David,
tried to patch it no luck
i.e.
diff -ur openconnect-9.12.orig/gnutls_tpm2_esys.c openconnect-
9.12/gnutls_tpm2_esys.c
--- openconnect-9.12.orig/gnutls_tpm2_esys.c 2022-04-28
17:58:05.000000000 +0200
+++ openconnect-9.12/gnutls_tpm2_esys.c 2024-03-07 16:03:54.521631835
+0100
@@ -498,12 +498,11 @@
case SHA1_SIZE: inScheme.details.ecdsa.hashAlg =
TPM2_ALG_SHA1; break;
case SHA256_SIZE: inScheme.details.ecdsa.hashAlg =
TPM2_ALG_SHA256; break;
case SHA384_SIZE: inScheme.details.ecdsa.hashAlg =
TPM2_ALG_SHA384; break;
- case SHA512_SIZE: inScheme.details.ecdsa.hashAlg =
TPM2_ALG_SHA512; break;
+ case SHA512_SIZE: inScheme.details.ecdsa.hashAlg =
TPM2_ALG_SHA512; digest.size = 32 ; break;
default:
- vpn_progress(vpninfo, PRG_ERR,
- _("Unknown TPM2 EC digest size %d for
algo 0x%x\n"),
- data->size, algo);
- return GNUTLS_E_PK_SIGN_FAILED;
+ inScheme.details.ecdsa.hashAlg = TPM2_ALG_SHA512;
+ digest.size = 32;
+ break;
}
memcpy(digest.buffer, data->data, data->size);
I am on Fedora 39 using gnutls-3.8.3-1.fc39.x86_64
The process works with a software-emulated TPM, but generates the error
on real hardware, tried 3 different laptops.
Here is the basic process I am using to create/add the key and csr.
Maybe you see something here that I am missing.
tpm2_clear
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --
label=TL_ECC256
tpm2_ptool addkey --algorithm=ecc256 --label=TL_ECC256 --key-
label=KL_ECC256 --userpin=userpin
tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --
label=TL_ECC256
TOKEN=`p11tool --list-token-urls 2> /dev/null | grep "token=TL_ECC256"`
p11tool --login --list-all "${TOKEN}" --set-pin="userpin" --outfile
p11tool.out
PRIVATE_KEY=`cat p11tool.out | grep private | awk '{ print $2 }'`
yaml_rsa0=$(tpm2_ptool export --label="TL_ECC256" --key-
label="KL_ECC256" --userpin="userpin")
auth_rsa0=$(echo "${yaml_rsa0}" | grep "object-auth" | cut -d' ' -f2-)
openssl req -new -provider tpm2 -provider base -propquery
"?provider=tpm2" -key "KL_ECC256.pem" -passin "pass:${auth_rsa0}" -subj
"/C=US/ST=NY/L=New_York/O=Acme/CN=1234567/emailAddress=t...@acme.com" -
out test_csr.csr
I send this CSR "test_csr.csr" together with the profile to the
Digicert One API
On Thu, 2024-03-07 at 14:36 +0000, David Woodhouse wrote:
> On Wed, 2024-03-06 at 12:44 +0100, Grant Williamson wrote:
> > I am attempting to transition our existing environment of signed
> > Digicert certificates from RSA-4096 to ECC256. The digicert one
> > signing process appears to work.
> > When using a software-emulated TPM, the connection is succesful.
> >
> > When I try hardware tpm(3 laptops) I encounter the folowing problem
> > ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
> > SSL connection failure: PKCS #11 error.
> >
> > I have tried generating the csr to be signed using both tpm2-
> > openssl
> > and pkcs11-provider, same result.
> >
> > Maybe the following gives a clue. Any ideas?
> > (openconnect with --gnutls-debug=99 -v)
> >
> > https://pastebin.com/d2gT4t6q
>
> I think that's a GnuTLS bug. What version of GnuTLS is it?
>
> If you're using a Prime256 key, then the SHA512 hash ought to be
> truncated to 32 bytes, and then we'd tell the TPM that it's actually
> a
> SHA256. See
> http://git.infradead.org/?p=users/dwmw2/openconnect.git;a=blob;f=gnutls_tpm2_esys.c;hb=HEAD#l487
>
> As a nasty hack, since you know you have a 256-bit EC key (although I
> didn't personally validate that assertion in your logs), can you try
> hard-coding it to use TPM2_ALG_SHA256 and set digest.size=32 in
> tpm2_ec_sign_hash_fn() ?
>
> Do this in either gnutls_tpm2_esys.c or gnutls_tpm2_ibm.c; whichever
> is
> being used on your system. Probably the former.
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
