opencryptoki-users Mailing List for openCryptoki (Page 3)
From: Gideon K. <gid...@go...> - 2012-06-25 13:30:52

Hi, I'm trying to use the Sun PKCS#11 provider to manage my TPM token. I can use stored symmetric keys within a Java program but I'm not able to store an AES key in the token. In fact I can store the key but I am not able to read the stored key. The same problem occurs when I use keytool to generate and store a secret key. This is the error which occurs when I try to read the secret key:

    Exception in thread "main" java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
        at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:335)
        at java.security.KeyStore.getKey(KeyStore.java:792)
        at Java4.main(Java4.java:16)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
        at sun.security.pkcs11.P11KeyStore.loadSkey(P11KeyStore.java:1306)
        at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:328)
        ... 2 more

I haven't specified any additional Attributes. The problem does not occur if the key is generated with "tpmtoken_protect". The used software is Java 1.7 and Opencryptoki 2.4.2

Thanks!
From: Mauro R. <mau...@li...> - 2012-05-28 17:55:20

On 24-05-2012 17:21, Joy Latten wrote:
> Mauro,
> hmm.... did you run ldconfig to ensure you are picking up the shared
> objects from the correct place?
> Also, check your PATH and see if you go to /usr/sbin or
> /usr/local/sbin first...

Hi Joy! You are totally right, I forgot to run ldconfig after the installation. It works fine now. Sorry for the trouble.

Thanks,
Mauro Rodrigues
From: Joy L. <la...@us...> - 2012-05-24 20:21:44

Mauro,

hmm.... did you run ldconfig to ensure you are picking up the shared objects from the correct place?
Also, check your PATH and see if you go to /usr/sbin or /usr/local/sbin first...

regards,
Joy

Mauro Rodrigues <mau...@li...> wrote on 05/24/2012 10:27:56 AM:
> Through the messages we can notice that pkcsconf is looking for
> pkcsslotd in the wrong directory (since the installation base directory
> is /usr/local and not /usr/)
>
> Am I doing something wrong?
From: Mauro R. <mau...@li...> - 2012-05-24 15:28:13

On 23-05-2012 19:42, Kent Yoder wrote:
> Ah yes, it looks like in pkcs11_startup.in, @localstatedir@ is used
> instead of @CONFIG_DIR@, which is used everywhere else. This only
> bites us when $prefix has a value from configure.

I understand that, but earlier I ran configure without setting a prefix, then make and make install. The installation base directory in this case was /usr/local/, then I ran pkcs11_startup and pkcsslotd start, and finally I tried pkcsconf -t and got the error below:

    # sudo /usr/local/sbin/pkcsconf -t
    Error initializing the PKCS11 library: 0x2 (CKR_HOST_MEMORY)

Rajiv helped me at this point too, and running strace pkcsconf -t we found the following problem:

    stat("/usr/sbin/pkcsslotd", 0x7fffc4d53e90) = -1 ENOENT (No such file or directory)

Looking into /var/log/messages we can also see:

    May 24 12:08:31 oc8155576145 pkcsconf: api_interface.c C_Initialize: Module failed to attach to shared memory. Verify that the slot management daemon is running, errno=2

Of course I checked pkcsslotd and it was running.

Through the messages we can notice that pkcsconf is looking for pkcsslotd in the wrong directory (since the installation base directory is /usr/local and not /usr/).

Am I doing something wrong?

Should I start a new thread to report this issue?

Thanks!
From: Joy L. <la...@us...> - 2012-05-23 22:46:55

Hi Mauro,

Thanks! I will take a look at this first thing tomorrow and see what is happening.

regards,
Joy
From: Kent Y. <shp...@gm...> - 2012-05-23 22:43:00

Hi Mauro,

On Wed, May 23, 2012 at 5:11 PM, Mauro Rodrigues <mau...@li...> wrote:
> With Rajiv's help we figured out a build error: pkcsconf looks for the
> token in the wrong directory, we saw that running:
>
>     strace pkcsconf -t 2>&1 | grep swtok
>     stat("/var/lib/opencryptoki/swtok", 0x7ffff05c5fe0) = -1 ENOENT (No such file or directory)
>
> The token exists in /usr/var/lib/opencryptoki/swtok instead of the
> directory above.

Ah yes, it looks like in pkcs11_startup.in, @localstatedir@ is used instead of @CONFIG_DIR@, which is used everywhere else. This only bites us when $prefix has a value from configure.

> For now I did a symbolic link as a workaround, but Rajiv advised me to
> report it as a bug in this list.

Yes, thanks for the report!

Kent

--
IBM LTC Security
From: Mauro R. <mau...@li...> - 2012-05-23 22:12:47

Hello everyone!

I'm building opencryptoki from git's master branch as described below:

    ./configure --prefix=/usr --enable-debug --enable-testcases
    make
    make install

With CCA, TPM and Software tokens enabled successfully. Then I ran 'pkcs11_startup' and 'pkcsslotd start', also successfully, but when I tried to get token information, for example with 'pkcsconf -t', it returned the following message:

    C_GetSlotList returned 0 slots. Check that your tokens are installed correctly.

With Rajiv's help we figured out a build error: pkcsconf looks for the token in the wrong directory, as we saw by running:

    strace pkcsconf -t 2>&1 | grep swtok
    stat("/var/lib/opencryptoki/swtok", 0x7ffff05c5fe0) = -1 ENOENT (No such file or directory)

The token exists in /usr/var/lib/opencryptoki/swtok instead of the directory above.

For now I did a symbolic link as a workaround, but Rajiv advised me to report it as a bug in this list.

I didn't prepare a patch to solve this problem because I have doubts about the right way to do it (by changing the pkcs_slot script, or in another file where it's defined, which I believe is usr/lib/pkcs11/soft_stdll/tok_struct.h, but I didn't have time to do a deeper analysis).

Thanks!

Mauro S M Rodrigues
From: Joy L. <la...@au...> - 2012-04-27 21:14:48

Opencryptoki release 2.4.2 is now available.

- It contains a fix that re-factored spinlocks for shared memory. The locks reside in /var/locks/opencryptoki per token.

regards,
Joy
From: Steve A. <sa...@go...> - 2012-02-28 21:42:12

I'm trying to track down a problem with opencryptoki on Ubuntu Precise. (Precise currently has opencryptoki 2.3.1.) I'm using the TPM module for opencryptoki. Although I can initialize the token, I can't seem to write any objects to it.

First I initialized the token and set the PINs.

    pkcsconf -I -c 0 -S 87654321
    pkcsconf -P -c 0 -S 87654321 -n 111111
    pkcsconf -u -c 0 -S 111111 -n 000000

This all worked fine, and pkcsconf -t -c 0 gives me this:

    Token #0 Info:
        Label: x
        Manufacturer: IBM Corp.
        Model: TPM v1.1 Token
        Serial Number: 123
        Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
        Sessions: -1/-1
        R/W Sessions: -1/-1
        PIN Length: 4-8
        Public Memory: 0xFFFFFFFF/0xFFFFFFFF
        Private Memory: 0xFFFFFFFF/0xFFFFFFFF
        Hardware Version: 1.0
        Firmware Version: 1.0
        Time: 01:25:35 PM

Now I can write an X.509 cert:

    # pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 --write-object cert.der --type cert --id 1
    Using slot 0 with a present token (0x0)
    Created certificate:
    Certificate Object, type = X.509 cert
      label:
      ID:         01

But when I try to list the objects stored in the token, I get this:

    # pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 -O
    Using slot 0 with a present token (0x0)
    warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
    Data object 1
    warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
      label:          <empty>
    warning: PKCS11 function C_GetAttributeValue(APPLICATION) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
      application:    <empty>
    warning: PKCS11 function C_GetAttributeValue(OBJECT_ID) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
      app_id:         <empty>
    warning: PKCS11 function C_GetAttributeValue(MODIFIABLE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
    warning: PKCS11 function C_GetAttributeValue(PRIVATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
      flags:

The TOK_OBJ directory is empty, so clearly the cert wasn't successfully written:

    # tree /var/lib/opencryptoki/tpm
    /var/lib/opencryptoki/tpm
    |-- MK_SO
    |-- MK_USER
    |-- NVTOK.DAT
    `-- root
        |-- NVTOK.DAT
        `-- TOK_OBJ

The duplicated NVTOK.DAT seems suspicious. The NVTOK.DAT in the top-level directory contains the label that I gave the token (just "x"), but root/NVTOK.DAT contains "IBM PKCS#11 TPM Token" as the label.

Does anyone have any suggestions for how to debug this?

- Steve
From: Kent Y. <ke...@li...> - 2012-02-23 16:40:17

On Wed, 2012-02-22 at 13:58 -0600, Joy Latten wrote:
> opencryptoki version 2.4.1 contains
> - SHA256 support added for CCA token.
> - Several crypto algorithm testcases refactored to include published
> test vectors.
> - Testcase directory restructured for future improvements.
> - Allow tpm stdll to get SRK passwd and mode from new env variables.

One thing to add here -- allowing any SRK password in the TPM token was probably our most requested feature, see here [1] for info on how to use it and please report any bugs.

Thanks,
Kent

[1] http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blob;f=doc/README.tpm_stdll;h=dda0d2263cfbb3df8c65ebc64b8006e3242f6321;hb=HEAD#l58

> - Renamed spinlocks for shared memory to /var/lock dir and did
> some cleanup of unused locking schemes.
> - Various bugfixes and cleanup.
>
> regards,
> Joy Latten
From: Joy L. <la...@au...> - 2012-02-23 15:41:00

opencryptoki version 2.4.1 contains

- SHA256 support added for CCA token.
- Several crypto algorithm testcases refactored to include published test vectors.
- Testcase directory restructured for future improvements.
- Allow tpm stdll to get SRK passwd and mode from new env variables.
- Renamed spinlocks for shared memory to /var/lock dir and did some cleanup of unused locking schemes.
- Various bugfixes and cleanup.

regards,
Joy Latten
From: Joy L. <la...@us...> - 2012-02-08 16:17:47
|
hmmm... I suggest trying 2 things. 1. Ensure the srk passwd is NULL. Currently, opencryptoki is hard-coded with srk passwd null. So when you do the tpm_changeownerauth and you are prompted for new srk passwd, just hit enter, and that should do it. If the srk passwd is set to something other than NULL, then when you run the tpm_tokeninit, to reset the SO pin, it will fail since opencryptoki will then be giving tpm an incorrect srk passwd. 2. As a precaution, stop your pkcsslotd daemon and then restart it. Then try tpmtoken_init. 2. If it still does not work after setting srk passwd to NULL, then you may need to manually clear out the old opencryptoki tpm data for the user. Something may be out of sync. I think on rhel 6.2, it is /var/lib/opencryptoki/tpm/<username>, where "<username>" is the uuid or username of your tpm user you want to reset. Go there and remove that user's info in /var/lib/opencryptoki/tpm/<username>. Stop and restart pkcsslotd. Now try tpm_tokeninit. regards, Joy John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012 05:22:14 PM: > John Petkovsek Petkovsek <jpe...@ho...> > 02/07/2012 05:22 PM > > To > > <au...@go...> > > cc > > Joy Latten/Austin/IBM@IBMUS, opencrypto <opencryptoki- > us...@li...> > > Subject > > RE: [opencryptoki-users] (no subject) > > > I restarted tcsd and I got farther. The tpm_changeownerauth command > worked without any errrors but I still get an error when I run tpm_tokeninit: > [root@tpm2 ~]# tpmtoken_init > Warning: The TPM token has already been initialized. Reinitializing > the TPM token will cause all TPM token data to be lost. > Clear the TPM token data? [y/N]: y > Enter the TPM security officer password: > A new TPM security officer password is needed. The password must be > between 6 and 127 characters in length. > Enter new password: > Confirm password: > C_SetPIN failed: 0x00000006 (6) > > > > > Date: Tue, 7 Feb 2012 14:24:36 -0800 > > Subject: Re: [opencryptoki-users] (no subject) > > From: au...@go... 
> > To: jpe...@ho... > > CC: la...@us...; ope...@li... > > > > you need to restart tcsd after replacing system.data, at the least the > > error should have changed. > > > > If you picked the wrong system.data you would get an "Invalid tag" > > error during the LoadKey command instead of "Key not found". > > > > > > august huber > > security engineer > > google.com > > pgp:0xb6a0f519 > > > > > > > > On Tue, Feb 7, 2012 at 2:11 PM, John Petkovsek Petkovsek > > <jpe...@ho...> wrote: > > > > > > /var/lib/tpm/system.data was a zero length file but copying the data from > > > the link you gave didn't make any of the error go away. > > > > > >> Date: Tue, 7 Feb 2012 13:19:14 -0800 > > > > > >> Subject: Re: [opencryptoki-users] (no subject) > > >> From: au...@go... > > >> To: la...@us... > > >> CC: jpe...@ho...; ope...@li... > > > > > >> > > >> It appears you are missing valid /var/lib/tpm/system.data reference to > > >> SRK which is setup during tpm_takeownership: copy from a known good > > >> source > > >> > > >> > > >> http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/ > trousers;a=tree;f=dist > > >> > > >> august huber > > >> security engineer > > >> google.com > > >> pgp:0xb6a0f519 > > >> > > >> > > >> > > >> On Tue, Feb 7, 2012 at 12:17 PM, Joy Latten <la...@us...> wrote: > > >> > Hi John, > > >> > > > >> > My apologies I thought you were using the well-known passwords and had > > >> > maybe > > >> > not run > > >> > tpm_takeownership. If you already ran tpm_takeownership, then have you > > >> > tried > > >> > tpm_restrictsrk -a ? > > >> > Did you run any other tpm commands? If you could give me an > idea of what > > >> > you > > >> > did to setup, it would help. 
> > >> > > > >> > regards, > > >> > Joy > > >> > > > >> > John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012 > > >> > 01:13:37 PM: > > >> > > > >> >> John Petkovsek Petkovsek <jpe...@ho...> > > >> >> 02/07/2012 01:13 PM > > >> >> > > >> >> To > > >> >> > > >> >> Joy Latten/Austin/IBM@IBMUS > > >> >> > > >> >> cc > > >> >> > > >> >> opencrypto <ope...@li...> > > >> >> > > >> >> Subject > > >> >> > > >> >> RE: [opencryptoki-users] (no subject) > > >> > > > >> > > > >> >> > > >> >> > > >> >> Yes this is a new setup. > > >> >> I ran the tpm_takeownership command but not with the -y and -z > > >> >> options ..... I entered a user password when prompted. > > >> >> Now when I try to run tpm_takeownership -y -z I get the following > > >> >> error: > > >> >> > > >> >> [root@tpm2 ~]# tpm_takeownership -y -z > > >> >> Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 > > >> >> (8), The TPM target command has been disabled > > >> >> > > >> >> > > >> >> Subject: Re: [opencryptoki-users] (no subject) > > >> >> To: jpe...@ho... > > >> >> CC: ope...@li... > > >> >> From: la...@us... > > >> >> Date: Tue, 7 Feb 2012 12:53:30 -0600 > > >> >> > > >> >> Hi, > > >> >> > > >> >> Is this a new setup? Were these the only commands run? > > >> >> Did you take ownership of the tpm via tpm_takeownership -y -z? > > >> >> And allow SRK read access using SRK auth via tpm_restrictsrk -a -z ? > > >> >> > > >> >> Yes, currently, it is hardcoded in opencryptoki to expect a null SRK > > >> >> password, so you will also need to do tpm_changeownerauth -s > > >> >> --well-known. > > >> >> But you first must have ownership of the tpm. 
> > >> >> > > >> >> regards, > > >> >> Joy > > >> >> > > >> >> John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/ > > >> >> 2012 10:18:04 AM: > > >> >> > > >> >> > John Petkovsek Petkovsek <jpe...@ho...> > > >> >> > 02/07/2012 10:18 AM > > >> >> > > > >> >> > To > > >> >> > > > >> >> > <ope...@li...> > > >> >> > > > >> >> > cc > > >> >> > > > >> >> > Subject > > >> >> > > > >> >> > [opencryptoki-users] (no subject) > > >> >> > > > >> >> > > > >> >> > I get the following error when I run tpmtoken_init: > > >> >> > > > >> >> > [root@tpm2 usr]# tpmtoken_init > > >> >> > Warning: The TPM token has already been initialized. Reinitializing > > >> >> > the TPM token will cause all TPM token data to be lost. > > >> >> > Clear the TPM token data? [y/N]: y > > >> >> > Enter the TPM security officer password: > > >> >> > C_Login failed: 0x00000006 (6) > > >> >> > > > >> >> > > > >> >> > I entered the default SO password 87654321 > > >> >> > > > >> >> > > > >> >> > I tried to change the SO password using pkcsconf but that fails as > > >> >> > well: > > >> >> > > > >> >> > [root@tpm2 usr]# pkcsconf -P -c 0 > > >> >> > Enter the SO PIN: > > >> >> > Enter the new SO PIN: > > >> >> > Re-enter the new SO PIN: > > >> >> > Error logging in: 0x6 (CKR_FUNCTION_FAILED) > > >> >> > > > >> >> > > > >> >> > I read it another thread that I may need to change to SRK password > > >> >> > to null but that gives me yet another error: > > >> >> > > > >> >> > [root@tpm2 usr]# tpm_changeownerauth -s > > >> >> > Enter owner password: > > >> >> > Enter new SRK password: > > >> >> > Confirm password: > > >> >> > Tspi_Context_LoadKeyByUUID failed: 0x00002020 - layer=tcs,code=0020 > > >> >> > (32), Key not found in persistent storage > > >> >> > > > >> >> > > > >> >> > pkcsconf -t shows that the PIN need to be changed: > > >> >> > [root@tpm2 usr]# pkcsconf -t > > >> >> > Token #0 Info: > > >> >> > Label: IBM PKCS#11 TPM Token > > >> >> > Manufacturer: IBM Corp. 
> > >> >> > Model: TPM v1.1 Token
> > >> >> > Serial Number: 123
> > >> >> > Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|
> > >> >> > TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > >> >> > Sessions: 0/-2
> > >> >> > R/W Sessions: -1/-2
> > >> >> > PIN Length: 6-127
> > >> >> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > >> >> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > >> >> > Hardware Version: 1.0
> > >> >> > Firmware Version: 1.0
> > >> >> > Time: 10:15:11 AM
> > >> >> > Token #1 Info:
> > >> >> > Label: IBM OS PKCS#11
> > >> >> > Manufacturer: IBM Corp.
> > >> >> > Model: IBM SoftTok
> > >> >> > Serial Number: 123
> > >> >> > Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|
> > >> >> > USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > >> >> > Sessions: 0/-2
> > >> >> > R/W Sessions: -1/-2
> > >> >> > PIN Length: 4-8
> > >> >> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > >> >> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > >> >> > Hardware Version: 1.0
> > >> >> > Firmware Version: 1.0
> > >> >> > Time: 10:15:11 AM
|
From: John P. P. <jpe...@ho...> - 2012-02-08 16:15:06
|
Yeah... I finally got it working. Yesterday I used dist_system.data.noauth to fix the system.data file on my system... I just tried it using dist_system.data.auth and tpmtoken_init worked. Thanks for your help!

From: jpe...@ho...
To: au...@go...
Date: Tue, 7 Feb 2012 23:22:14 +0000
CC: ope...@li...
Subject: Re: [opencryptoki-users] (no subject)

I restarted tcsd and I got farther. The tpm_changeownerauth command worked without any errors but I still get an error when I run tpmtoken_init:

[root@tpm2 ~]# tpmtoken_init
Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
Clear the TPM token data? [y/N]: y
Enter the TPM security officer password:
A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
Enter new password:
Confirm password:
C_SetPIN failed: 0x00000006 (6)

> Date: Tue, 7 Feb 2012 14:24:36 -0800
> Subject: Re: [opencryptoki-users] (no subject)
> From: au...@go...
> To: jpe...@ho...
> CC: la...@us...; ope...@li...
>
> you need to restart tcsd after replacing system.data, at the least the
> error should have changed.
>
> If you picked the wrong system.data you would get an "Invalid tag"
> error during the LoadKey command instead of "Key not found".
>
> august huber
> security engineer
> google.com
> pgp:0xb6a0f519
>
> On Tue, Feb 7, 2012 at 2:11 PM, John Petkovsek Petkovsek
> <jpe...@ho...> wrote:
> >
> > /var/lib/tpm/system.data was a zero length file but copying the data from
> > the link you gave didn't make any of the error go away.
> >
> >> Date: Tue, 7 Feb 2012 13:19:14 -0800
> >> Subject: Re: [opencryptoki-users] (no subject)
> >> From: au...@go...
> >> To: la...@us...
> >> CC: jpe...@ho...; ope...@li...
> >>
> >> It appears you are missing valid /var/lib/tpm/system.data reference to
> >> SRK which is setup during tpm_takeownership: copy from a known good
> >> source
> >>
> >> http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=tree;f=dist
> >>
> >> august huber
> >> security engineer
> >> google.com
> >> pgp:0xb6a0f519
> >>
> >> On Tue, Feb 7, 2012 at 12:17 PM, Joy Latten <la...@us...> wrote:
> >> > Hi John,
> >> >
> >> > My apologies, I thought you were using the well-known passwords and had
> >> > maybe not run tpm_takeownership. If you already ran tpm_takeownership,
> >> > then have you tried tpm_restrictsrk -a ?
> >> > Did you run any other tpm commands? If you could give me an idea of what
> >> > you did to set up, it would help.
> >> >
> >> > regards,
> >> > Joy
> >> >
> >> > John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012
> >> > 01:13:37 PM:
> >> >
> >> >> John Petkovsek Petkovsek <jpe...@ho...>
> >> >> 02/07/2012 01:13 PM
> >> >>
> >> >> To
> >> >> Joy Latten/Austin/IBM@IBMUS
> >> >>
> >> >> cc
> >> >> opencrypto <ope...@li...>
> >> >>
> >> >> Subject
> >> >> RE: [opencryptoki-users] (no subject)
> >> >>
> >> >> Yes, this is a new setup.
> >> >> I ran the tpm_takeownership command but not with the -y and -z
> >> >> options... I entered a user password when prompted.
> >> >> Now when I try to run tpm_takeownership -y -z I get the following
> >> >> error:
> >> >>
> >> >> [root@tpm2 ~]# tpm_takeownership -y -z
> >> >> Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008
> >> >> (8), The TPM target command has been disabled
> >> >>
> >> >> Subject: Re: [opencryptoki-users] (no subject)
> >> >> To: jpe...@ho...
> >> >> CC: ope...@li...
> >> >> From: la...@us...
> >> >> Date: Tue, 7 Feb 2012 12:53:30 -0600
> >> >>
> >> >> Hi,
> >> >>
> >> >> Is this a new setup? Were these the only commands run?
> >> >> Did you take ownership of the tpm via tpm_takeownership -y -z?
> >> >> And allow SRK read access using SRK auth via tpm_restrictsrk -a -z ?
> >> >>
> >> >> Yes, currently, it is hardcoded in opencryptoki to expect a null SRK
> >> >> password, so you will also need to do tpm_changeownerauth -s
> >> >> --well-known.
> >> >> But you first must have ownership of the tpm.
> >> >>
> >> >> regards,
> >> >> Joy
> >> >>
> >> >> John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/
> >> >> 2012 10:18:04 AM:
> >> >>
> >> >> > John Petkovsek Petkovsek <jpe...@ho...>
> >> >> > 02/07/2012 10:18 AM
> >> >> >
> >> >> > To
> >> >> > <ope...@li...>
> >> >> >
> >> >> > cc
> >> >> >
> >> >> > Subject
> >> >> > [opencryptoki-users] (no subject)
> >> >> >
> >> >> > I get the following error when I run tpmtoken_init:
> >> >> >
> >> >> > [root@tpm2 usr]# tpmtoken_init
> >> >> > Warning: The TPM token has already been initialized. Reinitializing
> >> >> > the TPM token will cause all TPM token data to be lost.
> >> >> > Clear the TPM token data? [y/N]: y
> >> >> > Enter the TPM security officer password:
> >> >> > C_Login failed: 0x00000006 (6)
> >> >> >
> >> >> > I entered the default SO password 87654321
> >> >> >
> >> >> > I tried to change the SO password using pkcsconf but that fails as
> >> >> > well:
> >> >> >
> >> >> > [root@tpm2 usr]# pkcsconf -P -c 0
> >> >> > Enter the SO PIN:
> >> >> > Enter the new SO PIN:
> >> >> > Re-enter the new SO PIN:
> >> >> > Error logging in: 0x6 (CKR_FUNCTION_FAILED)
> >> >> >
> >> >> > I read in another thread that I may need to change the SRK password
> >> >> > to null but that gives me yet another error:
> >> >> >
> >> >> > [root@tpm2 usr]# tpm_changeownerauth -s
> >> >> > Enter owner password:
> >> >> > Enter new SRK password:
> >> >> > Confirm password:
> >> >> > Tspi_Context_LoadKeyByUUID failed: 0x00002020 - layer=tcs, code=0020
> >> >> > (32), Key not found in persistent storage
> >> >> >
> >> >> > pkcsconf -t shows that the PIN needs to be changed:
> >> >> > [root@tpm2 usr]# pkcsconf -t
> >> >> > Token #0 Info:
> >> >> > Label: IBM PKCS#11 TPM Token
> >> >> > Manufacturer: IBM Corp.
> >> >> > Model: TPM v1.1 Token
> >> >> > Serial Number: 123
> >> >> > Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|
> >> >> > TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> >> >> > Sessions: 0/-2
> >> >> > R/W Sessions: -1/-2
> >> >> > PIN Length: 6-127
> >> >> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> >> >> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> >> >> > Hardware Version: 1.0
> >> >> > Firmware Version: 1.0
> >> >> > Time: 10:15:11 AM
> >> >> > Token #1 Info:
> >> >> > Label: IBM OS PKCS#11
> >> >> > Manufacturer: IBM Corp.
> >> >> > Model: IBM SoftTok
> >> >> > Serial Number: 123
> >> >> > Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|
> >> >> > USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> >> >> > Sessions: 0/-2
> >> >> > R/W Sessions: -1/-2
> >> >> > PIN Length: 4-8
> >> >> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> >> >> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> >> >> > Hardware Version: 1.0
> >> >> > Firmware Version: 1.0
> >> >> > Time: 10:15:11 AM
|
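The bring-up order this thread converges on (take ownership with the well-known secrets, open SRK access, make sure tcsd has a non-empty /var/lib/tpm/system.data, restart tcsd, then tpmtoken_init), written out as an added POSIX shell example. It is not code from the thread, from openCryptoki or from TrouSerS. The bring_up function runs the real tpm-tools and openCryptoki commands and needs root, a running tcsd, tpm-tools and openCryptoki; check_system_data and triage are plain shell and encode only the cause/effect pairs stated in the thread. The `service tcsd restart` invocation and the `-r` flag of tpm_changeownerauth (set the new SRK secret to the well-known value) are assumptions about the host's init system and tpm-tools version, and the triage wording is this example's own mapping, not output of any tool.

```shell
#!/bin/sh
# Added example; not code from this thread, openCryptoki or TrouSerS.
# Bring-up of the openCryptoki TPM token on a TPM 1.2 host running tcsd,
# in the order the thread converged on, plus a pre-flight check on the
# TSS persistent store and a triage table for the errors seen above.

# Path TrouSerS uses for its persistent key store (the file in the thread).
SYSTEM_DATA="${SYSTEM_DATA:-/var/lib/tpm/system.data}"

# check_system_data [path]
# Returns 0 if the store exists and is non-empty, 1 if missing, 2 if
# zero-length. A zero-length system.data is what the thread found behind
# "Key not found in persistent storage": tcsd had no SRK record to load.
check_system_data() {
    f="${1:-$SYSTEM_DATA}"
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "zero-length: $f (no SRK record for tcsd)" >&2; return 2; }
    return 0
}

# triage "<error line>"
# Maps an error line from tpm-tools, tpmtoken_init or pkcsconf to the next
# step, using only the cause/effect pairs the thread states. Returns 1 for
# anything it does not recognise (e.g. the Tspi_Key_GetPubKey rc=0x1 line,
# which the thread never explains).
triage() {
    case "$1" in
        *"Key not found in persistent storage"*)
            echo "restore system.data from a known-good copy (the thread's fix used TrouSerS' dist_system.data.auth), then restart tcsd" ;;
        *"Invalid tag"*)
            echo "wrong system.data variant for this TPM (auth vs noauth); swap it and restart tcsd" ;;
        *"C_Login failed: 0x00000006"*|*"C_SetPIN failed: 0x00000006"*|*CKR_FUNCTION_FAILED*)
            echo "token cannot use the SRK: confirm ownership, tpm_restrictsrk -a -z and a well-known SRK secret, then check tcsd's log" ;;
        *"The TPM target command has been disabled"*)
            echo "TPM refused TakeOwnership; in the thread this appeared on a re-run after ownership had already been taken" ;;
        *)
            echo "unrecognised: $1" >&2; return 1 ;;
    esac
}

# bring_up
# The real sequence. Not exercised by the checks below. Ownership is taken
# with the well-known (all-zero) owner and SRK secrets, so the SRK secret is
# already what the openCryptoki TPM token expects (the thread notes a null
# SRK secret is hard-coded there).
bring_up() {
    tpm_takeownership -y -z || return 1   # -y/-z: well-known owner/SRK secrets
    tpm_restrictsrk -a -z || return 1     # allow SRK use with SRK auth (-z: well-known owner secret)
    # If ownership was taken earlier with a real SRK secret, reset it with
    # tpm_changeownerauth -s -r (assumed tpm-tools flag: new secret = well-known).
    check_system_data "$SYSTEM_DATA" || return 1
    service tcsd restart || return 1      # assumed init interface; tcsd reads system.data at start
    tpmtoken_init || return 1
    pkcsconf -t                           # shows the token's flags and PIN state afterwards
}
```

check_system_data runs before tcsd is restarted because tcsd only reads system.data at start-up; restoring the file without a restart leaves the "Key not found" error in place, which is the step the thread got stuck on.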
From: John P. P. <jpe...@ho...> - 2012-02-08 16:06:21
|
I also notice that when I try to run the tpmtoken_init command I get an error logged in /var/log/messages that says:

Tspi_Key_GetPubKey failed: rc=0x1
|
From: John P. P. <jpe...@ho...> - 2012-02-07 23:22:22
|
I restarted tcsd and I got farther. The tpm_changeownerauth command worked without any errors but I still get an error when I run tpmtoken_init:

[root@tpm2 ~]# tpmtoken_init
Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
Clear the TPM token data? [y/N]: y
Enter the TPM security officer password:
A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
Enter new password:
Confirm password:
C_SetPIN failed: 0x00000006 (6)
|
From: august h. <au...@go...> - 2012-02-07 22:24:43
|
You need to restart tcsd after replacing system.data; at the least the error should have changed. If you picked the wrong system.data you would get an "Invalid tag" error during the LoadKey command instead of "Key not found".

august huber
security engineer
google.com
pgp:0xb6a0f519

On Tue, Feb 7, 2012 at 2:11 PM, John Petkovsek Petkovsek <jpe...@ho...> wrote:
> /var/lib/tpm/system.data was a zero length file but copying the data from
> the link you gave didn't make any of the errors go away.
>
> [...]
>
> _______________________________________________
> opencryptoki-users mailing list
> ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opencryptoki-users
|
From: John P. P. <jpe...@ho...> - 2012-02-07 22:11:44
|
/var/lib/tpm/system.data was a zero length file but copying the data from the link you gave didn't make any of the errors go away.

> Date: Tue, 7 Feb 2012 13:19:14 -0800
> Subject: Re: [opencryptoki-users] (no subject)
> From: au...@go...
> To: la...@us...
> CC: jpe...@ho...; ope...@li...
>
> It appears you are missing valid /var/lib/tpm/system.data reference to
> SRK which is setup during tpm_takeownership: copy from a known good
> source
>
> http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=tree;f=dist
>
> august huber
> security engineer
> google.com
> pgp:0xb6a0f519
>
> On Tue, Feb 7, 2012 at 12:17 PM, Joy Latten <la...@us...> wrote:
> > [...]
|
From: John P. P. <jpe...@ho...> - 2012-02-07 22:08:07
|
I'm running RHEL 6.2 on an IBM 3550m3.

I installed the following packages:
  tpm-tools
  trousers
  tpm-tools-pkcs11
  opencryptoki

I ran:
  /etc/init.d/tcsd start
  /etc/init.d/pkcsslotd start
  tpm_takeownership ... I entered passwords for the owner and SRK

I then tried to run tpmtoken_init but got the error:
  C_Login failed: 0x00000006 (6)

I then tried to go back and rerun tpm_takeownership and set the SRK password to null but got the error:
  Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled.

I then tried to run tpm_changeownerauth -s to set the SRK password to null but get the error:
  Tspi_Context_LoadKeyByUUID failed: 0x00002020 - layer=tcs, code=0020 (32), Key not found in persistent storage

I ran tpm_restrictsrk -a after seeing your last post but it didn't help.

> Subject: RE: [opencryptoki-users] (no subject)
> To: jpe...@ho...
> CC: ope...@li...
> From: la...@us...
> Date: Tue, 7 Feb 2012 14:17:28 -0600
>
> Hi John,
>
> My apologies I thought you were using the well-known passwords and had maybe
> not run tpm_takeownership. If you already ran tpm_takeownership, then have you tried
> tpm_restrictsrk -a ?
> Did you run any other tpm commands? If you could give me an idea of what you
> did to setup, it would help.
>
> regards,
> Joy
>
> John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012 01:13:37 PM:
> > [...]
|
From: august h. <au...@go...> - 2012-02-07 21:19:20
|
It appears you are missing a valid /var/lib/tpm/system.data reference to the SRK, which is set up during tpm_takeownership: copy from a known good source

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=tree;f=dist

august huber
security engineer
google.com
pgp:0xb6a0f519

On Tue, Feb 7, 2012 at 12:17 PM, Joy Latten <la...@us...> wrote:
> Hi John,
>
> My apologies I thought you were using the well-known passwords and had maybe
> not run tpm_takeownership. If you already ran tpm_takeownership, then have you tried
> tpm_restrictsrk -a ?
> Did you run any other tpm commands? If you could give me an idea of what you
> did to setup, it would help.
>
> regards,
> Joy
>
> John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012 01:13:37 PM:
> > [...]
|
From: Joy L. <la...@us...> - 2012-02-07 20:18:11
|
Hi John,

My apologies, I thought you were using the well-known passwords and had maybe not run tpm_takeownership. If you already ran tpm_takeownership, then have you tried tpm_restrictsrk -a ? Did you run any other tpm commands? If you could give me an idea of what you did to set up, it would help.

regards,
Joy

John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012 01:13:37 PM:
> Yes this is a new setup.
> I ran the tpm_takeownership command but not with the -y and -z
> options ..... I entered a user password when prompted.
> Now when I try to run tpm_takeownership -y -z I get the following error:
>
> [root@tpm2 ~]# tpm_takeownership -y -z
> Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008
> (8), The TPM target command has been disabled
>
> [...]
|
From: John P. P. <jpe...@ho...> - 2012-02-07 19:13:44
|
Yes this is a new setup.
I ran the tpm_takeownership command but not with the -y and -z options ..... I entered a user password when prompted.
Now when I try to run tpm_takeownership -y -z I get the following error:

[root@tpm2 ~]# tpm_takeownership -y -z
Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled

> Subject: Re: [opencryptoki-users] (no subject)
> To: jpe...@ho...
> CC: ope...@li...
> From: la...@us...
> Date: Tue, 7 Feb 2012 12:53:30 -0600
>
> Hi,
>
> Is this a new setup? Were these the only commands run?
> Did you take ownership of the tpm via tpm_takeownership -y -z?
> And allow SRK read access using SRK auth via tpm_restrictsrk -a -z ?
>
> Yes, currently, it is hardcoded in opencryptoki to expect a null SRK
> password, so you will also need to do tpm_changeownerauth -s --well-known.
> But you first must have ownership of the tpm.
>
> regards,
> Joy
>
> John Petkovsek Petkovsek <jpe...@ho...> wrote on 02/07/2012 10:18:04 AM:
> > [...]
|
From: Joy L. <la...@us...> - 2012-02-07 18:53:44
|
Hi,

Is this a new setup? Were these the only commands run?

Did you take ownership of the tpm via tpm_takeownership -y -z? And allow SRK read access using SRK auth via tpm_restrictsrk -a -z ?

Yes, currently, it is hardcoded in opencryptoki to expect a null SRK password, so you will also need to do tpm_changeownerauth -s --well-known. But you first must have ownership of the tpm.

regards,
Joy |
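The TPM-side preparation Joy lists above, turned into a script, as an added example; it is not code from this thread, from opencryptoki or from tpm-tools. It assumes tpm-tools (tpm_version, tpm_takeownership, tpm_restrictsrk, tpm_changeownerauth) with tcsd running, and opencryptoki's pkcsconf and tpmtoken_init in PATH. The function names, the subcommands and the flag-decoding helper are our own; the sample pkcsconf output embedded for the offline check is trimmed from John's message, with one Flags line wrapped the way the quoted mail shows it. Beyond the four commands, the script decodes the raw Flags word pkcsconf prints against the PKCS#11 CKF_* bit values (0x880445 decodes exactly to the six names pkcsconf lists) and verifies after tpmtoken_init that token 0 reports TOKEN_INITIALIZED.

```shell
#!/bin/sh
# Added example; not code from this thread, opencryptoki or tpm-tools.
# Drives the TPM-side preparation from Joy's reply, then re-initialises the
# opencryptoki TPM token and checks pkcsconf's token flags. Assumes tpm-tools
# (tpm_version, tpm_takeownership, tpm_restrictsrk, tpm_changeownerauth) with
# tcsd running, and pkcsconf / tpmtoken_init from opencryptoki in PATH.
# Function names and subcommands are ours.

# Constructed sample: pkcsconf -t output trimmed from John's message, with
# token 1's Flags line wrapped the way the quoted mail shows it.
SAMPLE_PKCSCONF='Token #0 Info:
    Label: IBM PKCS#11 TPM Token
    Model: TPM v1.1 Token
    Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Token #1 Info:
    Label: IBM OS PKCS#11
    Model: IBM SoftTok
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|
    USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)'

# token_flags OUTPUT N: print the flag names pkcsconf lists for token N,
# one per line; a Flags line wrapped across several lines is joined first.
token_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*Token #[0-9]+ Info:/ {
            cur = $0; sub(/^[ \t]*Token #/, "", cur); sub(/ Info:.*/, "", cur); next
        }
        cur == want && /Flags:/ { grab = 1; buf = "" }
        grab {
            buf = buf $0
            if (index($0, ")")) {
                grab = 0
                sub(/.*\(/, "", buf); sub(/\).*/, "", buf); gsub(/[ \t]/, "", buf)
                n = split(buf, a, "[|]")
                for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
            }
        }'
}

# token_has_flag OUTPUT N NAME: succeed iff NAME is among token N's flags.
token_has_flag() { token_flags "$1" "$2" | grep -qx "$3"; }

# decode_token_flags HEX: map the raw CK_TOKEN_INFO.flags word that pkcsconf
# prints (e.g. 0x880445) to the PKCS#11 v2.20 CKF_* names, in bit order, so the
# printed name list can be cross-checked against the hex value.
decode_token_flags() {
    word=$(( $1 ))
    for pair in 1:RNG 2:WRITE_PROTECTED 4:LOGIN_REQUIRED 8:USER_PIN_INITIALIZED \
        32:RESTORE_KEY_NOT_NEEDED 64:CLOCK_ON_TOKEN 256:PROTECTED_AUTHENTICATION_PATH \
        512:DUAL_CRYPTO_OPERATIONS 1024:TOKEN_INITIALIZED 2048:SECONDARY_AUTHENTICATION \
        65536:USER_PIN_COUNT_LOW 131072:USER_PIN_FINAL_TRY 262144:USER_PIN_LOCKED \
        524288:USER_PIN_TO_BE_CHANGED 1048576:SO_PIN_COUNT_LOW 2097152:SO_PIN_FINAL_TRY \
        4194304:SO_PIN_LOCKED 8388608:SO_PIN_TO_BE_CHANGED
    do
        if [ $(( word & ${pair%%:*} )) -ne 0 ]; then printf '%s\n' "${pair#*:}"; fi
    done
}

# The TPM-side steps from the reply, in order; stop at the first failure so a
# later step is never attempted without the ownership it depends on.
tpm_token_prepare() {
    tpm_version >/dev/null || { echo 'tcsd not reachable; is it running?' >&2; return 1; }
    tpm_takeownership -y -z || return 1               # owner and SRK secrets: well-known (20 zero bytes)
    tpm_restrictsrk -a -z || return 1                 # allow reading the SRK public key with SRK auth
    tpm_changeownerauth -s --well-known || return 1   # SRK auth well-known; the TPM token expects a null SRK password
}

# Re-initialise the token (interactive: answers the clear prompt and asks for
# the SO password; John's mail gives the default 87654321), then confirm via
# pkcsconf that token 0 is TOKEN_INITIALIZED and say whether the default SO
# PIN still has to be changed (pkcsconf -P -c 0, as in John's mail).
tpm_token_reinit() {
    tpmtoken_init || return 1
    after=$(pkcsconf -t) || return 1
    token_has_flag "$after" 0 TOKEN_INITIALIZED || { echo 'TPM token not initialized' >&2; return 1; }
    if token_has_flag "$after" 0 SO_PIN_TO_BE_CHANGED; then
        echo 'SO PIN is still the default: run pkcsconf -P -c 0' >&2
    fi
}

case "${1:-}" in
    prepare) tpm_token_prepare ;;
    reinit)  tpm_token_reinit ;;
    decode)  decode_token_flags "$2" ;;
    demo)    token_flags "$SAMPLE_PKCSCONF" 0; echo --; decode_token_flags 0x880445 ;;
    *)       ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run `sh tpm_token.sh prepare` as root with tcsd up, then `sh tpm_token.sh reinit`; `sh tpm_token.sh demo` exercises the parsing on the embedded sample without touching a TPM. One caveat the reply leaves implicit: `-y` makes the TPM owner secret the well-known value as well, so anyone who can reach tcsd can run owner-authorised TPM commands. Only the SRK secret has to be null for the token (per the reply), so a real owner secret can be set afterwards with `tpm_changeownerauth -o`.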
From: John P. P. <jpe...@ho...> - 2012-02-07 16:18:14
|
I get the following error when I run tpmtoken_init:

[root@tpm2 usr]# tpmtoken_init
Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
Clear the TPM token data? [y/N]: y
Enter the TPM security officer password:
C_Login failed: 0x00000006 (6)

I entered the default SO password 87654321.

I tried to change the SO password using pkcsconf but that fails as well:

[root@tpm2 usr]# pkcsconf -P -c 0
Enter the SO PIN:
Enter the new SO PIN:
Re-enter the new SO PIN:
Error logging in: 0x6 (CKR_FUNCTION_FAILED)

I read in another thread that I may need to change the SRK password to null but that gives me yet another error:

[root@tpm2 usr]# tpm_changeownerauth -s
Enter owner password:
Enter new SRK password:
Confirm password:
Tspi_Context_LoadKeyByUUID failed: 0x00002020 - layer=tcs, code=0020 (32), Key not found in persistent storage

pkcsconf -t shows that the PINs need to be changed:

[root@tpm2 usr]# pkcsconf -t
Token #0 Info:
    Label: IBM PKCS#11 TPM Token
    Manufacturer: IBM Corp.
    Model: TPM v1.1 Token
    Serial Number: 123
    Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: 0/-2
    R/W Sessions: -1/-2
    PIN Length: 6-127
    Public Memory: 0xFFFFFFFF/0xFFFFFFFF
    Private Memory: 0xFFFFFFFF/0xFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 10:15:11 AM
Token #1 Info:
    Label: IBM OS PKCS#11
    Manufacturer: IBM Corp.
    Model: IBM SoftTok
    Serial Number: 123
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: 0/-2
    R/W Sessions: -1/-2
    PIN Length: 4-8
    Public Memory: 0xFFFFFFFF/0xFFFFFFFF
    Private Memory: 0xFFFFFFFF/0xFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 10:15:11 AM |
From: Joy L. <la...@au...> - 2011-05-18 16:13:51
|
Opencryptoki version 2.4 contains support for Elliptic curve cryptography (ECC) and AES Counter mode (AES-CTR). Much cleanup and many bugfixes have been done; object and session handling are now done via binary trees, and debug messages are logged to a file identified by the user.

regards,
Joy |