
Openssl3 #837

Open
l-sousa opened this issue Apr 14, 2023 · 1 comment

Comments


l-sousa commented Apr 14, 2023

I'm trying to generate a CSR based on a PKCS11 token generated on the TPM2.0

Here is my code:

#!/bin/bash

sudo mkdir ~/openvpn-client || true
cd ~/openvpn-client

# Create certificate Signing Request Configuration

sudo sh -c "cat > client.cnf << EOF
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt                 = no
[ req_distinguished_name ]
C                      = US
ST                     = Foo
L                      = Bar
O                      = Widget Co
OU                     = Internet of Widgets Group
CN                     = $(hostname)
EOF"

# Create the TPM2 PKCS11 Key

# Note: you may need to configure the TCTI for your environment, I used ibmtpm1563 server
# and tpm2-abrmd.
export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
# Set the log-level for debugging so we get more info
export TPM2_PKCS11_LOG_LEVEL=0

# Set up the store location
export TPM2_PKCS11_STORE=~/src/
export PYTHONPATH=~/src/tpm2-pkcs11/tools
sudo rm ~/src/tpm2_pkcs11.sqlite3  || true

sopin=1234
userpin=1234
algorithm="rsa2048"

tpm2_clear
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool init --path=$TPM2_PKCS11_STORE
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool addtoken --pid=1 --sopin="$sopin" --userpin="$userpin" --label=openvpn
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool addkey --algorithm="$algorithm" --label=openvpn --userpin="$userpin"

# Set the token TCTI if needed.
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=openvpn

# Create the Certificate Signing Request

TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")

export GNUTLS_PIN="$userpin"
export GNUTLS_SO_PIN="$sopin"

p11tool --login --list-all "${TOKEN}" --outfile p11tool.out

PRIVATE_KEY=$(cat p11tool.out | grep private | awk '{ print $2 }')

# # Load the TPM2 provider into OpenSSL
# sudo openssl provider -preactivate -activate -section tpm2 -config ~/.config/openssl.cnf

sudo sh -c "cat >> client.cnf << EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /home/botto/src/tpm2-pkcs11/src/.libs/libtpm2_pkcs11.so
MODULE_PATH = /usr/local/lib/libtpm2_pkcs11.so.0
init = 0
EOF"

# Generate the CSR using the PKCS#11 URI
openssl req -new -engine pkcs11 -key "${PRIVATE_KEY};pin-value=$userpin" -config client.cnf -out client.csr

yaml_rsa0=$(/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool export --label=openvpn --key-label=openvpn --userpin=1234)
auth_rsa0=$(echo "$yaml_rsa0" | grep "object-auth" | cut -d' ' -f2-)

# I've fixed the format of the following command
# (closing quote added; config and output file taken from the first command above)
openssl req \
    -new \
    -provider tpm2 \
    -provider base \
    -key openvpn.pem \
    -passin "pass:$auth_rsa0" \
    -config client.cnf \
    -out client.csr

The problem is on the first openssl req command:

# Generate the CSR using the PKCS#11 URI
openssl req -new -engine pkcs11 -key "${PRIVATE_KEY};pin-value=$userpin" -config client.cnf -out client.csr

Problems:

  • I can't get openssl to recognize the engine.

  • It also does not recognize the URI in the -key argument (example URI: pkcs11:model=SLI9670;manufacturer=Infineon;serial=0000000000000000;token=openvpn;id=%38%37%66%35%30%37%31%35%32%31%66%34%37%31%36%35;type=private;pin-value=1234)

I need to use PKCS11. Otherwise, I would have just gone with tpm2-openssl. I've tried this just for fun, but I can't seem to find compatible versions of the libs. Is there any page that tells which version suite is compatible? Because I've tried the latest releases, and they are incompatible.
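As an added example (not code from this issue or from the tpm2-pkcs11 project), the following parses the PKCS#11 URI quoted above per RFC 7512 and flags what a reviewer would want to know before pasting such a URI into a script: the percent-encoded `id` decodes to a printable hex string, and `pin-value` puts the PIN into the command line, where it is visible in process listings, whereas `pin-source` is the intended way to supply it. It assumes only the Python standard library; the second sample URI in the test is constructed.

```python
# Added example, not code from the issue or from tpm2-pkcs11: parse and audit
# an RFC 7512 PKCS#11 URI like the one quoted in the issue.
from urllib.parse import unquote_to_bytes

# The URI quoted in the issue; "1234" is the issue's own demo PIN.
EXAMPLE_URI = ("pkcs11:model=SLI9670;manufacturer=Infineon;serial=0000000000000000;"
               "token=openvpn;id=%38%37%66%35%30%37%31%35%32%31%66%34%37%31%36%35;"
               "type=private;pin-value=1234")

# RFC 7512 query attributes: they belong after '?', separated by '&'.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return percent-decoded attributes from path (';') and query ('&') parts.
    'id' stays bytes because CKA_ID is binary; other values are UTF-8 text."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep in ((path_part, ";"), (query_part, "&")):
        for kv in filter(None, part.split(sep)):
            name, eq, value = kv.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {kv!r}")
            raw = unquote_to_bytes(value)
            attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def audit_pkcs11_uri(uri):
    """Return the findings a reviewer would raise about this URI."""
    attrs = parse_pkcs11_uri(uri)
    path_names = {kv.partition("=")[0]
                  for kv in filter(None, uri[len("pkcs11:"):].partition("?")[0].split(";"))}
    findings = []
    if "pin-value" in attrs:
        findings.append("pin-value embeds the PIN in the URI, which ends up in process"
                        " listings and shell history; prefer pin-source")
    for name in sorted(QUERY_ATTRS & path_names):
        findings.append(f"{name} is a query attribute; RFC 7512 places it after '?'")
    if "type" not in attrs:
        findings.append("no type= attribute; the URI may match more than one object")
    return findings


if __name__ == "__main__":
    print(parse_pkcs11_uri(EXAMPLE_URI))
    for finding in audit_pkcs11_uri(EXAMPLE_URI):
        print("finding:", finding)
```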

@traxtopel

I had the same issue, see #766
