tpm2-tss
CSR generation failed in openssl-3.0.9 version due to the authorization HMAC check failed and DA counter incremented
Hi,
We are trying to generate the CSR file using the openssl command with tpm2, and this is what we got after running it:
sudo openssl req -new -provider-path /usr/lib64/ossl-packages -provider tpm2 -key handle:0x81010002 -out test2.csr -config csr.cnf
Output after running the above command:
PROVIDER INIT
STORE/OBJECT OPEN handle:0x81010002
STORE/OBJECT SET_PARAMS [ expect ]
STORE/OBJECT LOAD
STORE/OBJECT LOAD pkey
STORE/OBJECT LOAD found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 1
STORE/OBJECT CLOSE
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa pkcs1/der DOES_SELECTION 0x86
ENCODER rsa pkcs1/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der ENCODE 0x86
RSA GET_PARAMS [ default-digest mandatory-digest ]
RSA GET_PARAMS [ default-digest mandatory-digest ]
SIGN DIGEST_INIT rsa MD=(null)
SIGN GET_CTX_PARAMS [ algorithm-id ]
SIGN DIGEST_SIGN estimate
SIGN DIGEST_SIGN
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x0000098e)
405167A7BB7F0000:error:4000000F:tpm2:tpm2_signature_digest_sign:cannot sign:src/tpm2-provider-signature.c:506:2446 tpm:session(1):the authorization HMAC check failed and DA counter incremented
405167A7BB7F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:284:
RSA FREE
PROVIDER TEARDOWN
It is throwing this: "the authorization HMAC check failed and DA counter incremented".
Before generating the CSR, we are running these commands:
For enabling tpm clear
tpm2_changeauth -c o -p Z75rVG1VY7DplNA1
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet: 0
  endorsementAuthSet: 1
  lockoutAuthSet: 1
  reserved1: 0
  disableClear: 0
  inLockout: 0
  tpmGeneratedEPS: 1
  reserved2: 0
TPM2_PT_STARTUP_CLEAR:
  phEnable: 1
  shEnable: 1
  ehEnable: 1
  phEnableNV: 1
  reserved1: 0
  orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0xB
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
For tpm clear
sudo tpm2_clear N1TXvZ9GCHary5Xq
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet: 0
  endorsementAuthSet: 0
  lockoutAuthSet: 0
  reserved1: 0
  disableClear: 0
  inLockout: 0
  tpmGeneratedEPS: 1
  reserved2: 0
TPM2_PT_STARTUP_CLEAR:
  phEnable: 1
  shEnable: 1
  ehEnable: 1
  phEnableNV: 1
  reserved1: 0
  orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0xB
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
For tpm initialize
sudo tpm2_changeauth -c endorsement 7aAGPBMlm1VRPNlH
sudo tpm2_dictionarylockout -s -n 32 -t 3600 -l 1800
sudo tpm2_changeauth -c lockout N1TXvZ9GCHary5Xq
sudo tpm2_changeauth -c owner Z75rVG1VY7DplNA1
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet: 1
  endorsementAuthSet: 1
  lockoutAuthSet: 1
  reserved1: 0
  disableClear: 0
  inLockout: 0
  tpmGeneratedEPS: 1
  reserved2: 0
TPM2_PT_STARTUP_CLEAR:
  phEnable: 1
  shEnable: 1
  ehEnable: 1
  phEnableNV: 1
  reserved1: 0
  orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0xB
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
For generation of vendor keys
echo pL7R0jPKaVTf3SA2P660A9hojsOGCiXfsls61fr9xjyV4OCcyV5pEg4AQE6a5ivldNaXpJZ8EpXajDw1f1AQibVi5QLkmzcRWOgZ9reoENbZmu0vTtQ6e1DlADSKuLi9AJLTUC34t6idrdEjyg2akneZ5INDsrtZ97Vhqo5zhcDEbO9yhKiOAIsub9fz2J2RMQX6ednsXqdjH6B1EWOtAx2oPav6uZkGeaOc7GoAzA4KI2hQEoZn1GxiprivZN5 |tpm2 createprimary -C e -G rsa2048 -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth' -u - -c endorsementkey.ctx -P 7aAGPBMlm1VRPNlH -p e5xGX7sEgVrfDxkg
sudo tpm2_evictcontrol -C o -c endorsementkey.ctx 0x81010001 -P Z75rVG1VY7DplNA1
sudo tpm2_getcap handles-persistent | grep 0x81010001
sudo tpm2_create -C 0x81010001 -a 'fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign' -u vendorkey.pub -r vendorkey.priv -P e5xGX7sEgVrfDxkg -p ynM67sdZjEJesWk6
sudo tpm2_load -C 0x81010001 -u vendorkey.pub -r vendorkey.priv -c vendorkey.ctx -P e5xGX7sEgVrfDxkg
sudo tpm2_evictcontrol -C o -c vendorkey.ctx 0x81010002 -P Z75rVG1VY7DplNA1
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
  ownerAuthSet: 1
  endorsementAuthSet: 1
  lockoutAuthSet: 1
  reserved1: 0
  disableClear: 0
  inLockout: 0
  tpmGeneratedEPS: 1
  reserved2: 0
TPM2_PT_STARTUP_CLEAR:
  phEnable: 1
  shEnable: 1
  ehEnable: 1
  phEnableNV: 1
  reserved1: 0
  orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x2
TPM2_PT_HR_PERSISTENT_AVAIL: 0x9
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
And then we generate the CSR, which is where it fails. Can you help us resolve this issue?
We are using openssl-3.0.9.
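The `tpm2_getcap properties-variable` snapshots pasted in this issue are where a dictionary-attack (DA) counter increment shows up: each failed HMAC authorization against the key raises TPM2_PT_LOCKOUT_COUNTER, and once it reaches TPM2_PT_MAX_AUTH_FAIL the TPM refuses further DA-protected operations for TPM2_PT_LOCKOUT_INTERVAL seconds. The following is an added example, not code from this issue, from tpm2-tss or from tpm2-openssl: a small Python parser for that output which flattens it into a dictionary, summarizes the DA state, and diffs two snapshots so a moving counter is noticed before the lockout. The embedded snapshot text is constructed from the values the issue shows after key generation; the second snapshot's counter value of 0x1 is made up to show a change.

```python
"""Parse `tpm2_getcap properties-variable` output and report the DA lockout state.

Added example; not part of the original issue, tpm2-tss or tpm2-openssl.
"""

# Constructed: abbreviated properties-variable output using the values shown
# in the issue after key generation (counter 0x0, max auth failures 0x20).
SNAPSHOT_AFTER_KEYGEN = """\
TPM2_PT_PERMANENT:
  ownerAuthSet:              1
  endorsementAuthSet:        1
  lockoutAuthSet:            1
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
TPM2_PT_HR_PERSISTENT: 0x2
TPM2_PT_HR_PERSISTENT_AVAIL: 0x9
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
"""

# Constructed: the same TPM after one failed HMAC authorization. The counter
# value 0x1 is made up for the example; the issue does not show this snapshot.
SNAPSHOT_AFTER_FAILURE = SNAPSHOT_AFTER_KEYGEN.replace(
    "TPM2_PT_LOCKOUT_COUNTER: 0x0", "TPM2_PT_LOCKOUT_COUNTER: 0x1")


def _to_int(value):
    """Convert '0', '1' or '0x20' to int; leave anything else as a string."""
    try:
        return int(value, 0)
    except ValueError:
        return value


def parse_properties_variable(text):
    """Flatten the YAML-like output into {'KEY': value, 'SECTION.key': value}.

    A top-level line with an empty value (e.g. 'TPM2_PT_PERMANENT:') opens a
    section; indented lines belong to the most recently opened section.
    """
    props = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indented = line[0].isspace()
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if not indented and value == "":
            section = key
            continue
        name = f"{section}.{key}" if indented and section else key
        props[name] = _to_int(value)
    return props


def da_status(props):
    """Summarize DA protection: failures so far, headroom to lockout, timers."""
    counter = props["TPM2_PT_LOCKOUT_COUNTER"]
    max_fail = props["TPM2_PT_MAX_AUTH_FAIL"]
    return {
        "in_lockout": bool(props["TPM2_PT_PERMANENT.inLockout"]),
        "failed_auths": counter,
        "remaining_before_lockout": max(max_fail - counter, 0),
        "lockout_interval_s": props["TPM2_PT_LOCKOUT_INTERVAL"],
        "lockout_recovery_s": props["TPM2_PT_LOCKOUT_RECOVERY"],
    }


def diff_snapshots(before, after):
    """Keys whose value differs between two parsed snapshots: {key: (old, new)}."""
    return {k: (before.get(k), after[k]) for k in after if before.get(k) != after[k]}


if __name__ == "__main__":
    before = parse_properties_variable(SNAPSHOT_AFTER_KEYGEN)
    after = parse_properties_variable(SNAPSHOT_AFTER_FAILURE)
    print("DA state after the failed sign:", da_status(after))
    print("changed properties:", diff_snapshots(before, after))
```

Reading the parsed values back is a useful sanity check against the earlier `tpm2_dictionarylockout -s -n 32 -t 3600 -l 1800` command in this issue: TPM2_PT_MAX_AUTH_FAIL 0x20 is 32, TPM2_PT_LOCKOUT_INTERVAL 0xE10 is 3600 seconds and TPM2_PT_LOCKOUT_RECOVERY 0x708 is 1800 seconds, so the lockout policy the poster configured is the one in effect. Retrying the failing openssl command unchanged burns one of the 32 allowed failures each time, which is why checking this output between attempts is worthwhile.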
Hey Sir, I met the same problem. How to fix it?
If the key has an auth value, you have to use the handle as described in "Using Key Handle" (https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/keys.md).