
Make FAPI respect PROXY env vars for Certificate retrieval (see bottom)

Open ishfx opened this issue 3 years ago • 6 comments

Hello,

I'm writing a TPM POC to test the TPM2 functions using the FAPI lib.

The POC code works fine on a TPM2 simulator, but when used on an actual TPM2, I get an error while provisioning (Fapi_Provision call). I've tried switching between the default profiles P_ECCP256SHA256 and P_RSA2048SHA256, but the error persists.

Here are the logs:

WARNING:fapi:src/tss2-fapi/ifapi_io.c:340:ifapi_io_check_create_dir() Directory /tmp/tmpng9at_hk/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/fapi_crypto.c:1930:ifapi_verify_ek_cert() ErrorCode (0x00060001) Failed to create intermediate certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:830:Fapi_Provision_Finish() ErrorCode (0x00060001) Verify EK certificate
ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (ff).
ERROR:esys:src/tss2-esys/esys_iutil.c:1105:esys_GetResourceObject() Unknown ESYS handle. ErrorCode (0x0007000b)
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:138:Esys_FlushContext_Async() flushHandle unknown. ErrorCode (0x0007000b)
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x0007000b)
ERROR:fapi:src/tss2-fapi/fapi_util.c:1079:ifapi_session_clean() Cleanup session failed.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x00060001) Provision

Any ideas on why I'm getting this error? Do I need to reset the TPM?

Thanks in advance!

ishfx avatar Jun 14 '21 16:06 ishfx

@joholl or @AndreasFuchsSIT ?

williamcroberts avatar Jun 14 '21 18:06 williamcroberts

The error occurs when the DER intermediate certificate (retrieved with URL from EK cert) is converted to X509. As a workaround to skip the certificate check you could add "ek_cert_less": "yes" to the used profile. If you could add an EK certificate it would be possible to investigate the problem. If the tpm tools are installed you can get the certificates with:
tpm2_getekcertificate -o cert1.der -o cert2.der
and convert them to PEM with:
openssl x509 --inform DER --outform PEM -in cert1.der -out cert1.pem

JuergenReppSIT avatar Jun 15 '21 08:06 JuergenReppSIT

The error occurs when the DER intermediate certificate (retrieved with URL from EK cert) is converted to X509. As a workaround to skip the certificate check you could add: "ek_cert_less": "yes", to the used profile.

You're right! It worked like a charm, thank you! I completely forgot that I was setting this option when using the simulator ...

If you could add an EK certificate it would be possible to investigate the problem. If the tpm tools are installed you can get the certificates with:
tpm2_getekcertificate -o cert1.der -o cert2.der
and convert them to PEM with:
openssl x509 --inform DER --outform PEM -in cert1.der -out cert1.pem

Here are the EK certificates in PEM format (from my Infineon TPM2). (Is it safe to publicly share them? I suppose so, because it's just a certificate. I'm not familiar yet with all these TPM keys and certificates.)

  • cert1.pem (RSA ?)
  • cert2.pem (ECC ?)

ishfx avatar Jun 15 '21 09:06 ishfx

Thank you for uploading the certificates. I did also test it with an Infineon TPM and provisioning worked for me. The only difference was the link for retrieving the intermediate certificate:
your TPM: http://pki.infineon.com/OptigaEccMfrCA041/OptigaEccMfrCA041.crl
my TPM: http://pki.infineon.com/OptigaEccMfrCA042/OptigaEccMfrCA042.crt
To check whether the conversion works I have replaced my URL with your URL in the debugger. Your intermediate certificate was downloaded and the conversion to X509 worked without problems. To see what happens in your case I have created a PR to get more information related to the certificate verification (#2096). After the PR is merged the debugging output can be activated with:
export TSS2_LOG=fapi+debug
(or meanwhile you could use the branch fapi-add-debug-log-verify-ek-cert from https://github.com/JuergenReppSIT/tpm2-tss)

JuergenReppSIT avatar Jun 15 '21 12:06 JuergenReppSIT

Thank you for all these details. Much appreciated!

I wasn't aware that the FAPI lib needs an internet connection (that's my understanding, since it needs to retrieve certificates from a remote server). Maybe that's the issue: my TPM machine is behind a proxy, the HTTP_PROXY and HTTPS_PROXY env vars are set, but I don't know if the FAPI lib uses them.

I'll add your additional logs as soon as I can and keep you posted.

ishfx avatar Jun 15 '21 13:06 ishfx

That's a good point. We just use libcurl and hope it does everything correctly... I have no idea if it respects said env vars.

AndreasFuchsTPM avatar Jun 18 '21 08:06 AndreasFuchsTPM
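An added diagnostic, not part of this thread or of tpm2-tss: libcurl does read proxy settings from the environment, but for plain-http URLs (which is what the EK certificate's issuer link above is) it only honours lowercase http_proxy; uppercase HTTP_PROXY is deliberately ignored because CGI servers populate it from a request header, while https_proxy/HTTPS_PROXY, all_proxy/ALL_PROXY and no_proxy/NO_PROXY are read in both cases. The script below mirrors that lookup in Python (it does not call libcurl itself, and its no_proxy matching is simplified to host suffixes) so you can see on the TPM host which proxy, if any, FAPI's intermediate-certificate download would go through, and optionally fetch the certificate the same way.

```python
import os
import sys
import urllib.request
from urllib.parse import urlsplit


def libcurl_proxy_for(url, env=None):
    """Return the proxy libcurl would use for `url` with environment `env`, or None.
    Lookup order as in libcurl: <scheme>_proxy lowercase, then uppercase for every
    scheme except http (uppercase HTTP_PROXY is ignored on purpose, since CGI
    servers set it from a request header), then all_proxy / ALL_PROXY. Hosts in
    no_proxy / NO_PROXY bypass the proxy ('*' bypasses all); an empty value
    disables proxying. Simplified: no_proxy entries match host suffixes only.
    """
    env = os.environ if env is None else env
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()

    no_proxy = env.get("no_proxy") or env.get("NO_PROXY") or ""
    for entry in (e.strip().lower().lstrip(".") for e in no_proxy.split(",")):
        if entry and (entry == "*" or host == entry or host.endswith("." + entry)):
            return None

    names = [scheme + "_proxy"]
    if scheme != "http":
        names.append(scheme.upper() + "_PROXY")
    names += ["all_proxy", "ALL_PROXY"]
    for name in names:
        value = env.get(name)
        if value is not None:
            return value or None  # empty string: proxying explicitly disabled
    return None


def fetch_bytes(url, proxy):
    """Download `url` through `proxy` (direct when None); returns the raw bytes,
    i.e. the DER intermediate certificate when given the EK cert's issuer URL."""
    proxies = {urlsplit(url).scheme: proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage: python3 check_proxy.py <issuer-cert-url> [--fetch]
    url = sys.argv[1]
    proxy = libcurl_proxy_for(url)
    print("libcurl would use proxy:", proxy or "none (direct connection)")
    if "--fetch" in sys.argv[2:]:
        print("downloaded", len(fetch_bytes(url, proxy)), "bytes")
```

If the script reports a direct connection although HTTP_PROXY is exported, the fix on the host side is to export lowercase http_proxy as well (and no_proxy for any internal PKI hosts).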