[Bug 1983665] Re: Problem loading private RSA key with pkcs11 engine, tpm2 module
Simon Chopin
1983665 at bugs.launchpad.net
Tue Sep 20 14:43:40 UTC 2022
** Changed in: openssl (Ubuntu)
Status: New => Invalid
https://bugs.launchpad.net/bugs/1983665
Title:
Problem loading private RSA key with pkcs11 engine, tpm2 module
Status in openssl package in Ubuntu:
Invalid
Bug description:
Problem:
We have prepared an rsa2048 keypair in tpm2 and would like to access
it using the pkcs11 engine of OpenSSL which fails as described below.
Please note that the error messages pasted below look somewhat related
to https://bugs.launchpad.net/ubuntu/+source/tpm2-tss/+bug/1983160
Is the fix mentioned in that bug already published or could this be a
different error?
Setup:
The TPM2 device:
~# dmesg | grep TPM
[ 0.006201] ACPI: TPM2 0x000000007EB75000 00004C (v04 BOCHS BXPCTPM2 00000001 BXPC 00000001)
[ 0.006209] ACPI: Reserving TPM2 table memory at [mem 0x7eb75000-0x7eb7504b]
[ 0.372512] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
The RSA keypair in TPM2:
~# pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so --login --list-objects
WARNING: Getting tokens from fapi backend failed.
Using slot 0 with a present token (0x1)
Logging in to "testlabel".
Please enter User PIN: ****
Private Key Object; RSA
label:
ID: 31323731386436643066616361643434
Usage: decrypt, sign
Access: sensitive, always sensitive, never extractable, local
Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS
Public Key Object; RSA 2048 bits
label:
ID: 31323731386436643066616361643434
Usage: encrypt, verify
Access: local
Here the openssl.cnf:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
# See also note on dynamic_path = ... below
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so
init = 0
[ req ]
distinguished_name = req_dn
string_mask = utf8only
utf8 = yes
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
req_extensions = v3_req
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
[ req_dn ]
commonName = Test Subject
We test the pkcs11 engine availability:
~# openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
[ available ]
Now we try using OpenSSL to generate a CSR:
~# openssl req -config ./openssl.cnf -verbose -new -engine pkcs11 -keyform engine -key slot_1-id_38636232383264363035316365623962 -out ./test.csr -subj /CN=some.test.name
Results in an error:
Engine "pkcs11" set.
Using configuration from ./openssl.cnf
WARNING: Getting tokens from fapi backend failed.
Enter PKCS#11 token PIN for openvpn:
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:754:iesys_cryptossl_pk_encrypt() ErrorCode (0x00070001) Could not create rsa key.
ERROR:esys:src/tss2-esys/esys_iutil.c:521:iesys_compute_encrypted_salt() During encryption. ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:226:Esys_StartAuthSession_Async() Error in parameter encryption. ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:113:Esys_StartAuthSession() Error in async function ErrorCode (0x00070001)
ERROR: Esys_StartAuthSession: esapi:Catch all for all errors not otherwise specified
ERROR: Could not start Auth Session with the TPM.
ERROR: Error unsealing wrapping key
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:slot_1-id_38636232383264363035316365623962
80DB703FD47F0000:error:03000096:digital envelope routines:fromdata_init:operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
80DB703FD47F0000:error:41800005:PKCS#11 module:ERR_CKR_error:General Error:p11_slot.c:245:
80DB703FD47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:
On a side note, we do not specify dynamic_path in the openssl.cnf.
If we set in openssl.cnf:
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
then we receive a different error:
...
807B8B140C7F0000:error:1280006A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:../crypto/dso/dso_dlfcn.c:188:symname(EVP_PKEY_base_id): /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so: undefined symbol: EVP_PKEY_base_id
...
Additional information:
Release: 22.04.1 LTS (Jammy Jellyfish)
Packages:
libengine-pkcs11-openssl:amd64 0.4.11-1build3
libp11-3:amd64 0.4.11-1build3
p11-kit 0.24.0-6build1
openssl 3.0.2-0ubuntu1.6
tpm2-openssl:amd64 1.0.1-1
libtpm2-pkcs11-1 1.7.0-1ubuntu1
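As an added example (not part of the bug report, of tpm2-tss or of libp11), a small Python parser for the two error formats pasted above: it unpacks the tss2 ErrorCode into its layer and base code (layer in bits 16..23, as in tss2_common.h) and the OpenSSL 3 error code into its library id (bits 23..31, the ERR_PACK layout in err.h), so a reader can see that the failure originates in the ESYS layer and only then surfaces through the PKCS#11 module and ENGINE_load_private_key. The function names are my own, and the id-to-name tables are deliberately limited to the ids that appear in this report.

```python
import re

# OpenSSL 3 ERR_PACK layout (include/openssl/err.h): library id in bits 23..31,
# reason code in the low 23 bits; ids >= 128 are handed out at runtime to engines.
OSSL_LIBS = {6: "EVP", 37: "DSO", 38: "ENGINE"}
# TSS2 return codes (tss2_common.h): layer number in bits 16..23, base code below it.
TSS2_LAYERS = {7: "ESYS"}
TSS2_BASE = {1: "GENERAL_FAILURE"}

OSSL_RE = re.compile(r"^[0-9A-Fa-f]+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")
TSS2_RE = re.compile(r"^ERROR:(\w+):([^:]+):(\d+):(\w+)\(\) (.*)$")
RC_RE = re.compile(r"\s*ErrorCode \((0x[0-9A-Fa-f]+)\)\s*")

def parse_openssl(line):
    """One OpenSSL 3 error-queue line -> dict, or None if the line is not one."""
    m = OSSL_RE.match(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib_id = (code >> 23) & 0xFF
    return {"src": "openssl", "lib": OSSL_LIBS.get(lib_id, f"runtime#{lib_id}"),
            "reason_code": code & 0x7FFFFF, "func": m.group(3),
            "reason": m.group(4), "file": m.group(5), "line": int(m.group(6))}

def parse_tss2(line):
    """One tss2 'ERROR:<module>:<file>:<line>:<func>() ...' line -> dict, or None.
    The ErrorCode may precede or follow the message, so it is extracted separately."""
    m = TSS2_RE.match(line)
    rc = RC_RE.search(m.group(5)) if m else None
    if not rc:
        return None
    code = int(rc.group(1), 16)
    layer, base = (code >> 16) & 0xFF, code & 0xFFFF
    return {"src": "tss2", "module": m.group(1), "func": m.group(4),
            "file": m.group(2), "line": int(m.group(3)),
            "layer": TSS2_LAYERS.get(layer, f"layer#{layer}"),
            "base": TSS2_BASE.get(base, f"base#{base}"),
            "msg": RC_RE.sub(" ", m.group(5)).strip()}

def triage(log):
    """Parse a captured log in order: the first tss2 record is the deepest failure,
    the OpenSSL records after it show how it surfaced through the engine."""
    return [r for r in (parse_tss2(l) or parse_openssl(l) for l in log.splitlines()) if r]

# Sample input: four lines copied from the output pasted in the bug report.
SAMPLE = """ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:754:iesys_cryptossl_pk_encrypt() ErrorCode (0x00070001) Could not create rsa key.
ERROR:esys:src/tss2-esys/esys_iutil.c:521:iesys_compute_encrypted_salt() During encryption. ErrorCode (0x00070001)
80DB703FD47F0000:error:03000096:digital envelope routines:fromdata_init:operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
80DB703FD47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:"""
```

Running `triage(SAMPLE)` yields two ESYS GENERAL_FAILURE records followed by the EVP and ENGINE records, in that order.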