opencryptoki-users Mailing List for openCryptoki (Page 4)
From: Kent Y. <shp...@gm...> - 2011-01-18 16:12:18
> So I am a bit stumped as to what the difference might be that causes this.
> I'm just wondering how to debug it further. I.e. what opencryptoki
> trace/logging capability is there and how to switch it on on the Linux
> s390 platform?

Hi Simon,

to trace, compile opencryptoki after doing ./configure --enable-debug, then before running your app, export PKCS11_API_LOG_DEBUG=1 into your environment. There should be some debugging echoed to /var/log/messages.

Which token are you using? In order for opencryptoki to see a new token, there must be an entry in /var/lib/opencryptoki/pk_config_data for it, which will point pkcsslotd to a shared object for the token. pk_config_data is filled out by pkcs11_startup, which should be re-run after installing a new token.

Kent

> Thanks,
>
> Simon McMahon
> IBM
From: Simon M. <smc...@au...> - 2011-01-12 23:37:10
Hi,

I am chasing a problem with an application that cannot see the slots through an opencryptoki lib for a CEX3 smart card implementation. Other applications work fine with it so the smart card and opencryptoki lib work fine most of the time with other apps on the same platform.

When this particular application asks for the slot list it gets told there are no slots. Here is a trace of the calls made (all are returning CKR_OK btw) :

    ->C_GetFunctionList(ppFunctionList=0x80e4ae90)
    Size-Of(FunctionList) : 552, Size-Of(CK_VERSION) : 2
    Size-Of(FunctionListPart): 550, Size-Of(1 Function) : 8, # Functions: 68
    ->C_Initialize(pInitArgs=0xffca55b0)
    CreateMutex: (nil), DestroyMutex (nil), LockMutex (nil), UnlockMutex: (nil)
    flags 0x2, pReserved (nil)
    ->C_GetInfo(pInfo=0xffca5558)
    ** INFO ** cryptokiVersion V 2.11
    ** INFO ** libraryVersion V 2.2
    ** INFO ** flags 0x0
    ** INFO ** libraryDescription Meta PKCS11 LIBRARY
    ** INFO ** manufacturerID IBM
    ->C_GetSlotList(onlyPresentTokens?=0, pSlotList=0x0, pSlotCount=0xffca5d18 [0])
    ** WARN ** No slots returned!

So it doesn't get very far. Other applications when traced return 1 slot and continue normally like this:

    ->C_GetSlotList(onlyPresentTokens?=0, pSlotList=0x0, pSlotCount=0xfff150b8 [0])
    ** INFO ** count=1
    ->C_GetSlotList(onlyPresentTokens?=0, pSlotList=0x80023500, pSlotCount=0xfff150b8 [1])
    ** INFO ** count=1
    ** INFO ** slotId=0
    ->C_GetSlotInfo(slotID=0, pSlotInfo=0xfff14f20)
    ...

The apps that work are pretty simple apps that only link to the p11 lib. The one that fails links to a shared lib which then loads the p11 lib. They both use "dlopen(libPath, RTLD_NOW|RTLD_GLOBAL);" to load the lib. There are no prior calls to the p11 lib other than what is in the traces above.

So I am a bit stumped as to what the difference might be that causes this. I'm just wondering how to debug it further. I.e. what opencryptoki trace/logging capability is there and how to switch it on on the Linux s390 platform?

