Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pkcs11-provider can't handle NULL bytes in token URL model parameter #296

Closed
uedvt359 opened this issue Oct 17, 2023 · 4 comments
Closed

Comments

@uedvt359
Copy link

Describe the bug

My computer contains a TPM2 chip "SLB9672" from Infineon. I get its token URL from p11tool --list-token-urls and it returns

pkcs11:model=SLB9672%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=mytoken

This breaks pkcs11-provider, because it can't handle null bytes:

00EE57D9047F0000:error:40800007:pkcs11:parse_utf8str:Invalid or improper arguments were provided to the invoked function:util.c:355:Failed to parse [SLB9672%00%00%00%00%00%00%00%00%00] as a string

To Reproduce
Steps to reproduce the behavior:

  1. find the token url using p11tool --login --list-all-privkeys
    => pkcs11:model=SLB9672%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=mytoken
  2. try to issue e.g. a CSR with openssl req -new -provider pkcs11 -key ${URL};pin-value=${PIN};so-pin-value=${PUK} -subj /CN=${CN}/

Expected behavior

A CSR should be returned on stdout. Instead, the error from above is printed. Repeating these steps and stripping %00 from the URL makes it work.

Operating environment (please complete the following information):

  • OS: Fedora
  • Version 38

Token and application used (please complete the following information):

  • Device: Infineon SLB9672
  • PKCS11 Driver version: tpm2-pkcs11-1.9.0-1.fc38.x86_64 (is this the right information?)
  • Application openssl cli
  • Version 3.0.9

Additional context

This used to work in pkcs11-provider v0.1. I think this commit may be relevant: 24d72cc

@simo5
Copy link
Member

simo5 commented Oct 17, 2023

Null bytes are illegal per PKCS11 spec.
From https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/pkcs11-spec-v3.1-cs01.html#_Toc111203192

model model of the device. MUST be padded with the blank character (‘ ‘). MUST NOT be null-terminated.

This is a bug in tmp2-pkcs11, please report it to them.

All of the strings returned in CK_INFO, CK_SLOT_INFO, CK_TOKEN_INFO structure MUST NOT be NULL terminated and must be blank (space) padded to their length.

@simo5
Copy link
Member

simo5 commented Oct 17, 2023

or potentially p11tool ...

@simo5
Copy link
Member

simo5 commented Oct 17, 2023

The broken code starts here:
https://github.com/tpm2-software/tpm2-pkcs11/blame/1b3aab90ee5f7debbce82c7e229aa2950a9e8f0d/src/lib/tpm.c#L784

They use the correct padding helpers but the code is wrong because it always passes 16 byte as the source len, regardless of what's in the vendor structure.
What they need to do is to copy the vendor info, then parse the string, find the NULL bytes and convert them to spaces.

@uedvt359
Copy link
Author

Thank you for tracking this down. I have opened tpm2-software/tpm2-pkcs11#846

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants