[opencryptoki-users] Can't write objects to token
From: Steve A. <sa...@go...> - 2012-02-28 21:42:12
I'm trying to track down a problem with opencryptoki on Ubuntu Precise. (Precise currently has opencryptoki 2.3.1.) I'm using the TPM module for opencryptoki. Although I can initialize the token, I can't seem to write any objects to it.

First I initialized the token and set the PINs:

  pkcsconf -I -c 0 -S 87654321
  pkcsconf -P -c 0 -S 87654321 -n 111111
  pkcsconf -u -c 0 -S 111111 -n 000000

This all worked fine, and pkcsconf -t -c 0 gives me this:

  Token #0 Info:
        Label: x
        Manufacturer: IBM Corp.
        Model: TPM v1.1 Token
        Serial Number: 123
        Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
        Sessions: -1/-1
        R/W Sessions: -1/-1
        PIN Length: 4-8
        Public Memory: 0xFFFFFFFF/0xFFFFFFFF
        Private Memory: 0xFFFFFFFF/0xFFFFFFFF
        Hardware Version: 1.0
        Firmware Version: 1.0
        Time: 01:25:35 PM

Now I can write an X.509 cert:

  # pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 --write-object cert.der --type cert --id 1
  Using slot 0 with a present token (0x0)
  Created certificate:
  Certificate Object, type = X.509 cert
    label:
    ID:         01

But when I try to list the objects stored in the token, I get this:

  # pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 -O
  Using slot 0 with a present token (0x0)
  warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
  Data object 1
  warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
    label:          <empty>
  warning: PKCS11 function C_GetAttributeValue(APPLICATION) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
    application:    <empty>
  warning: PKCS11 function C_GetAttributeValue(OBJECT_ID) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
    app_id:         <empty>
  warning: PKCS11 function C_GetAttributeValue(MODIFIABLE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
  warning: PKCS11 function C_GetAttributeValue(PRIVATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
    flags:

The TOK_OBJ directory is empty, so clearly the cert wasn't successfully written:

  # tree /var/lib/opencryptoki/tpm
  /var/lib/opencryptoki/tpm
  |-- MK_SO
  |-- MK_USER
  |-- NVTOK.DAT
  `-- root
      |-- NVTOK.DAT
      `-- TOK_OBJ

The duplicated NVTOK.DAT seems suspicious. The NVTOK.DAT in the top-level directory contains the label that I gave the token (just "x"), but root/NVTOK.DAT contains "IBM PKCS#11 TPM Token" as the label.

Does anyone have any suggestions for how to debug this?

- Steve
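An added triage script, not part of the thread or of opencryptoki, that parses the kind of `pkcs11-tool -O` output quoted above and inventories the token directory layout the post shows, so a listing that refuses attributes PKCS#11 never marks sensitive (CLASS, LABEL, PRIVATE and so on) can be cross-checked against what actually landed in TOK_OBJ. The sample listing and the temporary directory tree are constructed from the post, and the set of never-sensitive attributes is this script's own assumption.

```python
import re
import tempfile
from pathlib import Path
WARN_RE = re.compile(r"warning: PKCS11 function C_GetAttributeValue\((?P<attr>\w+)\) failed: "
                     r"rv = (?P<rv>CKR_\w+) \(0x[0-9a-fA-F]+\)")
OBJ_RE = re.compile(r"^(?P<kind>Certificate|Data|Private Key|Public Key|Secret Key) [Oo]bject")
# PKCS#11 never marks these sensitive, so CKR_ATTRIBUTE_SENSITIVE on them means a broken record.
NEVER_SENSITIVE = {"CLASS", "LABEL", "PRIVATE", "MODIFIABLE", "TOKEN"}
# Constructed sample, cut down from the `pkcs11-tool -O` listing quoted in the post.
SAMPLE = """warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
Data object 1
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
warning: PKCS11 function C_GetAttributeValue(PRIVATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
"""

def parse_listing(text):
    """Group the attribute reads that failed in a `pkcs11-tool -O` run by object."""
    objects, pending = [], {}   # pending: warnings printed before the object's header line
    for line in text.splitlines():
        hdr, warn = OBJ_RE.match(line.strip()), WARN_RE.search(line)
        if hdr:
            objects.append({"kind": hdr.group("kind"), "failed": pending})
            pending = {}
        elif warn:
            attr, rv = warn.group("attr"), warn.group("rv")
            # CLASS is queried first and printed before the header, so it opens a new object
            target = pending if (attr == "CLASS" or pending or not objects) else objects[-1]["failed"]
            target[attr] = rv
    return objects

def diagnose(objects):
    """(index, kind, attrs) for objects whose never-sensitive attributes were refused."""
    refused = lambda o: sorted(a for a, rv in o["failed"].items()
                               if a in NEVER_SENSITIVE and rv == "CKR_ATTRIBUTE_SENSITIVE")
    return [(i, o["kind"], refused(o)) for i, o in enumerate(objects) if refused(o)]

def check_store(token_dir):
    """Inventory NVTOK.DAT copies and TOK_OBJ contents under an opencryptoki token directory."""
    root = Path(token_dir)
    rel = lambda p: str(p.relative_to(root))
    return {"nvtok_files": sorted(rel(p) for p in root.rglob("NVTOK.DAT")),
            "objects_on_disk": {rel(d): sum(1 for p in d.iterdir() if p.is_file())
                                for d in root.rglob("TOK_OBJ") if d.is_dir()}}

def demo():
    base = Path(tempfile.mkdtemp())  # constructed stand-in for /var/lib/opencryptoki/tpm
    (base / "root" / "TOK_OBJ").mkdir(parents=True)
    for name in ("MK_SO", "MK_USER", "NVTOK.DAT", "root/NVTOK.DAT"):
        (base / name).touch()
    return diagnose(parse_listing(SAMPLE)), check_store(base)
```

Run against the real token directory, `check_store("/var/lib/opencryptoki/tpm")` shows at a glance whether an object the tool reported as created ever reached TOK_OBJ, and how many NVTOK.DAT copies exist.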