Thanks,

Simon McMahon
IBM
From: Klaus H. K. <kl...@li...> - 2010-11-26 20:22:54
On Thu, 25 Nov 2010 11:42:43 +0000 "John T. Bittner" <jo...@xa...> wrote:

> Hi Klaus,
>
> Please understand that I am new to this, so thanks for helping and being patient with me.
> From what I read the Sun Crypto Accelerator is included with opencryptoki and is what sun supports to offload normal SSL http Traffic off the host CPU.
> It looks to me that this card is designed to offload the software encryption done by openSSL to the Card to increase SSL traffic performance.
>
> My voip application uses OpenSSL for its TLS SIP connections and from what I understand OpenSSL also handles the SRTP AES encryption for the audio.
>
> Am I way off on how I think it works?
>
> You talked about software (OpenSSL based) token. Can you explain that in more detail what you mean?
> I thought opencryptoki was the API that openSSL would use when it detected it installed.????
>
> Also if you know of any other PCI cards that would do what I am looking to do, let me know. I am not tied to the sun card.
>
> I would be willing to pay to get this up and working with my application if you think it can be done.
>
> Let me know
>
> Thanks
>
> John Bittner

John,

I'm not aware of any Sun product including opencryptoki, or like I said, opencryptoki supporting any hardware other than TPM and IBM hardware.

Also, Opencryptoki doesn't directly work with OpenSSL applications. Opencryptoki is a PKCS#11 implementation, OpenSSL is another API.

I have the impression that you might be mixing project names here. I think the best is to check with your hardware vendor again.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc

> -----Original Message-----
> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
> Sent: Thursday, November 25, 2010 6:07 AM
> To: John T. Bittner
> Cc: ope...@li...
> Subject: Re: [opencryptoki-users] SRTP offload
>
> On Thu, 25 Nov 2010 07:13:32 +0000
> "John T. Bittner" <jo...@xa...> wrote:
>
> > Hi Guys,
> >
> > I am looking to find out if opencryptoki can support offloading Secure RTP and TLS for a voip project I am working on.
> > I was looking to use a Sun Crypto Accelerator 6000 Board in an AMD Server running Linux.
> > If it is supported, is the offloading transparent to the application or does the application need to be linked to opencryptoki.
> >
> > Any help on this is much appreciated.
>
> John,
>
> Currently opencryptoki supports 3 hardware token types, in addition to its software (OpenSSL based) token:
>
> * The ICA token, supporting Clear-Key operations for CEX2A and CEX3A cards (System z)
> * The CCA token, supporting Secure-Key operations for CEX2C and CEX3C cards (also System z)
> * The TPM token, where the key hierarchy and some operations can be done via a Trusted Platform Module (multiple architectures).
>
> There are other "legacy" token types in the tree (bcom, aep, etc) but it's been a long time since they are un-maintained.
>
> I don't believe that the Sun Crypto Accelerator maps to any of those, but patches are (very) welcome.
>
> As to being "transparent" to the application, the application just needs to support exploiting PKCS#11 tokens. How this is done and what can be off-loaded is very application-specific.
>
> For more info about the PKCS#11 standard:
> http://www.rsa.com/rsalabs/node.asp?id=2133
>
> -Klaus
>
> --
> Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
> Open Source Security blog : http://www.ratliff.net/blog
> IBM Linux Technology Center : http://www.ibm.com/linux/ltc
From: Klaus H. K. <kl...@li...> - 2010-11-25 11:06:51
On Thu, 25 Nov 2010 07:13:32 +0000 "John T. Bittner" <jo...@xa...> wrote:

> Hi Guys,
>
> I am looking to find out if opencryptoki can support offloading Secure RTP and TLS for a voip project I am working on.
> I was looking to use a Sun Crypto Accelerator 6000 Board in an AMD Server running Linux.
> If it is supported, is the offloading transparent to the application or does the application need to be linked to opencryptoki.
>
> Any help on this is much appreciated.

John,

Currently opencryptoki supports 3 hardware token types, in addition to its software (OpenSSL based) token:

* The ICA token, supporting Clear-Key operations for CEX2A and CEX3A cards (System z)
* The CCA token, supporting Secure-Key operations for CEX2C and CEX3C cards (also System z)
* The TPM token, where the key hierarchy and some operations can be done via a Trusted Platform Module (multiple architectures).

There are other "legacy" token types in the tree (bcom, aep, etc) but it's been a long time since they are un-maintained.

I don't believe that the Sun Crypto Accelerator maps to any of those, but patches are (very) welcome.

