Re: [openssl-users] openssl_tpm_engine - create_tpm_key failed when tried to wrap key

2015-03-06 Thread zakkir hussain Kharim
We ran the same command with both software TPM and hardware TPM.

Please find the detailed debug logs from the tcsd attached. Also copied the
relevant portions. For the GetPubKey API, the software TPM works fine, and in
this case it seems an 'ioctl' call is made, compared to a write in the case of
the actual TPM.

Software TPM:

TCSD TCS tcs_key_mem_cache.c:167 keySlot is 4000
TCSD TCS tcs_key_mem_cache.c:874 mc_update_time_stamp: TCSD mem_cached handle: 0x4000
TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x4000, slot: 0x4000
TCSD TCS tcsi_key.c:260
My Log: tcsi_key.c:tpm_rqu_buildtpm_rqu_build :result=0

To TPM: 00 C2 00 00 00 3B 00 00 00 21 40 00 00 00 02 00
To TPM: 00 00 7E 3D AE A9 13 CF 83 D7 27 56 A3 F3 C4 09
To TPM: 4F 81 FB 81 F8 C0 00 D4 C0 ED C4 68 67 45 FB FF
To TPM: B2 FC 51 B7 5A 7B DB E1 64 3D 73
TCSD TDDL tddl.c:171 Calling write to driver
TCSD TDDL tddl.c:183  Transmit Type: TDDL_TRANSMIT_IOCTL
From TPM: 00 C5 00 00 01 4F 00 00 00 00 00 00 00 01 00 03
From TPM: 00 01 00 00 00 0C 00 00 08 00 00 00 00 02 00 00

Hardware TPM:

TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x4000, slot: 0x4000
TCSD TCS tcsi_key.c:260
My Log: tcsi_key.c:tpm_rqu_buildtpm_rqu_build :result=0

To TPM: 00 C2 00 00 00 3B 00 00 00 21 40 00 00 00 00 4F
To TPM: F1 C6 5A 89 4D D3 43 81 32 CC CA B7 C0 BB 8A F4
To TPM: BC 98 C9 BC 8A 01 00 C6 FB 7D 86 4D 0E 9F E5 62
To TPM: 12 85 E3 04 73 C1 56 20 01 B0 48
TCSD TDDL tddl.c:171 Calling write to driver
TCSD TDDL tddl.c:193  Transmit Type: TDDL_TRANSMIT_RW
From TPM: 00 C4 00 00 00 0A 00 00 00 0C
TCSD TCS tcsi_key.c:265
My Log: tcsi_key.c:req_mgr_submit_req :result=0

LOG_RETERR TPM tcsi_key.c:267: 0xc
TCSD TCS tcsi_key.c:268
My Log: tcsi_key.c:UnloadBlob_Header : result=12

To TPM: 00 C1 00 00 00 12 00 00 00 BA 00 4F F1 C6 00 00
To TPM: 00 02
TCSD TDDL tddl.c:171 Calling write to driver
TCSD TDDL tddl.c:193  Transmit Type: TDDL_TRANSMIT_RW
From TPM: 00 C4 00 00 00 0A 00 00 00 22
LOG_RETERR TPM tcsi_admin.c:464: 0x22
TCSD TCS tcs_auth_mgr.c:287 Tried to close an invalid auth handle: 4ff1c6

src/tddl/tddl.c : Tddli_TransmitData

    switch (opened_device->transmit) {
    case TDDL_UNDEF:
        /* fall through */
    case TDDL_TRANSMIT_IOCTL:
        LogDebug(" Transmit Type: TDDL_TRANSMIT_IOCTL");
        errno = 0;
        if ((sizeResult = ioctl(opened_device->fd, TPMIOC_TRANSMIT, txBuffer)) != -1) {
            opened_device->transmit = TDDL_TRANSMIT_IOCTL;
            break;
        }
        LogWarn("ioctl: (%d) %s", errno, strerror(errno));
        LogInfo("Falling back to Read/Write device support.");
        /* fall through */
    case TDDL_TRANSMIT_RW:
        LogDebug(" Transmit Type: TDDL_TRANSMIT_RW");
        if ((sizeResult = write(opened_device->fd, txBuffer, TransmitBufLen)) == (int)TransmitBufLen) {
            opened_device->transmit = TDDL_TRANSMIT_RW;
            sizeResult = read(opened_device->fd, txBuffer, TDDL_TXBUF_SIZE);
            break;

On Fri, Feb 27, 2015 at 7:23 PM, Ken Goldman kgold...@us.ibm.com wrote:

 I don't know trousers very well, but there is a mailing list specifically
 for it.

 trousers supports the software TPM from

 http://sourceforge.net/projects/ibmswtpm/

 If you run with that, it traces the TPM operation in detail.  Send me the
 trace and I can probably tell you what's wrong.

 On 2/27/2015 12:16 AM, zakkir hussain Kharim wrote:

 *Problem*

 We are trying to wrap a private key using the storage root key with the
 create_tpm_key tool, which is part of the openssl tpm engine. But it is
 failing. We tried to debug this in multiple ways, but are not able to
 understand what is wrong. We are trying to wrap using the Storage Root
 Key. The input private key is a 2048-bit RSA key without any
 passphrase. The failure seems to be related to getting the public key of
 the SRK from the loaded SRK handle.



 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

TCSD svrside.c:556 accepted socket 7
TCSD svrside.c:531 Waiting for connections
TCSD tcsd_threads.c:232 total_recv_size 28, buf_size 1024, recd_so_far 28
TCSD tcsd_threads.c:284 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:582 Dispatching ordinal 1 (OpenContext)
TCSD TCS rpc/tcstp/rpc_context.c:37 tcs_wrap_OpenContext: thread 140136657467136
TCSD TCS rpc/tcstp/rpc_context.c:53 New context is 0xa0d3ec03
TCSD tcsd_threads.c:313 Sending 0x26 bytes back
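
The To TPM / From TPM dumps in this reply and in the original report carry the same TPM 1.2 framing whether tcsd reached the device through TPMIOC_TRANSMIT or through write/read: a 2-byte tag (0x00C1 plain request, 0x00C2 request with one auth session, 0x00C4 plain response, 0x00C5 response with one auth session), a 4-byte paramSize, then the ordinal or return code, all big-endian. Decoded that way, the hardware exchange reads: TPM_GetPubKey (ordinal 0x21) on key handle 0x40000000, which TPM 1.2 reserves for the SRK as TPM_KH_SRK, with auth handle 0x004FF1C6, answered with returnCode 0x0C TPM_INVALID_KEYHANDLE; then TPM_FlushSpecific (ordinal 0xBA) on handle 0x004FF1C6 with resource type 2 (TPM_RT_AUTH), answered with 0x22 TPM_INVALID_AUTHHANDLE, which is the "Tried to close an invalid auth handle" line. Error replies carry the plain 0x00C4 tag and no auth block, which is why both hardware replies are only 10 bytes. The software TPM answered the same GetPubKey with a 335-byte auth1 response whose TPM_PUBKEY begins with algorithmID 1 (RSA) and keyLength 2048; the log shows only its first 32 bytes. The decoder below is an added example, not code from trousers, the engine or the poster; the hex strings are copied from the log above, and the name tables cover only a handful of well-known ordinals and return codes.

```c
/* Decoder for the TPM 1.2 request/response framing in the tcsd "To TPM:" / "From TPM:"
 * lines. Added example in plain C99; it needs no TPM, trousers or OpenSSL. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t tag;       /* 0x00C1..C3 request (plain/auth1/auth2), 0x00C4..C6 response */
    uint32_t size;      /* paramSize: bytes the sender claims, header included */
    uint32_t code;      /* ordinal in a request, returnCode in a response */
    uint32_t param[2];  /* first two 32-bit words after the code, when present */
    int nparam, is_response;
    int truncated;      /* the capture holds fewer bytes than paramSize announces */
} tpm_msg;

/* Every TPM 1.2 integer is big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* "00 C2 00 .." (whitespace ignored) -> bytes; returns the count, -1 on bad hex. */
int hex_to_bytes(const char *hex, uint8_t *out, size_t max) {
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        unsigned char c = (unsigned char)*hex;
        if (isspace(c)) continue;
        int v = isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
        if (v < 0 || (hi >= 0 && n >= max)) return -1;
        if (hi < 0) { hi = v; continue; }
        out[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (int)n : -1;   /* an odd digit count is a malformed dump */
}

/* Parse the 10-byte header and up to two 32-bit parameters. 0 on success, -1 if the
 * buffer is shorter than a header or the tag is not a TPM 1.2 tag. */
int tpm_parse(const uint8_t *buf, size_t len, tpm_msg *m) {
    memset(m, 0, sizeof *m);
    if (len < 10) return -1;
    m->tag = be16(buf);
    if (m->tag < 0x00C1 || m->tag > 0x00C6) return -1;
    m->is_response = m->tag >= 0x00C4;
    m->size = be32(buf + 2);
    m->code = be32(buf + 6);
    m->truncated = len < m->size;
    size_t avail = m->truncated ? len : m->size;
    for (size_t off = 10; m->nparam < 2 && off + 4 <= avail; off += 4)
        m->param[m->nparam++] = be32(buf + off);
    return 0;
}

/* One-call form for a hex dump; an unparseable dump comes back with tag == 0. */
tpm_msg tpm_decode_hex(const char *hex) {
    uint8_t buf[512];
    tpm_msg m;
    int n = hex_to_bytes(hex, buf, sizeof buf);
    if (n < 0 || tpm_parse(buf, (size_t)n, &m) != 0) memset(&m, 0, sizeof m);
    return m;
}

/* For a successful TPM_GetPubKey reply, pull algorithmID and the RSA key length out of
 * the TPM_PUBKEY that follows the return code (byte offsets: algorithmID 10,
 * encScheme 14, sigScheme 16, parmSize 18, keyLength 22). */
int tpm_pubkey_bits(const char *hex, uint32_t *alg, uint32_t *bits) {
    uint8_t buf[512];
    int n = hex_to_bytes(hex, buf, sizeof buf);
    if (n < 26 || be16(buf) != 0x00C5 || be32(buf + 6) != 0) return -1;
    *alg = be32(buf + 10);
    *bits = be32(buf + 22);
    return 0;
}

const char *tpm_rc_name(uint32_t rc) {
    switch (rc) {
    case 0x00: return "TPM_SUCCESS";           case 0x01: return "TPM_AUTHFAIL";
    case 0x0C: return "TPM_INVALID_KEYHANDLE"; case 0x0D: return "TPM_KEYNOTFOUND";
    case 0x12: return "TPM_NOSRK";             case 0x22: return "TPM_INVALID_AUTHHANDLE";
    default:   return "(not in this table)";
    }
}
const char *tpm_ord_name(uint32_t ord) {
    switch (ord) {
    case 0x0A: return "TPM_OIAP";              case 0x0B: return "TPM_OSAP";
    case 0x1F: return "TPM_CreateWrapKey";     case 0x21: return "TPM_GetPubKey";
    case 0x41: return "TPM_LoadKey2";          case 0xBA: return "TPM_FlushSpecific";
    default:   return "(not in this table)";
    }
}

int main(void) {
    /* Hardware-TPM GetPubKey on 0x40000000 (TPM_KH_SRK) and its reply, copied from the log. */
    tpm_msg cmd = tpm_decode_hex("00 C2 00 00 00 3B 00 00 00 21 40 00 00 00 00 4F F1 C6");
    tpm_msg rsp = tpm_decode_hex("00 C4 00 00 00 0A 00 00 00 0C");
    printf("%s key=0x%08X auth=0x%08X -> rc 0x%X %s\n", tpm_ord_name(cmd.code),
           cmd.param[0], cmd.param[1], rsp.code, tpm_rc_name(rsp.code));
    uint32_t alg, bits;   /* software TPM's reply: first 32 of 335 bytes are in the log */
    if (tpm_pubkey_bits("00 C5 00 00 01 4F 00 00 00 00 00 00 00 01 00 03"
                        " 00 01 00 00 00 0C 00 00 08 00 00 00 00 02 00 00", &alg, &bits) == 0)
        printf("software TPM: algorithmID=%u keyLength=%u bits\n", alg, bits);
    return 0;
}
```

Build with `cc -std=c99 -Wall tpm_decode.c` and paste any To TPM / From TPM run into tpm_decode_hex; the truncated flag tells you when a log line shows less than the paramSize the sender announced, so you do not read a partial dump as a short reply.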

[openssl-users] openssl_tpm_engine - create_tpm_key failed when tried to wrap key

2015-02-26 Thread zakkir hussain Kharim
*Problem*

We are trying to wrap a private key using the storage root key with the
create_tpm_key tool, which is part of the openssl tpm engine. But it is
failing. We tried to debug this in multiple ways, but are not able to
understand what is wrong. We are trying to wrap using the Storage Root Key.
The input private key is a 2048-bit RSA key without any passphrase. The
failure seems to be related to getting the public key of the SRK from the
loaded SRK handle.

*Command Executed:*

# create_tpm_key -w private.pem rsmpvtkey.blob
SRK Password:

### result=12
create_tpm_key.c:444 Tspi_Key_WrapKey result: 0xc (Invalid keyhandle)

*TPM trousers code:*

File: tspi/tspi_key.c
Function: Tspi_Key_GetPubKey

    if ((result = TCS_API(tspContext)->GetPubKey(tspContext, tcsKeyHandle, pAuth,
                                                  pulPubKeyLength, prgbPubKey))) {
        printf("\n ### result=%d\n", result);
        return result;   // returns value 12
    }

*Version details:*

trousers-0.3.13
openssl_tpm_engine-0.4.2
tpm-tools-1.3.8

*tpm version*

  TPM 1.2 Version Info:
  Chip Version:         1.2.3.16
  Spec Level:           2
  Errata Revision:      2
  TPM Vendor ID:        IFX
  Vendor Specific data: 031a 00
  TPM Version:          0101

Thanks and Regards

Zakkir
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: SSL APIs which does not need certificates/keys stored in filesystem

2014-08-21 Thread zakkir hussain Kharim
Resending since the previous post attempt failed


On Mon, Aug 18, 2014 at 12:52 PM, zakkir hussain Kharim 
zakkir.kha...@gmail.com wrote:

 Currently we are storing certificates/keys in the filesystem and using SSL
 APIs like SSL_CTX_use_certificate_chain_file and
 SSL_CTX_load_verify_locations to load the certificate chain from the file
 system for server and client purposes.

 We want to avoid storing them in the filesystem, and instead read the
 certificates from our internal database directly. I could find many possible
 APIs for it, as below:
 1) SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
 2) SSL_CTX_use_certificate(SSL *ssl, X509 *x);
 3) SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);
 4) int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
 5) int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
 6) int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
 7) int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
 8) int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
 9) int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
 10) int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
 11) int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);

 and I am confused which one to use.

 For example, which API is the substitute for
 SSL_CTX_use_certificate_chain_file? Which is the substitute for
 SSL_CTX_load_verify_locations? Will SSL_CTX_set_cert_store work for both
 purposes: to load the end-entity + sub-CA certificates for the server, and
 to load the sub-CAs and root CA for the client?


 Thanks and Regards
 Zakkir




SSL APIs which does not need certificates/keys stored in filesystem

2014-08-18 Thread zakkir hussain Kharim
Currently we are storing certificates/keys in the filesystem and using SSL
APIs like SSL_CTX_use_certificate_chain_file and
SSL_CTX_load_verify_locations to load the certificate chain from the file
system for server and client purposes.

We want to avoid storing them in the filesystem, and instead read the
certificates from our internal database directly. I could find many possible
APIs for it, as below:
1) SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
2) SSL_CTX_use_certificate(SSL *ssl, X509 *x);
3) SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);
4) int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
5) int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
6) int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
7) int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
8) int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
9) int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
10) int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
11) int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);

and I am confused which one to use.

For example, which API is the substitute for
SSL_CTX_use_certificate_chain_file? Which is the substitute for
SSL_CTX_load_verify_locations? Will SSL_CTX_set_cert_store work for both
purposes: to load the end-entity + sub-CA certificates for the server, and
to load the sub-CAs and root CA for the client?


Thanks and Regards
Zakkir