On Wed, 2024-03-06 at 12:44 +0100, Grant Williamson wrote: > I am attempting to transition our existing environment of signed > Digicert certificates from RSA-4096 to ECC256. The digicert one > signing process appears to work. > When using a software-emulated TPM, the connection is succesful. > > When I try hardware tpm(3 laptops) I encounter the folowing problem > ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size > SSL connection failure: PKCS #11 error. > > I have tried generating the csr to be signed using both tpm2-openssl > and pkcs11-provider, same result. > > Maybe the following gives a clue. Any ideas? > (openconnect with --gnutls-debug=99 -v) > > https://pastebin.com/d2gT4t6q
I think that's a GnuTLS bug. What version of GnuTLS is it? If you're using a Prime256 key, then the SHA512 hash ought to be truncated to 32 bytes, and then we'd tell the TPM that it's actually a SHA256. See http://git.infradead.org/?p=users/dwmw2/openconnect.git;a=blob;f=gnutls_tpm2_esys.c;hb=HEAD#l487 As a nasty hack, since you know you have a 256-bit EC key (although I didn't personally validate that assertion in your logs), can you try hard-coding it to use TPM2_ALG_SHA256 and set digest.size=32 in tpm2_ec_sign_hash_fn() ? Do this in either gnutls_tpm2_esys.c or gnutls_tpm2_ibm.c; whichever is being used on your system. Probably the former.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
