its pubkey, but CA fails. This same TPM was previously working for CA signing on 1.1.1u with tpm2-tss engine. Everything was regenerated for new openssl version and tpm2 provider. Attempts to sign CSRs result in the following
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
WARNING:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_LoadExternal.c:314:Esys_LoadExternal_Finish() Received TPM Error
ERROR:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002c4)
Signature did not match the certificate request
40470EA9C87F0000:error:4000000C:tpm2::cannot load key::-1:708 tpm:parameter(2):value is out of range or is not correct for the context
40470EA9C87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.9/crypto/asn1/a_verify.c:196:
I tried running the PKI test script from this repo to make sure it wasn't something stupid I was doing, and it threw a somewhat different error. The same a_verify.c file errored, at a different line.
paul@paul-desktop ~/workspace/tpm2-openssl/test/rsa_pki $ ./rsa_pki.sh
++ dirname ./rsa_pki.sh
+ export PKIDIR=.
+ PKIDIR=.
+ mkdir -p testdb/ca/root-ca/private testdb/ca/root-ca/db testdb/crl testdb/certs
+ chmod 700 testdb/ca/root-ca/private
+ cp /dev/null testdb/ca/root-ca/db/root-ca.db
+ cp /dev/null testdb/ca/root-ca/db/root-ca.db.attr
+ echo 01
+ echo 01
+ openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' -new -config ./etc/root-ca.conf -out testdb/ca/root-ca.csr -keyout testdb/ca/root-ca/private/root-ca.key
Warning: generating random key material may take a long time
if the system has a poor entropy source
-----
+ openssl ca -provider tpm2 -provider default -propquery '?provider=tpm2' -selfsign -config ./etc/root-ca.conf -batch -in testdb/ca/root-ca.csr -out testdb/ca/root-ca.crt -extensions root_ca_ext
Using configuration from ./etc/root-ca.conf
40D7FE3E7B7F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../openssl-3.0.9/crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
Check that the request matches the signature
WARNING:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:/var/tmp/portage/app-crypt/tpm2-tss-4.0.1/work/tpm2-tss-4.0.1/src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x00000902)
Signature did not match the certificate request
40D7FE3E7B7F0000:error:40000013:tpm2::cannot duplicate context::-1:2306 tpm:warn(2.0): out of memory for object contexts
40D7FE3E7B7F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.9/crypto/asn1/a_verify.c:217:
+ '[' -f testdb/ca/root-ca.crt ']'
I also just tried using openssl 3.1.2, same results.
No idea if it's something I'm doing wrong, a configuration problem with my system, or a potential bug. Any help would be appreciated; I should be able to run any troubleshooting steps required, though I'm not very experienced with openssl beyond basic usage.
Steps to create CA private key, CA cert, and sign CSR:
openssl genpkey -provider tpm2 -provider default -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pkeyopt user-auth:ASDF -out /etc/pki/CA/private/cakey.pem
openssl req -provider tpm2 -provider default -x509 -subj '/C=US/O=Aiton/OU=AitonCertificateAuthoritah/CN=AitonPrimaryCertificateAuthority' -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
openssl ca -provider tpm2 -provider default -propquery '?provider=tpm2' -batch -in /etc/pki/CA/CSRs/paul-desktop.local.server.csr -cert /etc/pki/CA/cacert.pem -out /etc/pki/CA/certs/paul-desktop.local.server.pem
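Both failures above carry a raw TPM 2.0 response code in the esys log line (0x000002c4 and 0x00000902). Decoding those codes is the first triage step, because the code says whether the TPM rejected a parameter of the command (Format 1) or hit a resource limit (a Format 0 warning). The following decoder is an added example, not code from tpm2-openssl or tpm2-tss; the name tables are partial transcriptions of the TPM 2.0 Library Part 2 response-code tables (only the codes needed for common triage are listed), and the sample log text is copied from the two excerpts in this issue.

```python
import re

# Format 1 error numbers (TPM 2.0 Library Part 2, RC_FMT1 = 0x080). Partial table.
FMT1_ERRORS = {
    0x001: "TPM_RC_ASYMMETRIC", 0x002: "TPM_RC_ATTRIBUTES", 0x003: "TPM_RC_HASH",
    0x004: "TPM_RC_VALUE", 0x005: "TPM_RC_HIERARCHY", 0x007: "TPM_RC_KEY_SIZE",
    0x00A: "TPM_RC_TYPE", 0x00B: "TPM_RC_HANDLE", 0x00C: "TPM_RC_KDF",
    0x00D: "TPM_RC_RANGE", 0x00E: "TPM_RC_AUTH_FAIL", 0x012: "TPM_RC_SCHEME",
    0x015: "TPM_RC_SIZE", 0x01B: "TPM_RC_SIGNATURE", 0x01C: "TPM_RC_KEY",
    0x01D: "TPM_RC_POLICY_FAIL", 0x01F: "TPM_RC_INTEGRITY", 0x022: "TPM_RC_BAD_AUTH",
}

# Format 0 warnings (RC_WARN = 0x900). Partial table.
WARNINGS = {
    0x001: "TPM_RC_CONTEXT_GAP", 0x002: "TPM_RC_OBJECT_MEMORY",
    0x003: "TPM_RC_SESSION_MEMORY", 0x004: "TPM_RC_MEMORY",
    0x005: "TPM_RC_SESSION_HANDLES", 0x006: "TPM_RC_OBJECT_HANDLES",
    0x020: "TPM_RC_NV_RATE", 0x021: "TPM_RC_LOCKOUT", 0x022: "TPM_RC_RETRY",
}

# Format 0 errors (RC_VER1 = 0x100). Partial table.
VER1_ERRORS = {
    0x000: "TPM_RC_INITIALIZE", 0x001: "TPM_RC_FAILURE", 0x003: "TPM_RC_SEQUENCE",
    0x024: "TPM_RC_AUTH_TYPE", 0x025: "TPM_RC_AUTH_MISSING", 0x026: "TPM_RC_POLICY",
    0x02E: "TPM_RC_TOO_MANY_CONTEXTS", 0x050: "TPM_RC_BAD_CONTEXT",
    0x052: "TPM_RC_PARENT", 0x055: "TPM_RC_SENSITIVE",
}


def decode_tpm_rc(rc):
    """Return (name, location) for a TPM 2.0 response code.

    Bits 16+ are a tpm2-tss layer tag and are ignored here; only the low
    12 bits form the TPM_RC itself (bits 12-15 are reserved).
    """
    code = rc & 0xFFF
    if code == 0:
        return ("TPM_RC_SUCCESS", "")
    if code & 0x080:
        # Format 1: error number in bits 0-5, position of the bad input above.
        name = FMT1_ERRORS.get(code & 0x03F, "TPM_RC_FMT1+0x%03x" % (code & 0x03F))
        if code & 0x040:                       # P bit: a command parameter
            return (name, "parameter %d" % ((code >> 8) & 0xF))
        if code & 0x800:                       # S bit: an authorization session
            return (name, "session %d" % ((code >> 8) & 0x7))
        return (name, "handle %d" % ((code >> 8) & 0x7))
    if not code & 0x100:
        return ("TPM_1.2_RC_0x%03x" % code, "")  # V bit clear: TPM 1.2 code
    number = code & 0x07F
    if code & 0x800:                           # S bit in Format 0 marks a warning
        return (WARNINGS.get(number, "TPM_RC_WARN+0x%03x" % number), "warning")
    return (VER1_ERRORS.get(number, "TPM_RC_VER1+0x%03x" % number), "error")


ERRORCODE_RE = re.compile(r"ErrorCode \((0x[0-9A-Fa-f]+)\)")


def find_error_codes(log_text):
    """Extract every 'Esys Finish ErrorCode (0x...)' value from esys log output."""
    return [int(m.group(1), 16) for m in ERRORCODE_RE.finditer(log_text)]


def triage(log_text):
    """Map each esys error code in the log to its decoded (name, location)."""
    return [(rc, decode_tpm_rc(rc)) for rc in find_error_codes(log_text)]


# Constructed sample: the two esys lines quoted in the issue, one per failure.
SAMPLE_LOG = """\
ERROR:esys:.../src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002c4)
ERROR:esys:.../src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x00000902)
"""

if __name__ == "__main__":
    for rc, (name, where) in triage(SAMPLE_LOG):
        print("0x%08x -> %s (%s)" % (rc, name, where))
```

Run against the issue's own lines, this reports 0x2c4 as TPM_RC_VALUE on parameter 2 (the second parameter of TPM2_LoadExternal is the public area, so the TPM is rejecting the key's public blob rather than the signature itself) and 0x902 as the TPM_RC_OBJECT_MEMORY warning, i.e. the TPM had no free object slot when tpm2-openssl tried to load a saved context. The two errors are different conditions and should be tracked separately.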
@paultaiton you got any update on above error?
Not yet @tanginik
I made the simplest CSR test/example possible: https://github.com/tpm2-software/tpm2-openssl/blob/master/test/rsa_genpkey_x509_csr.sh
Please check whether this works for you. It does for me.