-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not able to do activate credential on pkcs11 key objects added using tpm2_ptool while tpm2_create objects works file. #852
Comments
I have no idea how you're calling tpm2 createprimary -c primary.ctx
tpm2 readpublic -c primary.ctx -o primary.pub -n key.name
cp primary.ctx key.ctx
# uncomment this to use a seperate key it will just clobber key.ctx
#tpm2 create -C primary.ctx -u key.pub -r key.priv
#tpm2 load -C primary.ctx -u key.pub -r key.priv -c key.ctx
#tpm2 readpublic -c key.ctx -n key.name
# Client sends data to server needed for makecredential.
# SERVER: The server side creates a credential, this could be an HMAC key. This is the same as makecred in tpm2-pytss
echo -n "mycred" > mycred.bin
tpm2 makecredential --tcti=none -u primary.pub -s mycred.bin -n $(xxd -p -c256 key.name) -o mkcred.bin
# CLIENT: activates the credential, which is just getting it back out for use
tpm2 activatecredential -Cprimary.ctx -c key.ctx -i mkcred.bin -o actcred.bin
# gotten cred should match expected
cmp actcred.bin mycred.bin
echo "success"
exit 0
|
Hi Bill, |
# set up a persistent SRK at the TCG defined address
tpm2 createprimary -c primary.ctx
tpm2 evictcontrol -c primary.ctx 0x81000001
# init the store
./tools/tpm2_ptool init --primary-handle=0x81000001
# add a token to the primary key
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=mytoken
# add some keys
tpm2_ptool addkey --label=mytoken --userpin=myuserpin --algorithm=rsa2048 --key-label=key1
tpm2_ptool addkey --label=mytoken --userpin=myuserpin --algorithm=rsa2048 --key-label=key2
# export them
./tools/tpm2_ptool export --label=mytoken --key-label=key1 --userpin=myuserpin
object-auth: c626c183fb607723971e09c10e22b298
primary-object:
auth: ''
hierarchy: owner
is_transient: false
# this creates 3 files: key1.tr (parent key) key1.pub and key2.priv (tpm blobs)
# You can print the key1.tr to get the parent details as well:
tpm2 print --type ESYS_TR key1.tr
tpm-handle: 0x81000001
name: 000bd090c5a432c760b513bd5006eea290124edc5bdce57f2a75795a12fcecc0c00c
# load the key
../tpm2-tools/tools/tpm2 load -Ckey1.tr -u key1.pub -r key1.priv -c key1.ctx
name: 0x000bf7cef3c177cceebd21346feec6fd791a0ebd49f87a17ac1d37ae6b82992dafe9
# now you have a context that can be used in commands. However the symmetric details for basic
# keys are missing, so it can't be used in makecred commands and would need to be supported.
# ie addkey or however the key is added to the pkcs11 store, it needs its symmetric details set IIUC. |
Hi Bill, now you have a context that can be used in commands. However the symmetric details for basickeys are missing, so it can't be used in makecred commands and would need to be supported.ie addkey or however the key is added to the pkcs11 store, it needs its symmetric details set IIUC._does this support need to be added in makecredential or in tpm2_ptool ? |
TL;DR: The key used to encrypt the credential must be a parent key(ie attribute restricted), the other key can be anything. The parent key can be used for both inputs. So if we look at makecredential python code function signature: def make_credential(
public: TPM2B_PUBLIC, credential: bytes, name: TPM2B_NAME
) -> Tuple[TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET]:
"""Encrypts credential for use with activate_credential the credential ./tpm2 create -C primary.ctx -Grsa2048:null:aes128cfb -a'restricted|userwithauth|decrypt|sensitivedataorigin' -c key.ctx truncated YAML output for clarity sym-alg:
value: aes
raw: 0x6
sym-mode:
value: cfb
raw: 0x43
sym-keybits: 128 A normal key won't have the symmetric portion set. |
got it now, wondering if this is limitation by spec or by implementation. ? if its implementation gap, we can add that support. |
TL;DR it's so arbitrary TPM keys are not used as parents possible compromising the object protections of the child. Its a spec thing. It's required as a way to preserve the object protections scheme. Essentially is you use the public portion of an object to protect a child key (ie tpm2-pytss wrap command), you don't want any TPM key to be able to decrypt it. If that TPM key is useable by anyone (like the TCG compliant SRK at 0x81000001), then someone could decrypt the child key outside of the TPM. Per the spec, "When restricted is CLEAR, there are no restrictions on the use of the private portion of the key for decryption and the key may be used to decrypt and return any structure encrypted by the public portion of |
I am not able to do activate credential on pkcs11 key object added using tpm2_ptool while tpm2_create objects works file.
here is sequence:
tpm2_ptool init is done on primary context.
and after that following keys are added using tpm2_ptool. but I am not able to do activate credentials same way as done by tpm2_create objects.
Create a primary key
$tpm2_createprimary -c primary.ctx
$tpm2_evictcontrol -c primary.ctx 0x81000001
$ tpm2_ptool init --primary-handle=0x81000001 –path=/path/to/store
Add storage keys:
tpm2_ptool addtoken --pid=1 --sopin=<> --userpin=<> --label=label --path $TPM2_PKCS11_STORE
tpm2_ptool addkey --label=label --userpin=<> --algorithm=rsa2048 --key-label=$CKA_LABEL --path $TPM2_PKCS11_STORE
tpm2_ptool objmod --key 2399141890 --id=2 --path=$TPM2_PKCS11_STORE | cut -d' ' -f2-2 | xxd -r -p -c1024 > pkcs11key.pub
tpm2_loadexternal -Cn -u pkcs11key.pub -c pkcs11key.ctx
tpm2_readpublic -c pkcs11keykey.ctx -n pkcs11keykey.name
make credential works fine
but activate credentials give following error.
ERROR: Incorrect handle value, got: "pkcs11keykey.ctx", expected expected [o|p|e|n|l] or a handle number
ERROR: Unable to read as BIO file
ERROR: Unable to fetch public/private portions of TSS PRIVKEY
ERROR: Cannot make sense of object context "pkcs11keykey.ctx"
ERROR: Unable to run tpm2_readpublic
while makecredentail and activate credential method do work if I add keys by following tpm2_tools.
tpm2_create -C primary.ctx -u key.pub -r key.priv -a 'fixedtpm|fixedparent|restricted|userwithauth|sensitivedataorigin|decrypt'
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_readpublic -c key.ctx -n key.name
seems the key object is not compatible with pytss , any idea?
The text was updated successfully, but these errors were encountered: