Out of the box, opencryptoki configures both the TPM token and software
token. But that combination exposes a bug in opencryptoki.
To start seeing this problem, compare the output of listing tokens with
the opencryptoki "pkcsconf" command:
1) When only the software token is configured in
/var/lib/opencryptoki/pk_config_data:
Token #0 Info:
Label: IBM OS PKCS#11
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 4-8
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 01:53:10 PM
2) When only using the TPM token:
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x880045
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED|)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 6-127
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 01:56:09 PM
3) When both are configured, you see two of whichever is listed first:
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x80445
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 4-8
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 01:55:49 PM
Token #1 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x80445
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 4-8
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 01:55:49 PM
The out-of-the-box config is to have both the TPM and software tokens
configured, which is broken.
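As an added check (not part of this bug report and not opencryptoki code), the following Python script parses a pkcsconf token listing like the ones quoted above and reports the symptom described: the same token identity in more than one slot, a printed flag-name list that disagrees with the hex Flags word, or a token whose PIN length range differs from what that token type reports when configured alone. The embedded sample is the combined listing quoted above, trimmed to the fields the checks need; the expected PIN ranges are taken from the two single-token listings; the CKF_* bit values are the standard PKCS#11 CK_TOKEN_INFO flag constants.

```python
"""Sanity-check an opencryptoki `pkcsconf -t` token listing (added example)."""
import re
from collections import Counter

# Standard PKCS#11 CK_TOKEN_INFO flag bits, used to decode the hex "Flags:" value.
CKF_TOKEN_FLAGS = {
    0x1: "RNG", 0x2: "WRITE_PROTECTED", 0x4: "LOGIN_REQUIRED",
    0x8: "USER_PIN_INITIALIZED", 0x20: "RESTORE_KEY_NOT_NEEDED",
    0x40: "CLOCK_ON_TOKEN", 0x100: "PROTECTED_AUTHENTICATION_PATH",
    0x200: "DUAL_CRYPTO_OPERATIONS", 0x400: "TOKEN_INITIALIZED",
    0x800: "SECONDARY_AUTHENTICATION", 0x10000: "USER_PIN_COUNT_LOW",
    0x20000: "USER_PIN_FINAL_TRY", 0x40000: "USER_PIN_LOCKED",
    0x80000: "USER_PIN_TO_BE_CHANGED", 0x100000: "SO_PIN_COUNT_LOW",
    0x200000: "SO_PIN_FINAL_TRY", 0x400000: "SO_PIN_LOCKED",
    0x800000: "SO_PIN_TO_BE_CHANGED",
}

# PIN length range each model reports when it is the only configured token
# (values taken from the single-token listings in the bug report).
EXPECTED_PIN_LENGTH = {"IBM SoftTok": "4-8", "TPM v1.1 Token": "6-127"}

# Constructed sample: the "both configured" listing from the report, trimmed.
SAMPLE_BOTH = """\
Token #0 Info:
Label: IBM PKCS#11 TPM Token
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x80445
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|)
PIN Length: 4-8
Token #1 Info:
Label: IBM PKCS#11 TPM Token
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x80445
(RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|)
PIN Length: 4-8
"""

TOKEN_HDR = re.compile(r"^Token #(\d+) Info:$")


def parse_tokens(text):
    """Return one dict per 'Token #N Info:' block, keyed by the printed field names."""
    tokens, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TOKEN_HDR.match(line)
        if m:
            cur = {"slot": int(m.group(1))}
            tokens.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("(") and line.endswith(")"):
            # Flag-name line; a trailing '|' (as pkcsconf prints) yields an empty name.
            cur["flag_names"] = [n for n in line[1:-1].split("|") if n]
        elif ": " in line:
            key, value = line.split(": ", 1)
            cur[key] = value
    return tokens


def decode_flags(hex_value):
    """Decode a hex CK_TOKEN_INFO flags word into CKF_* names, lowest bit first."""
    value = int(hex_value, 16)
    return [name for bit, name in sorted(CKF_TOKEN_FLAGS.items()) if value & bit]


def check_listing(text):
    """Return findings as strings; an empty list means the listing looks sane."""
    tokens = parse_tokens(text)
    findings = []
    # 1. The same token identity reported in more than one slot.
    ident = Counter((t.get("Label"), t.get("Model"), t.get("Serial Number")) for t in tokens)
    for (label, model, serial), n in ident.items():
        if n > 1:
            findings.append(f"{n} slots report the same token: {label} / {model} / serial {serial}")
    for t in tokens:
        slot = t["slot"]
        # 2. Printed flag names must match the decoded hex Flags word.
        if "Flags" in t and set(decode_flags(t["Flags"])) != set(t.get("flag_names", [])):
            findings.append(f"slot {slot}: flag names do not match Flags={t['Flags']}")
        # 3. PIN length range must match what this token type reports on its own.
        expected = EXPECTED_PIN_LENGTH.get(t.get("Model"))
        if expected and t.get("PIN Length") != expected:
            findings.append(f"slot {slot}: {t['Model']} reports PIN Length "
                            f"{t.get('PIN Length')}, expected {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_listing(SAMPLE_BOTH):
        print("FINDING:", finding)
```

Run against the combined listing it reports the duplicated token plus, for each slot, a TPM token advertising the software token's 4-8 PIN range, which is the mixed-up state the report shows; the single-token listings produce no findings. Feed it `pkcsconf -t` output on a host to verify the fix once the init script no longer configures both backends.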
Using only the software token, I am able to follow the instructions in
the original bug report to write a certificate and private key to the
token. Just for completeness, these are the commands I used to create
the cert and key:
openssl req -outform der -out cert.der -new -x509 -newkey rsa:2048 -keyout key.tmp -subj '/O=dds/CN=dds' -days 3650
openssl rsa -inform pem -outform der -in key.tmp -out key.der
And I also used "--attr-from cert.der" argument to pkcs11-tool when
writing the certificate and private key to the token.
Actions to take:
1) Test opencryptoki 2.4.1 to confirm this bug still exists in the more recent
versions. If the bug is still present, identify root cause (for now, I'm
suspecting some poor memory management in the common opencryptoki code).
2) Change the opencryptoki init script to not run pkcs11_startup every time it
is started. I think opencryptoki should be configured with debconf with a
multiselect of what token backends to use.
https://bugs.launchpad.net/bugs/942381
Title:
tpm and software token cannot be used together