Public bug reported:

Problem:

We have prepared an rsa2048 keypair in tpm2 and would like to access it using the pkcs11 engine of OpenSSL, which fails as described below. Please note that the error messages pasted below look somewhat related to https://bugs.launchpad.net/ubuntu/+source/tpm2-tss/+bug/1983160. Is the fix mentioned in that bug already published, or could this be a different error?

Setup:

The TPM2 device:

  ~# dmesg | grep TPM
  [ 0.006201] ACPI: TPM2 0x000000007EB75000 00004C (v04 BOCHS BXPCTPM2 00000001 BXPC 00000001)
  [ 0.006209] ACPI: Reserving TPM2 table memory at [mem 0x7eb75000-0x7eb7504b]
  [ 0.372512] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)

The RSA keypair in TPM2:

  ~# pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so --login --list-objects
  WARNING: Getting tokens from fapi backend failed.
  Using slot 0 with a present token (0x1)
  Logging in to "testlabel".
  Please enter User PIN: ****
  Private Key Object; RSA
    label:
    ID:         31323731386436643066616361643434
    Usage:      decrypt, sign
    Access:     sensitive, always sensitive, never extractable, local
    Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS
  Public Key Object; RSA 2048 bits
    label:
    ID:         31323731386436643066616361643434
    Usage:      encrypt, verify
    Access:     local

Here the openssl.cnf:

  openssl_conf = openssl_init

  [openssl_init]
  engines = engine_section

  [engine_section]
  pkcs11 = pkcs11_section

  [pkcs11_section]
  engine_id = pkcs11
  # See also note on dynamic_path = ... below
  MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so
  init = 0

  [ req ]
  distinguished_name = req_dn
  string_mask = utf8only
  utf8 = yes
  basicConstraints = critical,CA:FALSE
  subjectKeyIdentifier = hash
  req_extensions = v3_req

  [ v3_req ]
  keyUsage = critical, digitalSignature, keyEncipherment
  extendedKeyUsage = critical, clientAuth

  [ req_dn ]
  commonName = Test Subject

We test the pkcs11 engine availability:

  ~# openssl engine pkcs11 -t
  (pkcs11) pkcs11 engine
       [ available ]

Now we try using OpenSSL to generate a CSR:

  ~# openssl req -config ./openssl.cnf -verbose -new -engine pkcs11 -keyform engine -key slot_1-id_38636232383264363035316365623962 -out ./test.csr -subj /CN=some.test.name

Results in an error:

  Engine "pkcs11" set.
  Using configuration from ./openssl.cnf
  WARNING: Getting tokens from fapi backend failed.
  Enter PKCS#11 token PIN for openvpn:
  ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:754:iesys_cryptossl_pk_encrypt() ErrorCode (0x00070001) Could not create rsa key.
  ERROR:esys:src/tss2-esys/esys_iutil.c:521:iesys_compute_encrypted_salt() During encryption. ErrorCode (0x00070001)
  ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:226:Esys_StartAuthSession_Async() Error in parameter encryption. ErrorCode (0x00070001)
  ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:113:Esys_StartAuthSession() Error in async function ErrorCode (0x00070001)
  ERROR: Esys_StartAuthSession: esapi:Catch all for all errors not otherwise specified
  ERROR: Could not start Auth Session with the TPM.
  ERROR: Error unsealing wrapping key
  Login failed
  Login to token failed, returning NULL...
  PKCS11_get_private_key returned NULL
  Could not read private key from org.openssl.engine:pkcs11:slot_1-id_38636232383264363035316365623962
  80DB703FD47F0000:error:03000096:digital envelope routines:fromdata_init:operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
  80DB703FD47F0000:error:41800005:PKCS#11 module:ERR_CKR_error:General Error:p11_slot.c:245:
  80DB703FD47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:

On a sidenote, we do not specify dynamic_path in the openssl.cnf. If we set in openssl.cnf:

  dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so

then we receive a different error:

  ...
  807B8B140C7F0000:error:1280006A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:../crypto/dso/dso_dlfcn.c:188:symname(EVP_PKEY_base_id): /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so: undefined symbol: EVP_PKEY_base_id
  ...

Additional information:

Release: 22.04.1 LTS (Jammy Jellyfish)

Packages:
  libengine-pkcs11-openssl:amd64 0.4.11-1build3
  libp11-3:amd64 0.4.11-1build3
  p11-kit 0.24.0-6build1
  openssl 3.0.2-0ubuntu1.6
  tpm2-openssl:amd64 1.0.1-1
  libtpm2-pkcs11-1 1.7.0-1ubuntu1

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1983665
Title: Problem loading private RSA key with pkcs11 engine, tpm2 module
Status in openssl package in Ubuntu: New
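Added here as a triage aid, not part of the bug report or of any of the packages named in it: a small Python parser that splits the mixed tss2-esys and OpenSSL 3 error output above into structured records and decodes each numeric code into the layer it belongs to, so one can see at a glance that 0x00070001 is an ESAPI-layer (software) code rather than a TPM response and which OpenSSL library each error-queue entry came from. The layer and base-code tables are partial transcriptions of tss2_common.h and OpenSSL's err.h (assumed, not taken from the report); the sample lines are copied from the output in the report, and the "first tss2 line is the innermost frame" rule is an assumption based on the ordering seen here.

```python
import re
# Constructed sample: four lines copied from the bug report's output.
SAMPLE_LOG = """\
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:754:iesys_cryptossl_pk_encrypt() ErrorCode (0x00070001) Could not create rsa key.
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:113:Esys_StartAuthSession() Error in async function ErrorCode (0x00070001)
80DB703FD47F0000:error:03000096:digital envelope routines:fromdata_init:operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
80DB703FD47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:
"""
# TSS2_RC (tss2_common.h): layer in bits 16-23, base code in bits 0-15; partial tables.
TSS2_LAYERS = {0: "TPM", 6: "FAPI", 7: "ESAPI", 8: "SYS", 9: "MU", 10: "TCTI", 11: "RESMGR"}
TSS2_BASE_RC = {1: "GENERAL_FAILURE", 2: "NOT_IMPLEMENTED", 3: "BAD_CONTEXT", 4: "ABI_MISMATCH"}
# OpenSSL 3 error code (err.h): library id in bits 23-30, reason in bits 0-22;
# ids >= 128 are handed out at runtime (here to libp11's "PKCS#11 module" lib).
OSSL_LIBS = {6: "EVP", 37: "DSO", 38: "ENGINE"}

TSS2_RE = re.compile(r"^ERROR:(?P<mod>\w+):(?P<file>[^:]+):(?P<line>\d+):(?P<func>\w+)\(\)"
                     r"\s*(?P<pre>.*?)\s*ErrorCode \((?P<rc>0x[0-9a-fA-F]+)\)\s*(?P<post>.*)$")
OSSL_RE = re.compile(r"^(?P<tid>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
                     r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d*):")

def decode_tss2_rc(rc):
    layer, base = (rc >> 16) & 0xFF, rc & 0xFFFF  # layer 0: low bits are a raw TPM2 RC
    base_name = f"tpm_rc_0x{base:04x}" if layer == 0 else TSS2_BASE_RC.get(base, f"base_rc_{base}")
    return {"layer": TSS2_LAYERS.get(layer, f"layer{layer}"), "base": base_name}

def decode_ossl_code(code):
    lib, reason = (code >> 23) & 0xFF, code & 0x7FFFFF
    return {"lib": OSSL_LIBS.get(lib, "dynamic" if lib >= 128 else f"lib{lib}"), "reason": reason}

def parse_log(text):
    """Turn mixed tss2-esys / OpenSSL 3 error output into structured records."""
    records = []
    for line in text.splitlines():
        if m := TSS2_RE.match(line):
            rec = {"kind": "tss2", "func": m["func"], "file": m["file"], "line": int(m["line"]),
                   "msg": (m["pre"] + " " + m["post"]).strip()}
            rec.update(decode_tss2_rc(int(m["rc"], 16)))
        elif m := OSSL_RE.match(line):
            rec = {"kind": "openssl", "func": m["func"], "file": m["file"], "text": m["reason"]}
            rec.update(decode_ossl_code(int(m["code"], 16)))
        else:
            continue
        records.append(rec)
    return records

def innermost_tss2_error(records):
    """Assumes esys logs the inner frame first, as in this report: first tss2 record = root."""
    return next((r for r in records if r["kind"] == "tss2"), None)
```

Run over the report's lines, both tss2 records decode to ESAPI/GENERAL_FAILURE with the innermost frame in esys_crypto_ossl.c, which places the failure in the tss2-esys crypto backend rather than in a TPM response code.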