As to being "transparent" to the application, the application just needs to support exploiting PKCS#11 tokens. How this is done and what can be off-loaded is very application-specific.

For more info about the PKCS#11 standard:
http://www.rsa.com/rsalabs/node.asp?id=2133

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
From: Sam Q. <qu...@em...> - 2010-11-11 20:05:57
On Nov 11, 2010, at 10:24 AM, Klaus Heinrich Kiwi wrote:

> Sam:
>
> The TPM token requires the SRK Auth to be "NULL", which is *different* from the "well-known password", a sequence 0x00 bytes with size 20
>
> So I actually got past the initialization if I change the SRK password to NULL (simply press enter at tpm_changeownerauth -s -z) and re-initialize the token with tpmtoken_init (use 87654321 for SO password).

Aha! Yes, that was exactly the problem. It seems to work perfectly — thanks!

-sq
From: Klaus H. K. <kl...@li...> - 2010-11-11 18:25:13
On Thu, 11 Nov 2010 11:42:30 -0600 Kent Yoder <ke...@li...> wrote:

> > I built the latest opencryptoki code with --enable-debug, and it seems that something is wrong with trousers? Adding Kent and Rajiv.
> >
> > [klausk@localhost opencryptoki]$ tpmtoken_init
> > Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> > Clear the TPM token data? [y/N]: y
> > Enter the TPM security officer password:
> > LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> > LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> > A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> > Enter new password:
> > Confirm password:
> > LOG_ERR TPM_STDLL tpm_specific.c:315 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
> > LOG_ERR TPM_STDLL tpm_specific.c:1218 ERROR: token_wrap_sw_key failed. rc=0x1
> > LOG_ERR TPM_STDLL tpm_specific.c:1888 ERROR: FAILED creating SO tree.
>
> This looks like a bad SRK password...

Yeah both Rajiv and you are right. I think I've been bitten by this more than once now.

Sam:

The TPM token requires the SRK Auth to be "NULL", which is *different* from the "well-known password", a sequence 0x00 bytes with size 20

So I actually got past the initialization if I change the SRK password to NULL (simply press enter at tpm_changeownerauth -s -z) and re-initialize the token with tpmtoken_init (use 87654321 for SO password).

Here's the output (ignore the debugging stuff):

    [klausk@localhost opencryptoki]$ tpm_changeownerauth -s -z -l debug
    Tspi_Context_Create success
    Tspi_Context_Connect success
    Tspi_Context_GetTpmObject success
    Tspi_GetPolicyObject success
    Tspi_Policy_SetSecret success
    Changing password for: SRK.
    Enter new SRK password:
    Confirm password:
    Tspi_Context_CreateObject success
    Tspi_Policy_SetSecret success
    Tspi_Context_LoadKeyByUUID success
    Tspi_ChangeAuth success
    Change of SRK password successful.
    Tspi_Context_FreeMemory success
    Tspi_Context_Close success
    [klausk@localhost opencryptoki]$ tpmtoken_init
    Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
    Clear the TPM token data? [y/N]: y
    Enter the TPM security officer password:
    LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
    LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
    A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
    Enter new password:
    Confirm password:
    LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PRIVATE ROOT KEY" not found in the store!
    A new TPM user password is needed. The password must be between 6 and 127 characters in length.
    Enter new password:
    Confirm password:
    [klausk@localhost opencryptoki]$

Thanks Kent and Rajiv!

