Re: [openssl-users] openssl_tpm_engine - create_tpm_key failed when tried to wrap key
We ran the same command with both the software TPM and the hardware TPM. Please find the detailed debug logs from tcsd attached. I have also copied the relevant portions. For the GetPubKey API, the software TPM works fine, and in this case it seems an 'ioctl' call is made, compared to a write in the case of the actual TPM.

Software TPM:

TCSD TCS tcs_key_mem_cache.c:167 keySlot is 4000
TCSD TCS tcs_key_mem_cache.c:874 mc_update_time_stamp: TCSD mem_cached handle: 0x4000
TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x4000, slot: 0x4000
TCSD TCS tcsi_key.c:260 My Log: tcsi_key.c:tpm_rqu_buildtpm_rqu_build :result=0
To TPM: 00 C2 00 00 00 3B 00 00 00 21 40 00 00 00 02 00
To TPM: 00 00 7E 3D AE A9 13 CF 83 D7 27 56 A3 F3 C4 09
To TPM: 4F 81 FB 81 F8 C0 00 D4 C0 ED C4 68 67 45 FB FF
To TPM: B2 FC 51 B7 5A 7B DB E1 64 3D 73
TCSD TDDL tddl.c:171 Calling write to driver
TCSD TDDL tddl.c:183 Transmit Type: TDDL_TRANSMIT_IOCTL
From TPM: 00 C5 00 00 01 4F 00 00 00 00 00 00 00 01 00 03
From TPM: 00 01 00 00 00 0C 00 00 08 00 00 00 00 02 00 00

Hardware TPM:

TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x4000, slot: 0x4000
TCSD TCS tcsi_key.c:260 My Log: tcsi_key.c:tpm_rqu_buildtpm_rqu_build :result=0
To TPM: 00 C2 00 00 00 3B 00 00 00 21 40 00 00 00 00 4F
To TPM: F1 C6 5A 89 4D D3 43 81 32 CC CA B7 C0 BB 8A F4
To TPM: BC 98 C9 BC 8A 01 00 C6 FB 7D 86 4D 0E 9F E5 62
To TPM: 12 85 E3 04 73 C1 56 20 01 B0 48
TCSD TDDL tddl.c:171 Calling write to driver
TCSD TDDL tddl.c:193 Transmit Type: TDDL_TRANSMIT_RW
From TPM: 00 C4 00 00 00 0A 00 00 00 0C
TCSD TCS tcsi_key.c:265 My Log: tcsi_key.c:req_mgr_submit_req :result=0
LOG_RETERR TPM tcsi_key.c:267: 0xc
TCSD TCS tcsi_key.c:268 My Log: tcsi_key.c:UnloadBlob_Header : result=12
To TPM: 00 C1 00 00 00 12 00 00 00 BA 00 4F F1 C6 00 00
To TPM: 00 02
TCSD TDDL tddl.c:171 Calling write to driver
TCSD TDDL tddl.c:193 Transmit Type: TDDL_TRANSMIT_RW
From TPM: 00 C4 00 00 00 0A 00 00 00 22
LOG_RETERR TPM tcsi_admin.c:464: 0x22
TCSD TCS tcs_auth_mgr.c:287 Tried to close an invalid auth handle: 4ff1c6

src/tddl/tddl.c : Tddli_TransmitData

        switch (opened_device->transmit) {
        case TDDL_UNDEF:
                /* fall through */
        case TDDL_TRANSMIT_IOCTL:
                LogDebug("Transmit Type: TDDL_TRANSMIT_IOCTL");
                errno = 0;
                if ((sizeResult = ioctl(opened_device->fd, TPMIOC_TRANSMIT, txBuffer)) != -1) {
                        opened_device->transmit = TDDL_TRANSMIT_IOCTL;
                        break;
                }
                LogWarn("ioctl: (%d) %s", errno, strerror(errno));
                LogInfo("Falling back to Read/Write device support.");
                /* fall through */
        case TDDL_TRANSMIT_RW:
                LogDebug("Transmit Type: TDDL_TRANSMIT_RW");
                if ((sizeResult = write(opened_device->fd, txBuffer, TransmitBufLen)) == (int)TransmitBufLen) {
                        opened_device->transmit = TDDL_TRANSMIT_RW;
                        sizeResult = read(opened_device->fd, txBuffer, TDDL_TXBUF_SIZE);
                        break;

On Fri, Feb 27, 2015 at 7:23 PM, Ken Goldman <kgold...@us.ibm.com> wrote:
> I don't know trousers very well, but there is a mailing list specifically for it.
>
> trousers supports the software TPM from http://sourceforge.net/projects/ibmswtpm/
>
> If you run with that, it traces the TPM operation in detail. Send me the trace and I can probably tell you what's wrong.
>
> On 2/27/2015 12:16 AM, zakkir hussain Kharim wrote:
>> *Problem*
>> We are trying to wrap a private key using the storage root key, using the create_tpm_key tool which is part of the openssl tpm engine. But it is failing. We tried to debug this in multiple ways but are not able to understand what is wrong. We are trying to wrap using the Storage Root Key. The input private key is a 2048-bit RSA key without any passphrase. The failure seems to be related to getting the public key of the SRK from the loaded SRK handle.

___ openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

TCSD svrside.c:556 accepted socket 7
TCSD svrside.c:531 Waiting for connections
TCSD tcsd_threads.c:232 total_recv_size 28, buf_size 1024, recd_so_far 28
TCSD tcsd_threads.c:284 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:582 Dispatching ordinal 1 (OpenContext)
TCSD TCS rpc/tcstp/rpc_context.c:37 tcs_wrap_OpenContext: thread 140136657467136
TCSD TCS rpc/tcstp/rpc_context.c:53 New context is 0xa0d3ec03
TCSD tcsd_threads.c:313 Sending 0x26 bytes back
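To read the "To TPM" / "From TPM" dumps in the message above without the TPM 1.2 specification open, here is an added example (it is not trousers code and was not posted in the thread): a small C parser for the TPM 1.2 command and response header that decodes the tag, paramSize, ordinal or return code, the first handle parameter and, for AUTH1/AUTH2 commands, the authorization handle that trousers placed after the key handle. The four hex strings are copied from the hardware-TPM trace above; the tag, ordinal and return-code constants are the TPM 1.2 values, and the return-code table is deliberately partial (only codes that appear in this thread). The function names are this example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM 1.2 wire constants (TPM Main Specification Part 2 and Part 3). */
#define TPM_TAG_RQU_COMMAND        0x00C1
#define TPM_TAG_RQU_AUTH1_COMMAND  0x00C2
#define TPM_TAG_RQU_AUTH2_COMMAND  0x00C3
#define TPM_TAG_RSP_COMMAND        0x00C4
#define TPM_TAG_RSP_AUTH1_COMMAND  0x00C5
#define TPM_TAG_RSP_AUTH2_COMMAND  0x00C6
#define TPM_ORD_GetPubKey          0x21
#define TPM_ORD_FlushSpecific      0xBA
#define TPM_INVALID_KEYHANDLE      0x0C   /* the "0xc" in the trace above */
#define TPM_INVALID_AUTHHANDLE     0x22   /* the "0x22" in the trace above */
#define TPM_HDR_LEN  10   /* tag(2) + paramSize(4) + ordinal or returnCode(4) */
#define TPM_AUTH_LEN 45   /* authHandle(4) + nonceOdd(20) + continueAuthSession(1) + authData(20) */

typedef struct {
    uint16_t tag;
    uint32_t param_size;    /* length the header claims, header included */
    uint32_t code;          /* ordinal for a command, returnCode for a response */
    int      is_response;
    int      auth_sessions; /* trailing authorization blocks: 0, 1 or 2 */
    uint32_t handle;        /* first 4-byte parameter after the ordinal (commands only) */
    uint32_t auth_handle;   /* authHandle of the first authorization block (commands only) */
} tpm_msg;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* "00 C2 00 ..." (whitespace-separated byte pairs, as tcsd prints them) -> raw bytes.
 * Returns the byte count, or -1 on a non-hex character or an overflowed buffer. */
int tpm_hex_to_bytes(const char *hex, uint8_t *out, size_t out_len) {
    size_t n = 0;
    while (*hex) {
        unsigned int v;
        if (isspace((unsigned char)*hex)) { hex++; continue; }
        if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1])) return -1;
        if (n >= out_len || sscanf(hex, "%2x", &v) != 1) return -1;
        out[n++] = (uint8_t)v;
        hex += 2;
    }
    return (int)n;
}

/* Parse one TPM 1.2 command or response.
 *   0  complete message, all fields filled
 *   1  header parsed, but the dump is shorter than paramSize (a truncated trace)
 *  -1  malformed: shorter than a header, unknown tag, or paramSize inconsistent */
int tpm_parse(const uint8_t *buf, size_t len, tpm_msg *m) {
    memset(m, 0, sizeof *m);
    if (len < TPM_HDR_LEN) return -1;
    m->tag = be16(buf);
    m->param_size = be32(buf + 2);
    m->code = be32(buf + 6);
    switch (m->tag) {
    case TPM_TAG_RQU_COMMAND:       m->auth_sessions = 0; break;
    case TPM_TAG_RQU_AUTH1_COMMAND: m->auth_sessions = 1; break;
    case TPM_TAG_RQU_AUTH2_COMMAND: m->auth_sessions = 2; break;
    case TPM_TAG_RSP_COMMAND:       m->is_response = 1; m->auth_sessions = 0; break;
    case TPM_TAG_RSP_AUTH1_COMMAND: m->is_response = 1; m->auth_sessions = 1; break;
    case TPM_TAG_RSP_AUTH2_COMMAND: m->is_response = 1; m->auth_sessions = 2; break;
    default: return -1;
    }
    if (m->param_size < TPM_HDR_LEN) return -1;
    if (len < m->param_size) return 1;
    if (m->is_response) return 0;
    if (m->param_size >= TPM_HDR_LEN + 4) m->handle = be32(buf + TPM_HDR_LEN);
    /* Authorization blocks always sit at the end of a command, so the first authHandle
     * is found by counting back from paramSize, whatever the ordinal's own parameters are. */
    if (m->auth_sessions) {
        size_t trailer = (size_t)m->auth_sessions * TPM_AUTH_LEN;
        if (m->param_size < TPM_HDR_LEN + trailer) return -1;
        m->auth_handle = be32(buf + m->param_size - trailer);
    }
    return 0;
}

/* Convenience wrapper for a dump pasted straight from a tcsd log. */
int tpm_parse_hex(const char *hex, tpm_msg *m) {
    uint8_t buf[4096];
    int n = tpm_hex_to_bytes(hex, buf, sizeof buf);
    if (n < 0) { memset(m, 0, sizeof *m); return -1; }
    return tpm_parse(buf, (size_t)n, m);
}

/* Partial table: only the return codes that appear in this thread. */
const char *tpm_rc_name(uint32_t rc) {
    switch (rc) {
    case 0:                      return "TPM_SUCCESS";
    case TPM_INVALID_KEYHANDLE:  return "TPM_INVALID_KEYHANDLE";
    case TPM_INVALID_AUTHHANDLE: return "TPM_INVALID_AUTHHANDLE";
    default:                     return "(not in this table)";
    }
}

/* Bytes copied from the hardware-TPM trace in the message above. */
static const char *HW_GETPUBKEY_CMD =
    "00 C2 00 00 00 3B 00 00 00 21 40 00 00 00 00 4F F1 C6 5A 89 4D D3 43 81 32 CC CA B7 C0 BB 8A F4 "
    "BC 98 C9 BC 8A 01 00 C6 FB 7D 86 4D 0E 9F E5 62 12 85 E3 04 73 C1 56 20 01 B0 48";
static const char *HW_GETPUBKEY_RSP = "00 C4 00 00 00 0A 00 00 00 0C";
static const char *HW_FLUSH_CMD     = "00 C1 00 00 00 12 00 00 00 BA 00 4F F1 C6 00 00 00 02";
static const char *HW_FLUSH_RSP     = "00 C4 00 00 00 0A 00 00 00 22";

int main(void) {
    const char *dumps[] = { HW_GETPUBKEY_CMD, HW_GETPUBKEY_RSP, HW_FLUSH_CMD, HW_FLUSH_RSP };
    for (size_t i = 0; i < sizeof dumps / sizeof dumps[0]; i++) {
        tpm_msg m;
        int rc = tpm_parse_hex(dumps[i], &m);
        if (m.is_response)
            printf("response tag=%04X size=%u returnCode=0x%X (%s) parse=%d\n", (unsigned)m.tag,
                   (unsigned)m.param_size, (unsigned)m.code, tpm_rc_name(m.code), rc);
        else
            printf("command  tag=%04X size=%u ordinal=0x%X handle=0x%08X authHandle=0x%08X parse=%d\n",
                   (unsigned)m.tag, (unsigned)m.param_size, (unsigned)m.code,
                   (unsigned)m.handle, (unsigned)m.auth_handle, rc);
    }
    return 0;
}
```

Run against the trace, the decoder makes the sequence in the log explicit: the AUTH1 GetPubKey command (tag 0x00C2, ordinal 0x21) names key handle 0x40000000 (the SRK) and auth handle 0x004FF1C6; the hardware TPM answers with a plain 0x00C4 response carrying return code 0x0C (TPM_INVALID_KEYHANDLE); trousers then sends FlushSpecific (ordinal 0xBA) for handle 0x004FF1C6, which fails with 0x22 (TPM_INVALID_AUTHHANDLE), matching the "Tried to close an invalid auth handle" line. The software-TPM response in the log is only partially printed (paramSize 0x14F but 32 bytes shown), which the parser reports as a truncated trace rather than an error.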
[openssl-users] openssl_tpm_engine - create_tpm_key failed when tried to wrap key
*Problem*
We are trying to wrap a private key using the storage root key, using the create_tpm_key tool which is part of the openssl tpm engine. But it is failing. We tried to debug this in multiple ways but are not able to understand what is wrong. We are trying to wrap using the Storage Root Key. The input private key is a 2048-bit RSA key without any passphrase. The failure seems to be related to getting the public key of the SRK from the loaded SRK handle.

*Command Executed:*
# create_tpm_key -w private.pem rsmpvtkey.blob
SRK Password:
### result=12
create_tpm_key.c:444 Tspi_Key_WrapKey result: 0xc (Invalid keyhandle)

*TPM trousers code:*
File: tspi/tspi_key.c
Function: Tspi_Key_GetPubKey

        if ((result = TCS_API(tspContext)->GetPubKey(tspContext, tcsKeyHandle, pAuth,
                                                     pulPubKeyLength, prgbPubKey))) {
                printf("\n ### result=%d\n", result);
                return result; // returns value 12
        }

*Version details:*
trousers-0.3.13
openssl_tpm_engine-0.4.2
tpm-tools-1.3.8

*tpm version*
TPM 1.2 Version Info:
  Chip Version:         1.2.3.16
  Spec Level:           2
  Errata Revision:      2
  TPM Vendor ID:        IFX
  Vendor Specific data: 031a 00
  TPM Version:          0101

Thanks and Regards
Zakkir
Re: SSL APIs which does not need certificates/keys stored in filesystem
Resending since the previous post attempt failed.

On Mon, Aug 18, 2014 at 12:52 PM, zakkir hussain Kharim <zakkir.kha...@gmail.com> wrote:
> Currently we are storing certificates/keys in the filesystem and using SSL APIs like SSL_CTX_use_certificate_chain_file and SSL_CTX_load_verify_locations to load the certificate chain from the filesystem, for both server and client purposes. We want to avoid storing them in the filesystem and instead read the certificates directly from our internal database. I could find many possible APIs for it, as below:
>
> 1) SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
> 2) SSL_CTX_use_certificate(SSL *ssl, X509 *x);
> 3) SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);
> 4) int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
> 5) int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
> 6) int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
> 7) int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
> 8) int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
> 9) int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
> 10) int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
> 11) int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
>
> and I am confused about which one to use. For example, which API is the substitute for SSL_CTX_use_certificate_chain_file? Which is the substitute for SSL_CTX_load_verify_locations? Will SSL_CTX_set_cert_store work for both purposes - to load the end-entity + sub-CA certificates for the server, and to load the sub-CAs and root CA for the client?
>
> Thanks and Regards
> Zakkir
SSL APIs which does not need certificates/keys stored in filesystem
Currently we are storing certificates/keys in the filesystem and using SSL APIs like SSL_CTX_use_certificate_chain_file and SSL_CTX_load_verify_locations to load the certificate chain from the filesystem, for both server and client purposes. We want to avoid storing them in the filesystem and instead read the certificates directly from our internal database. I could find many possible APIs for it, as below:

1) SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
2) SSL_CTX_use_certificate(SSL *ssl, X509 *x);
3) SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);
4) int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
5) int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
6) int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
7) int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
8) int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
9) int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
10) int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
11) int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);

and I am confused about which one to use. For example, which API is the substitute for SSL_CTX_use_certificate_chain_file? Which is the substitute for SSL_CTX_load_verify_locations? Will SSL_CTX_set_cert_store work for both purposes - to load the end-entity + sub-CA certificates for the server, and to load the sub-CAs and root CA for the client?

Thanks and Regards
Zakkir