tpm2-pkcs11
tpm2_ptool does not recognize parent handle correctly
Hi all,
I'm referring to this issue: https://github.com/tpm2-software/tpm2-tss-engine/issues/221
I'm using tpm2tss-genkey to derive a PEM representation from some key material I generated via https://github.com/google/go-attestation. Therefore I export the public and private portions according to google/go-tpm#233 and then do tpm2tss-genkey -u pubktpmmarshal -r pktpmmarshal -P 0x81000001 go-key.pem. The key generally seems fine, but I found that the parent part probably has an overflow. cat go-key.pem | openssl asn1parse yields:
    0:d=0  hl=4 l= 498 cons: SEQUENCE
    4:d=1  hl=2 l=   6 prim: OBJECT            :2.23.133.10.1.3
   12:d=1  hl=2 l=   3 cons: cont [ 0 ]
   14:d=2  hl=2 l=   1 prim: BOOLEAN           :1
   17:d=1  hl=2 l=   4 prim: INTEGER           :-7EFFFFFF
   23:d=1  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:
  307:d=1  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE0020993A1BD55AF1AA2C50FAE080217EE72DEBE672330ED6C3336D98B629ED6AD67300106370621C91E5A0484808E03CE9B0D20D3BB6A312CE8CE694A346616A787F85F6456A7C55A2011406D5004E043358946F855B8F2C73F46529A880CE0F067C8E88880944B8691272DA93E7F842C3F83982A6B0432FF90B9F32459F57E005E71EFC4BA6F4F3D15ECDE07BF09756874990DB3453A8858351650A75D2C439D3C536FA1DA5910D5C19D454C196C06A13EEC63FB0908A22ED2ADD3D17FB
I intend to link this key to a token in https://github.com/tpm2-software/tpm2-pkcs11 with tpm2_ptool, but since the parent is faulty, I get (tpm2_ptool link --path /usr/share/tpmpkcs11store --label=mytoken2 --userpin=myuserpin --key-label="link-key" go-key.pem):
The primary object (id: 5) is persistent and the TSS Engine key does not have a persistent parent, got: 0x-7effffff
It seems that tpm2_ptool does not interpret the parent handle correctly.
Any help is appreciated. Thanks in advance!
In tpm2_ptool, the parent handle is decoded in https://github.com/tpm2-software/tpm2-pkcs11/blob/8a4ec0d09b76dfbdea4386f48b6ed0f6bc5cee3c/tools/tpm2_pkcs11/commandlets_keys.py#L606
A possible fix could consist of making sure the value is non-negative, for example by adding this to create_from_tss_key:
diff --git a/tools/tpm2_pkcs11/commandlets_keys.py b/tools/tpm2_pkcs11/commandlets_keys.py
index dc49c5946624..b4dd962ad012 100644
--- a/tools/tpm2_pkcs11/commandlets_keys.py
+++ b/tools/tpm2_pkcs11/commandlets_keys.py
@@ -607,6 +607,10 @@ class LinkCommand(NewKeyCommandBase):
pubbytes = bytes(tss2_privkey['pubkey'])
privbytes = bytes(tss2_privkey['privkey'])
+ # Transform signed 32-bit integers into unsigned int
+ if -0x80000000 <= phandle < 0:
+ phandle &= 0xffffffff
+
pid = pobj['id']
pobj_config = yaml.safe_load(pobj['config'])
is_transient = pobj_config['transient']
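Review bot: the mask recovers the intended value, but the root cause sits upstream of this function: a DER INTEGER is signed, and the four octets 81 00 00 01 written without a leading 0x00 decode to -0x7EFFFFFF, which is exactly what the asn1parse output and the "got: 0x-7effffff" message in the issue show. The new comment should say that (e.g. `# Handles >= 0x80000000 arrive negative when the producer omitted the DER leading zero`), and a range check after the mask, e.g. `if not 0 <= phandle <= 0xffffffff: raise RuntimeError(...)`, would make a genuinely malformed handle fail loudly instead of passing through to the persistence check below. The lower bound `-0x80000000 <= phandle` is redundant with the mask for in-range values but harmless; the upper bound after masking is the check that is missing.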
Does your use-case work with this patch?
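The sign problem behind this thread, as an added example that is not part of tpm2-pkcs11 or of the comments above: DER INTEGER content is two's complement, so the four raw bytes 81 00 00 01 decode to -0x7EFFFFFF, and the mask from the patch maps that back to the persistent handle. The handle-type constants follow the TPM 2.0 handle layout (most significant octet 0x81 = persistent, 0x80 = transient); the sample bytes are constructed here.

```python
TPM_HT_TRANSIENT = 0x80   # MSO of transient handles, e.g. 0x80000000
TPM_HT_PERSISTENT = 0x81  # MSO of persistent handles, e.g. 0x81000001


def der_int_decode(content: bytes) -> int:
    """Decode DER INTEGER content octets the way a generic ASN.1 parser
    does: big-endian two's complement, so a set top bit means negative."""
    return int.from_bytes(content, "big", signed=True)


def der_int_encode(value: int) -> bytes:
    """Minimal DER INTEGER content octets for an unsigned handle. A value
    with its top bit set needs one extra leading 0x00 byte."""
    if value < 0:
        raise ValueError("TPM handles are unsigned")
    length = max(1, (value.bit_length() + 8) // 8)  # leaves room for the sign bit
    return value.to_bytes(length, "big", signed=True)


def normalize_handle(phandle: int) -> int:
    """Recover the unsigned 32-bit handle from a value that a signed decode
    produced (the fix proposed in the thread), then reject anything that
    still is not a valid 32-bit handle."""
    if -0x80000000 <= phandle < 0:
        phandle &= 0xffffffff
    if not 0 <= phandle <= 0xffffffff:
        raise ValueError("not a 32-bit TPM handle: %r" % phandle)
    return phandle


def handle_type(handle: int) -> int:
    """The most significant octet of a TPM handle selects its type."""
    return normalize_handle(handle) >> 24


def is_persistent(handle: int) -> bool:
    return handle_type(handle) == TPM_HT_PERSISTENT


# Constructed sample: 0x81000001 written as DER INTEGER content without the
# leading zero, which is what the asn1parse output in the issue reflects.
MISENCODED_PARENT = bytes.fromhex("81000001")
decoded = der_int_decode(MISENCODED_PARENT)  # -0x7EFFFFFF

if __name__ == "__main__":
    print("decoded as signed:   0x%x" % decoded)  # 0x-7effffff, as in the error message
    print("normalized:          0x%08x" % normalize_handle(decoded))
    print("persistent parent?   %s" % is_persistent(decoded))
    print("correct DER content:", der_int_encode(0x81000001).hex())  # 0081000001
```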
I wonder if we can just read it out with
import struct
# '>I' reads one big-endian unsigned 32-bit value; unpack() returns a tuple
phandle = struct.unpack('>I', tss2_privkey['parent'])[0]
Does anyone know if this patch works?