-Klaus

>
> Kent
>
> > ST MSG TPM_STDLL new_host.c:1224 whammy
> > C_SetPIN failed: 0x00000006 (6)
> > [klausk@localhost opencryptoki]$
> >
> > Note that the "default" SO PIN (87654321) apparently allows tpmtoken_init to log in fine, problem is really with C_SetPin().
> >
> > -Klaus
> >
> > > After running tpmtoken_init, the token does seem to be initialized, but pkcsconf -t reports that the SO and user PINs still need to be changed:
> > >
> > > Token #0 Info:
> > > Label: IBM PKCS#11 TPM Token
> > > Manufacturer: IBM Corp.
> > > Model: TPM v1.1 Token
> > > Serial Number: 123
> > > Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > > Sessions: -1/-1
> > > R/W Sessions: -1/-1
> > > PIN Length: 6-127
> > > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > > Hardware Version: 1.0
> > > Firmware Version: 1.0
> > > Time: 12:36:12 AM
> > > Token #1 Info:
> > > Label: IBM OS PKCS#11
> > > Manufacturer: IBM Corp.
> > > Model: IBM SoftTok
> > > Serial Number: 123
> > > Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > > Sessions: -1/-1
> > > R/W Sessions: -1/-1
> > > PIN Length: 4-8
> > > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > > Hardware Version: 1.0
> > > Firmware Version: 1.0
> > > Time: 12:36:12 AM
> > >
> > > When I run pkcsconf -P, I get a similar error:
> > >
> > > Enter the SO PIN: ********
> > > Enter the new SO PIN: ********
> > > Re-enter the new SO PIN: ********
> > > Error setting PIN: 0x6
> > >
> > > I've tried a number of different things, and looked for answers in a number of places, but I haven't found anything that works yet. These are the steps I'm taking to initialize the TPM, TrouSerS, and openCryptoki:
> > >
> > > - sudo /sbin/modprobe tpm-tis
> > > - sudo tcsd -f
> > > - check: tpm_version should work
> > > - sudo tpm_takeownership -y -z
> > > - sudo tpm_createek (necessary? returns an error: "The TPM target command has been disabled")
> > > - check: sudo tpm_getpubek -z should return a key
> > > - sudo tpm_changeownerauth -o -r -z -l debug (necessary?)
> > > - sudo tpm_changeownerauth -s -r -z -l debug (?)
> > > - sudo tpm_restrictsrk -a -z
> > > - check: sudo tpm_restrictsrk -s -z (should be readable w SRK auth)
> > >
> > > - sudo rm -rf /usr/local/var/lib/opencryptoki/*
> > > - sudo /usr/local/etc/rc.d/init.d/pkcsslotd start
> > > - check: ps uaxw | grep pkcsslotd
> > > - check sudo pkcsconf -t
> > >
> > > - sudo tpmtoken_init -l debug
> > >
> > > I'm using the following versions, all installed from source:
> > > - tpm-tools-1.3.5
> > > - trousers-0.3.6
> > > - opencryptoki-2.3.2
> > >
> > > This is on a CentOS 5.5 box, and the kernel reports itself as 2.6.18-194.17.4.el5. The tpm_* commands seem to work, and tpm_version reports:
> > >
> > > TPM 1.2 Version Info:
> > > Chip Version: 1.2.7.0
> > > Spec Level: 2
> > > Errata Revision: 2
> > > TPM Vendor ID: STM
> > > TPM Version: 01010000
> > > Manufacturer Info: 53544d20
> > >
> > > I don't know precisely what kind of chip that is, but this is a standard, recent Dell box (PE610, I believe).
> > >
> > > So. What am I doing wrong?
> > >
> > > Thanks!
> > > -sq
> >
> > --
> > Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
> > Open Source Security blog : http://www.ratliff.net/blog
> > IBM Linux Technology Center : http://www.ibm.com/linux/ltc

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
From: Rajiv A. <sr...@li...> - 2010-11-11 18:13:25
How is the token handling the SRK well-known password? Null of 20 bytes of 0x00?

