When using tpm2-pkcs11 in the current Ubuntu version, 1.7.0, creating
certificate signing requests (CSRs) no longer works correctly, which
renders tpm2-pkcs11 partially useless. Especially in environments where a
TLS network (IEEE 802.1X) connection (over NetworkManager) or an OpenConnect
VPN is required, tpm2-pkcs11 will not work with the current 1.7.0
version.
This is because of the shift to OpenSSL 3. OpenSSL is required to create
the certificate signing requests, but the method in tpm2-pkcs11 1.7.0
uses the deprecated "-engine" API, whereas OpenSSL 3 requires
"-provider" to be used.
The old openssl1 command for 1.7.0:
openssl req \
-new \
-engine pkcs11 \
-keyform engine \
-key "pkcs11:token=$TOKEN_LABEL;object=$KEY_LABEL;type=private;pin-value=$USER_PIN" \
-subj "${SUBJ}" \
-out "$HOSTNAME".csr
The new OpenSSL 3 command for 1.8.0 (extracted from the tpm2-pkcs11
integration tests, and tested as well, because of the lack of updated
documentation):
yaml_rsa0=$(tpm2_ptool export --label="${TOKEN_LABEL}" \
--key-label="${KEY_LABEL}" --userpin="${USER_PIN}")
auth_rsa0=$(echo "$yaml_rsa0" | grep "object-auth" | cut -d' ' -f2-)
# "${KEY_LABEL}".pem is created by the tpm2_ptool export above
openssl req \
-new \
-provider tpm2 \
-provider base \
-key "${KEY_LABEL}".pem \
-passin "pass:$auth_rsa0" \
-subj "${SUBJ}" \
-out "$HOSTNAME".csr
Be aware that tpm2-openssl is now a dependency for creating CSRs, and
tpm2-pytss is a dependency of tpm2-pkcs11.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1964975
Title:
can we update to 1.8.0 for Ubuntu 22.04
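The OpenSSL 3 procedure from the report, wrapped into a reusable script as an added example (this is not code from the bug report, from tpm2-pkcs11 or from tpm2-openssl). It keeps the exported PEM and object auth in a private temp directory, checks that OpenSSL can load the tpm2 provider before touching the TPM, passes the object auth via an environment variable instead of "pass:" so it is not visible in the process list, and verifies the CSR's self-signature afterwards. Assumptions beyond what the report states: the function and variable names (extract_object_auth, tpm2_provider_available, make_csr, TPM2_OBJ_AUTH) are mine, `tpm2_ptool export` writes `<key-label>.pem` into the current directory as the report's own example relies on, and the tpm2 provider module is installed where openssl finds it.

```shell
#!/usr/bin/env bash
# Added example: CSR from a tpm2-pkcs11 key via the OpenSSL 3 tpm2 provider.
# Not code from the bug report or the tpm2-pkcs11 / tpm2-openssl projects.
set -eu

# Parse the "object-auth" value out of the YAML that `tpm2_ptool export`
# prints (read from stdin). Exits non-zero if the field is missing, so a
# wrong PIN or label fails here instead of producing an empty -passin.
extract_object_auth() {
    awk '/^object-auth: / { sub(/^object-auth: /, ""); print; found = 1 }
         END { exit !found }'
}

# Check that OpenSSL can actually load the tpm2 provider (from tpm2-openssl)
# before we export anything from the token.
tpm2_provider_available() {
    openssl list -providers -provider tpm2 -provider base 2>/dev/null \
        | grep -qx '  tpm2'
}

# make_csr TOKEN_LABEL KEY_LABEL USER_PIN SUBJ OUT_CSR
make_csr() {
    token_label=$1; key_label=$2; user_pin=$3; subj=$4; out_csr=$5

    tpm2_provider_available || {
        echo "openssl cannot load the tpm2 provider; is tpm2-openssl installed?" >&2
        return 1
    }

    # The exported PEM and the object auth are sensitive: keep them in a
    # mode-0700 temp dir and remove it whether or not signing succeeds.
    out_csr=$(realpath -m "$out_csr")
    workdir=$(mktemp -d)
    if ! (
        umask 077
        cd "$workdir"
        # tpm2_ptool export writes <key-label>.pem here (assumption taken
        # from the report's example) and prints YAML with object-auth.
        auth=$(tpm2_ptool export --label="$token_label" \
                   --key-label="$key_label" --userpin="$user_pin" \
               | extract_object_auth)
        # env: instead of pass: keeps the auth out of `ps` output.
        TPM2_OBJ_AUTH="$auth" openssl req -new \
            -provider tpm2 -provider base \
            -key "${key_label}.pem" -passin env:TPM2_OBJ_AUTH \
            -subj "$subj" -out "$out_csr"
    ); then
        rm -rf "$workdir"
        return 1
    fi
    rm -rf "$workdir"

    # The CSR carries the public key, so the default provider is enough to
    # check the self-signature and confirm the TPM really signed it.
    openssl req -in "$out_csr" -noout -verify
}

# Usage: ./tpm2-csr.sh TOKEN_LABEL KEY_LABEL USER_PIN "/CN=host.example" host.csr
if [ "$#" -eq 5 ]; then
    make_csr "$@"
fi
```

The parsing and provider checks are separated from the TPM-touching step so they can be tested without hardware; only `make_csr` needs a provisioned tpm2-pkcs11 token.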