
tpm2_ptool does not recognize parent handle correctly

Open kuhlmannmarkus opened this issue 2 years ago • 3 comments

Hi all,

I'm referring to this issue: https://github.com/tpm2-software/tpm2-tss-engine/issues/221

I'm using tpm2tss-genkey to derive a PEM representation from some key material I generated via https://github.com/google/go-attestation. Therefore I export the public and private portions according to google/go-tpm#233 and then do tpm2tss-genkey -u pubktpmmarshal -r pktpmmarshal -P 0x81000001 go-key.pem. The key generally seems fine, but I found that the parent part probably has an overflow. cat go-key.pem | openssl asn1parse yields:

    0:d=0  hl=4 l= 498 cons: SEQUENCE
    4:d=1  hl=2 l=   6 prim: OBJECT            :2.23.133.10.1.3
   12:d=1  hl=2 l=   3 cons: cont [ 0 ]
   14:d=2  hl=2 l=   1 prim: BOOLEAN           :1
   17:d=1  hl=2 l=   4 prim: INTEGER           :-7EFFFFFF
   23:d=1  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:01160001000B0004007200000010001008000000000001009203AB176AD723B0B51BBE717115558F5AFC48A8171F81E4925CF3212E9915C506F6711ECF4957BDE2DBD2EE26856776083FBC8A26BCA37C73392E4CBC5E5F7C9FCEC13AED9EF7F39B7CC18A95EA1BFE7EE95BA7FB1CEF9CE42B07974DE0DC23A89FCF603A1523691FF877DD8F3623C6A2FE1C506CCDA2530C99965C36BD0C5CD43C750BE3F7F6772387F4779A150E427C843CDA73C6575EABA53E6FF1E3A908EC7D6B3BF78F45B67C7C814F11F863E2E40D04DC0E02E9D49A6C265C236B7DB77064037F5D9D5007DF56AB1D45A1EF709274F27A6AADA0CAA1DD0D865115775EBAFD5BEA12AD48125F364210691671F89C070FB6A405249533567BE35654FAA7
  307:d=1  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE0020993A1BD55AF1AA2C50FAE080217EE72DEBE672330ED6C3336D98B629ED6AD67300106370621C91E5A0484808E03CE9B0D20D3BB6A312CE8CE694A346616A787F85F6456A7C55A2011406D5004E043358946F855B8F2C73F46529A880CE0F067C8E88880944B8691272DA93E7F842C3F83982A6B0432FF90B9F32459F57E005E71EFC4BA6F4F3D15ECDE07BF09756874990DB3453A8858351650A75D2C439D3C536FA1DA5910D5C19D454C196C06A13EEC63FB0908A22ED2ADD3D17FB

I intend to link this key to a token in https://github.com/tpm2-software/tpm2-pkcs11 with tpm2_ptool, but since the parent is faulty, I get (tpm2_ptool link --path /usr/share/tpmpkcs11store --label=mytoken2 --userpin=myuserpin --key-label="link-key" go-key.pem):

The primary object (id: 5) is persistent and the TSS Engine key does not have a persistent parent, got: 0x-7effffff

It seems that tpm2_ptool does not interpret the parent handle correctly.

Any help is appreciated. Thanks in advance!

kuhlmannmarkus, Sep 03 '21 10:09

In tpm2_ptool, the parent handle is decoded in https://github.com/tpm2-software/tpm2-pkcs11/blob/8a4ec0d09b76dfbdea4386f48b6ed0f6bc5cee3c/tools/tpm2_pkcs11/commandlets_keys.py#L606

A possible fix could consist of making sure the value is non-negative, for example by adding to create_from_tss_key:

diff --git a/tools/tpm2_pkcs11/commandlets_keys.py b/tools/tpm2_pkcs11/commandlets_keys.py
index dc49c5946624..b4dd962ad012 100644
--- a/tools/tpm2_pkcs11/commandlets_keys.py
+++ b/tools/tpm2_pkcs11/commandlets_keys.py
@@ -607,6 +607,10 @@ class LinkCommand(NewKeyCommandBase):
         pubbytes = bytes(tss2_privkey['pubkey'])
         privbytes = bytes(tss2_privkey['privkey'])
 
+        # Transform signed 32-bit integers into unsigned int
+        if -0x80000000 <= phandle < 0:
+            phandle &= 0xffffffff
+
         pid = pobj['id']
         pobj_config = yaml.safe_load(pobj['config'])
         is_transient = pobj_config['transient']
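Review bot: the range guard on the new `if` is narrower than it needs to be: a decoded value below -0x80000000 is neither masked nor rejected here, so it reaches the persistent-parent check further down and fails with the same misleading "does not have a persistent parent, got: 0x-..." message. Suggest validating first and masking unconditionally, e.g. `if not -0x80000000 <= phandle <= 0xffffffff: raise RuntimeError(...)` followed by `phandle &= 0xffffffff`. The comment should also record the root cause, namely that the handle was DER-encoded as a 4-byte INTEGER with its top bit set so the decoder read 0x81000001 as -0x7EFFFFFF; without that, the mask looks like dead code to the next reader.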

Does your use-case work with this patch?

niooss-ledger, Sep 06 '21 17:09
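As an added, stand-alone illustration (not code from this issue, tpm2-pkcs11 or tpm2-tss-engine), the following Python shows why the 4-byte INTEGER in the asn1parse output above decodes to -7EFFFFFF, what the minimal DER encoding of the same handle looks like, and how the masking approach from the patch recovers the handle; the TLV bytes and the persistent-handle check (top octet 0x81) are constructed here for the demonstration.

```python
"""DER INTEGER is two's complement: the content bytes 81 00 00 01 have the top
bit set, so a conforming decoder (pyasn1, openssl asn1parse) reads them as
-0x7EFFFFFF. A correct encoder prepends 0x00 and emits 5 content bytes.
"""

INTEGER_TAG = 0x02
TPM2_HR_PERSISTENT = 0x81  # handle-type octet of persistent handles (TPM 2.0 Part 2)


def der_encode_integer(value: int) -> bytes:
    """Minimal DER INTEGER TLV for a non-negative value (leading 0x00 added if needed)."""
    if value < 0:
        raise ValueError("only non-negative handles are encoded here")
    length = (value.bit_length() + 8) // 8  # +8 reserves the sign bit, keeps it minimal
    content = value.to_bytes(length, "big", signed=True)
    return bytes([INTEGER_TAG, len(content)]) + content


def der_decode_integer(tlv: bytes) -> int:
    """Decode a short-form DER INTEGER TLV, honouring the sign bit like a real decoder."""
    if len(tlv) < 2 or tlv[0] != INTEGER_TAG:
        raise ValueError("not a DER INTEGER")
    length = tlv[1]
    if length >= 0x80 or len(tlv) != 2 + length:
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(tlv[2:], "big", signed=True)


def normalize_parent_handle(decoded: int) -> int:
    """Recover the unsigned 32-bit handle from what a signed decoder produced."""
    if not -0x80000000 <= decoded <= 0xFFFFFFFF:
        raise ValueError(f"parent handle does not fit in 32 bits: {decoded:#x}")
    return decoded & 0xFFFFFFFF


def is_persistent_handle(handle: int) -> bool:
    """True for handles in the persistent range (top octet 0x81)."""
    return (handle >> 24) == TPM2_HR_PERSISTENT


# Constructed sample: the 4-byte encoding seen in the asn1parse output (l= 4 INTEGER).
BUGGY_PARENT_TLV = bytes.fromhex("020481000001")
# What a correct minimal DER encoder emits for the same handle (5 content bytes).
CORRECT_PARENT_TLV = der_encode_integer(0x81000001)

if __name__ == "__main__":
    raw = der_decode_integer(BUGGY_PARENT_TLV)  # -0x7effffff
    handle = normalize_parent_handle(raw)       # 0x81000001
    print(f"decoded {raw:#x} -> handle {handle:#010x}, persistent={is_persistent_handle(handle)}")
    print("minimal encoding:", CORRECT_PARENT_TLV.hex(), "->", hex(der_decode_integer(CORRECT_PARENT_TLV)))
```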

I wonder if we can just read it out with

import struct
# '>I' reads exactly 4 bytes as an unsigned big-endian 32-bit value (native 'L' is
# platform-sized), and unpack() returns a tuple, hence the [0]; this assumes
# tss2_privkey['parent'] yields the 4 raw content bytes of the INTEGER.
phandle = struct.unpack('>I', bytes(tss2_privkey['parent']))[0]

williamcroberts, Sep 07 '21 15:09

Does anyone know if this patch works?

williamcroberts, Jul 01 '22 14:07