---
Rajiv Andrade
Security Development
IBM Linux Technology Center

On 11/11/2010, at 15:42, Kent Yoder wrote:

>> I built the latest opencryptoki code with --enable-debug, and it seems that something is wrong with trousers? Adding Kent and Rajiv.
>>
>> [klausk@localhost opencryptoki]$ tpmtoken_init
>> Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
>> Clear the TPM token data? [y/N]: y
>> Enter the TPM security officer password:
>> LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
>> LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
>> A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
>> Enter new password:
>> Confirm password:
>> LOG_ERR TPM_STDLL tpm_specific.c:315 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
>> LOG_ERR TPM_STDLL tpm_specific.c:1218 ERROR: token_wrap_sw_key failed. rc=0x1
>> LOG_ERR TPM_STDLL tpm_specific.c:1888 ERROR: FAILED creating SO tree.
>
> This looks like a bad SRK password...
>
> Kent
>
>> ST MSG TPM_STDLL new_host.c:1224 whammy
>> C_SetPIN failed: 0x00000006 (6)
>> [klausk@localhost opencryptoki]$
>>
>> Note that the "default" SO PIN (87654321) apparently allows tpmtoken_init to log in fine, problem is really with C_SetPin().
>>
>> -Klaus
>>
>>> After running tpmtoken_init, the token does seem to be initialized, but pkcsconf -t reports that the SO and user PINs still need to be changed:
>>>
>>> Token #0 Info:
>>> Label: IBM PKCS#11 TPM Token
>>> Manufacturer: IBM Corp.
>>> Model: TPM v1.1 Token
>>> Serial Number: 123
>>> Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
>>> Sessions: -1/-1
>>> R/W Sessions: -1/-1
>>> PIN Length: 6-127
>>> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
>>> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
>>> Hardware Version: 1.0
>>> Firmware Version: 1.0
>>> Time: 12:36:12 AM
>>> Token #1 Info:
>>> Label: IBM OS PKCS#11
>>> Manufacturer: IBM Corp.
>>> Model: IBM SoftTok
>>> Serial Number: 123
>>> Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
>>> Sessions: -1/-1
>>> R/W Sessions: -1/-1
>>> PIN Length: 4-8
>>> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
>>> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
>>> Hardware Version: 1.0
>>> Firmware Version: 1.0
>>> Time: 12:36:12 AM
>>>
>>> When I run pkcsconf -P, I get a similar error:
>>>
>>> Enter the SO PIN: ********
>>> Enter the new SO PIN: ********
>>> Re-enter the new SO PIN: ********
>>> Error setting PIN: 0x6
>>>
>>> I've tried a number of different things, and looked for answers in a number of places, but I haven't found anything that works yet. These are the steps I'm taking to initialize the TPM, TrouSerS, and openCryptoki:
>>>
>>> - sudo /sbin/modprobe tpm-tis
>>> - sudo tcsd -f
>>> - check: tpm_version should work
>>> - sudo tpm_takeownership -y -z
>>> - sudo tpm_createek (necessary? returns an error: "The TPM target command has been disabled")
>>> - check: sudo tpm_getpubek -z should return a key
>>> - sudo tpm_changeownerauth -o -r -z -l debug (necessary?)
>>> - sudo tpm_changeownerauth -s -r -z -l debug (?)
>>> - sudo tpm_restrictsrk -a -z
>>> - check: sudo tpm_restrictsrk -s -z (should be readable w SRK auth)
>>>
>>> - sudo rm -rf /usr/local/var/lib/opencryptoki/*
>>> - sudo /usr/local/etc/rc.d/init.d/pkcsslotd start
>>> - check: ps uaxw | grep pkcsslotd
>>> - check sudo pkcsconf -t
>>>
>>> - sudo tpmtoken_init -l debug
>>>
>>> I'm using the following versions, all installed from source:
>>> - tpm-tools-1.3.5
>>> - trousers-0.3.6
>>> - opencryptoki-2.3.2
>>>
>>> This is on a CentOS 5.5 box, and the kernel reports itself as 2.6.18-194.17.4.el5. The tpm_* commands seem to work, and tpm_version reports:
>>>
>>> TPM 1.2 Version Info:
>>> Chip Version: 1.2.7.0
>>> Spec Level: 2
>>> Errata Revision: 2
>>> TPM Vendor ID: STM
>>> TPM Version: 01010000
>>> Manufacturer Info: 53544d20
>>>
>>> I don't know precisely what kind of chip that is, but this is a standard, recent Dell box (PE610, I believe).
>>>
>>> So. What am I doing wrong?
>>>
>>> Thanks!
>>> -sq
>>
>> --
>> Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
>> Open Source Security blog : http://www.ratliff.net/blog
>> IBM Linux Technology Center : http://www.ibm.com/linux/ltc
From: Kent Y. <ke...@li...> - 2010-11-11 17:42:43
> I built the latest opencryptoki code with --enable-debug, and it seems that something is wrong with trousers? Adding Kent and Rajiv.
>
> [klausk@localhost opencryptoki]$ tpmtoken_init
> Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> Clear the TPM token data? [y/N]: y
> Enter the TPM security officer password:
> LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> Enter new password:
> Confirm password:
> LOG_ERR TPM_STDLL tpm_specific.c:315 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1218 ERROR: token_wrap_sw_key failed. rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1888 ERROR: FAILED creating SO tree.

