I'm trying to generate a CSR based on a PKCS11 token generated on the TPM2.0
Here is my code:
#!/bin/bash
sudo mkdir ~/openvpn-client || true
cd ~/openvpn-client
# Create certificate Signing Request Configuration
sudo sh -c "cat > client.cnf << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = US
ST = Foo
L = Bar
O = Widget Co
OU = Internet of Widgets Group
CN = $(hostname)
EOF"
# Create the TPM2 PKCS11 Key
# Note: you may need to configure the TCTI for your environment, I used ibmtpm1563 server
# and tpm2-abrmd.
export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
# Set the log-level for debugging so we get more info
export TPM2_PKCS11_LOG_LEVEL=0
# Set up the store location
export TPM2_PKCS11_STORE=~/src/
export PYTHONPATH=~/src/tpm2-pkcs11/tools
sudo rm ~/src/tpm2_pkcs11.sqlite3 || true
sopin=1234
userpin=1234
algorithm="rsa2048"
tpm2_clear
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool init --path=$TPM2_PKCS11_STORE
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool addtoken --pid=1 --sopin="$sopin" --userpin="$userpin" --label=openvpn
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool addkey --algorithm="$algorithm" --label=openvpn --userpin="$userpin"
# Set the token TCTI if needed.
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=openvpn
# Create the Certificate Signing Request
TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")
export GNUTLS_PIN="$userpin"
export GNUTLS_SO_PIN="$sopin"
p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
PRIVATE_KEY=$(cat p11tool.out | grep private | awk '{ print $2 }')
# # Load the TPM2 provider into OpenSSL
# sudo openssl provider -preactivate -activate -section tpm2 -config ~/.config/openssl.cnf
sudo sh -c "cat >> client.cnf << EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /home/botto/src/tpm2-pkcs11/src/.libs/libtpm2_pkcs11.so
MODULE_PATH = /usr/local/lib/libtpm2_pkcs11.so.0
init = 0
EOF"
# Generate the CSR using the PKCS#11 URI
openssl req -new -engine pkcs11 -key "${PRIVATE_KEY};pin-value=$userpin" -config client.cnf -out client.csr
yaml_rsa0=$(/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool export --label=openvpn --key-label=openvpn --userpin=1234)
auth_rsa0=$(echo "$yaml_rsa0" | grep "object-auth" | cut -d' ' -f2-)
# I've fixed the format of the following command
# Alternative: sign the CSR through the tpm2-openssl provider instead of the pkcs11 engine
openssl req \
  -new \
  -provider tpm2 \
  -provider base \
  -key openvpn.pem \
  -passin "pass:$auth_rsa0" \
  -config client.cnf \
  -out client.csr
The problem is on the first openssl req command:
# Generate the CSR using the PKCS#11 URI
openssl req -new -engine pkcs11 -key "${PRIVATE_KEY};pin-value=$userpin" -config client.cnf -out client.csr
Problems:
I can't get openssl to recognize the engine.
It also does not recognize the URI in the -key argument (example URI: pkcs11:model=SLI9670;manufacturer=Infineon;serial=0000000000000000;token=openvpn;id=%38%37%66%35%30%37%31%35%32%31%66%34%37%31%36%35;type=private;pin-value=1234)
I need to use PKCS11. Otherwise, I would have just gone with tpm2-openssl. I've tried this just for fun, but I can't seem to find compatible versions of the libs. Is there any page that tells which version suite is compatible? Because I've tried the latest releases, and they are incompatible.
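A small RFC 7512 parser for the URI passed to `openssl req -key`, written as an added example (not code from the issue author or the tpm2-pkcs11 project). It percent-decodes the attributes and reports two things worth checking before blaming the engine: `pin-value` is a query attribute in RFC 7512, so a strict consumer expects `?pin-value=...` rather than `;pin-value=...`, and any PIN inside the URI ends up in the process list and shell history. The sample URI is the one quoted in the issue text.

```python
"""Parse and sanity-check a PKCS#11 URI (RFC 7512) before handing it to
openssl req -key.  Added example; not code from the tpm2-pkcs11 project."""
from urllib.parse import unquote_to_bytes

# Constructed sample: the URI quoted in the issue text above.
SAMPLE_URI = ("pkcs11:model=SLI9670;manufacturer=Infineon;serial=0000000000000000;"
              "token=openvpn;id=%38%37%66%35%30%37%31%35%32%31%66%34%37%31%36%35;"
              "type=private;pin-value=1234")
# RFC 7512 section 2.3: these belong in the query component after '?', never in the path.
QUERY_ONLY = {"pin-value", "pin-source", "module-name", "module-path"}


def _split_attrs(component, separator):
    """Turn 'k=v<sep>k=v' into a dict of percent-decoded values; 'id' stays bytes (CKA_ID)."""
    attrs = {}
    for item in filter(None, component.split(separator)):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {item!r}")
        raw = unquote_to_bytes(value)
        attrs[key] = raw if key == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    return _split_attrs(path_part, ";"), _split_attrs(query_part, "&")


def check_key_uri(uri):
    """List findings that stop a strict consumer from using the URI as a signing key."""
    path, query = parse_pkcs11_uri(uri)
    findings = []
    if path.get("type") != "private":
        findings.append("type must be 'private' to sign a CSR")
    if not (path.keys() & {"token", "serial", "slot-id"}):
        findings.append("no token/serial/slot-id attribute; the module may pick another slot")
    for key in sorted(path.keys() & QUERY_ONLY):
        findings.append(f"{key} is a query attribute: write '?{key}=...' after the path, not ';{key}=...'")
    if "pin-value" in path or "pin-value" in query:
        findings.append("PIN is embedded in the URI and will appear in process listings and shell history")
    return findings
```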