This looks like a bad SRK password...

Kent

> ST MSG TPM_STDLL new_host.c:1224 whammy
> C_SetPIN failed: 0x00000006 (6)
> [klausk@localhost opencryptoki]$
>
> Note that the "default" SO PIN (87654321) apparently allows tpmtoken_init to log in fine, problem is really with C_SetPin().
>
> -Klaus
>
> > After running tpmtoken_init, the token does seem to be initialized, but pkcsconf -t reports that the SO and user PINs still need to be changed:
> >
> > Token #0 Info:
> > Label: IBM PKCS#11 TPM Token
> > Manufacturer: IBM Corp.
> > Model: TPM v1.1 Token
> > Serial Number: 123
> > Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > Sessions: -1/-1
> > R/W Sessions: -1/-1
> > PIN Length: 6-127
> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > Hardware Version: 1.0
> > Firmware Version: 1.0
> > Time: 12:36:12 AM
> > Token #1 Info:
> > Label: IBM OS PKCS#11
> > Manufacturer: IBM Corp.
> > Model: IBM SoftTok
> > Serial Number: 123
> > Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > Sessions: -1/-1
> > R/W Sessions: -1/-1
> > PIN Length: 4-8
> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > Hardware Version: 1.0
> > Firmware Version: 1.0
> > Time: 12:36:12 AM
> >
> > When I run pkcsconf -P, I get a similar error:
> >
> > Enter the SO PIN: ********
> > Enter the new SO PIN: ********
> > Re-enter the new SO PIN: ********
> > Error setting PIN: 0x6
> >
> > I've tried a number of different things, and looked for answers in a number of places, but I haven't found anything that works yet. These are the steps I'm taking to initialize the TPM, TrouSerS, and openCryptoki:
> >
> > - sudo /sbin/modprobe tpm-tis
> > - sudo tcsd -f
> > - check: tpm_version should work
> > - sudo tpm_takeownership -y -z
> > - sudo tpm_createek (necessary? returns an error: "The TPM target command has been disabled")
> > - check: sudo tpm_getpubek -z should return a key
> > - sudo tpm_changeownerauth -o -r -z -l debug (necessary?)
> > - sudo tpm_changeownerauth -s -r -z -l debug (?)
> > - sudo tpm_restrictsrk -a -z
> > - check: sudo tpm_restrictsrk -s -z (should be readable w SRK auth)
> >
> > - sudo rm -rf /usr/local/var/lib/opencryptoki/*
> > - sudo /usr/local/etc/rc.d/init.d/pkcsslotd start
> > - check: ps uaxw | grep pkcsslotd
> > - check sudo pkcsconf -t
> >
> > - sudo tpmtoken_init -l debug
> >
> > I'm using the following versions, all installed from source:
> > - tpm-tools-1.3.5
> > - trousers-0.3.6
> > - opencryptoki-2.3.2
> >
> > This is on a CentOS 5.5 box, and the kernel reports itself as 2.6.18-194.17.4.el5. The tpm_* commands seem to work, and tpm_version reports:
> >
> > TPM 1.2 Version Info:
> > Chip Version: 1.2.7.0
> > Spec Level: 2
> > Errata Revision: 2
> > TPM Vendor ID: STM
> > TPM Version: 01010000
> > Manufacturer Info: 53544d20
> >
> > I don't know precisely what kind of chip that is, but this is a standard, recent Dell box (PE610, I believe).
> >
> > So. What am I doing wrong?
> >
> > Thanks!
> > -sq
>
> --
> Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
> Open Source Security blog : http://www.ratliff.net/blog
> IBM Linux Technology Center : http://www.ibm.com/linux/ltc
From: Klaus H. K. <kl...@li...> - 2010-11-11 17:34:21
On Sun, 7 Nov 2010 16:38:55 -0800 Sam Quigley <qu...@em...> wrote:

> Hi,
>
> I'm trying to use openCryptoki as a PKCS#11 interface to TrouSerS and an onboard TPM chip. However, I can't seem to get things working properly. I'm hoping someone here can point out what I'm doing wrong…
>
> Briefly, the problem seems to be that I can't change the SO PIN on the TPM Token. When I try to run tpmtoken_init, it reports an error:
>
> $ sudo tpmtoken_init -l debug
> C_GetFunctionList success
> C_Initialize success
> C_GetSlotList success
> Slots present: 2
> C_GetSlotList success
> Retrieving slot information for SlotID 0
> C_GetSlotInfo success
> Slot description: Linux 2.6.18-194.17.4.el5 Linux (TPM)
> Slot manufacturer: Linux 2.6.18-194.17.4.el5
> Token is present
> Retrieving token information for SlotID 0
> C_GetTokenInfo success
> Token Label: IBM PKCS#11 TPM Token
> Token manufacturer: IBM Corp.
> Token model: TPM v1.1 Token
> Token is initialized
> Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> Clear the TPM token data? [y/N]: y
> Enter the TPM security officer password:
> C_InitToken success
> C_OpenSession success
> C_Login success
> A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> Enter new password:
> Confirm password:
> C_SetPIN failed: 0x00000006 (6)
> C_CloseSession success
> C_Finalize success
> tpmtoken_init failed

I built the latest opencryptoki code with --enable-debug, and it seems that something is wrong with trousers? Adding Kent and Rajiv.

    [klausk@localhost opencryptoki]$ tpmtoken_init
    Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
    Clear the TPM token data? [y/N]: y
    Enter the TPM security officer password:
    LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
    LOG_ERR TPM_STDLL tpm_specific.c:208 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
    A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
    Enter new password:
    Confirm password:
    LOG_ERR TPM_STDLL tpm_specific.c:315 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
    LOG_ERR TPM_STDLL tpm_specific.c:1218 ERROR: token_wrap_sw_key failed. rc=0x1
    LOG_ERR TPM_STDLL tpm_specific.c:1888 ERROR: FAILED creating SO tree.
    ST MSG TPM_STDLL new_host.c:1224 whammy
    C_SetPIN failed: 0x00000006 (6)
    [klausk@localhost opencryptoki]$

Note that the "default" SO PIN (87654321) apparently allows tpmtoken_init to log in fine, problem is really with C_SetPin().

-Klaus

> After running tpmtoken_init, the token does seem to be initialized, but pkcsconf -t reports that the SO and user PINs still need to be changed:
>
> Token #0 Info:
> Label: IBM PKCS#11 TPM Token
> Manufacturer: IBM Corp.
> Model: TPM v1.1 Token
> Serial Number: 123
> Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> Sessions: -1/-1
> R/W Sessions: -1/-1
> PIN Length: 6-127
> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> Hardware Version: 1.0
> Firmware Version: 1.0
> Time: 12:36:12 AM
> Token #1 Info:
> Label: IBM OS PKCS#11
> Manufacturer: IBM Corp.
> Model: IBM SoftTok
> Serial Number: 123
> Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> Sessions: -1/-1
> R/W Sessions: -1/-1
> PIN Length: 4-8
> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> Hardware Version: 1.0
> Firmware Version: 1.0
> Time: 12:36:12 AM
>
> When I run pkcsconf -P, I get a similar error:
>
> Enter the SO PIN: ********
> Enter the new SO PIN: ********
> Re-enter the new SO PIN: ********
> Error setting PIN: 0x6
>
> I've tried a number of different things, and looked for answers in a number of places, but I haven't found anything that works yet. These are the steps I'm taking to initialize the TPM, TrouSerS, and openCryptoki:
>
> - sudo /sbin/modprobe tpm-tis
> - sudo tcsd -f
> - check: tpm_version should work
> - sudo tpm_takeownership -y -z
> - sudo tpm_createek (necessary? returns an error: "The TPM target command has been disabled")
> - check: sudo tpm_getpubek -z should return a key
> - sudo tpm_changeownerauth -o -r -z -l debug (necessary?)
> - sudo tpm_changeownerauth -s -r -z -l debug (?)
> - sudo tpm_restrictsrk -a -z
> - check: sudo tpm_restrictsrk -s -z (should be readable w SRK auth)
>
> - sudo rm -rf /usr/local/var/lib/opencryptoki/*
> - sudo /usr/local/etc/rc.d/init.d/pkcsslotd start
> - check: ps uaxw | grep pkcsslotd
> - check sudo pkcsconf -t
>
> - sudo tpmtoken_init -l debug
>
> I'm using the following versions, all installed from source:
> - tpm-tools-1.3.5
> - trousers-0.3.6
> - opencryptoki-2.3.2
>
> This is on a CentOS 5.5 box, and the kernel reports itself as 2.6.18-194.17.4.el5. The tpm_* commands seem to work, and tpm_version reports:
>
> TPM 1.2 Version Info:
> Chip Version: 1.2.7.0
> Spec Level: 2
> Errata Revision: 2
> TPM Vendor ID: STM
> TPM Version: 01010000
> Manufacturer Info: 53544d20
>
> I don't know precisely what kind of chip that is, but this is a standard, recent Dell box (PE610, I believe).
>
> So. What am I doing wrong?
>
> Thanks!
> -sq

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
From: Sam Q. <qu...@em...> - 2010-11-08 01:02:03
|
Hi,

I'm trying to use openCryptoki as a PKCS#11 interface to TrouSerS and an onboard TPM chip. However, I can't seem to get things working properly. I'm hoping someone here can point out what I'm doing wrong…

Briefly, the problem seems to be that I can't change the SO PIN on the TPM Token. When I try to run tpmtoken_init, it reports an error:

$ sudo tpmtoken_init -l debug
C_GetFunctionList success
C_Initialize success
C_GetSlotList success
Slots present: 2
C_GetSlotList success
Retrieving slot information for SlotID 0
C_GetSlotInfo success
Slot description: Linux 2.6.18-194.17.4.el5 Linux (TPM)
Slot manufacturer: Linux 2.6.18-194.17.4.el5
Token is present
Retrieving token information for SlotID 0
C_GetTokenInfo success
Token Label: IBM PKCS#11 TPM Token
Token manufacturer: IBM Corp.
Token model: TPM v1.1 Token
Token is initialized
Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
Clear the TPM token data? [y/N]: y
Enter the TPM security officer password:
C_InitToken success
C_OpenSession success
C_Login success
A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
Enter new password:
Confirm password:
C_SetPIN failed: 0x00000006 (6)
C_CloseSession success
C_Finalize success
tpmtoken_init failed

After running tpmtoken_init, the token does seem to be initialized, but pkcsconf -t reports that the SO and user PINs still need to be changed:

Token #0 Info:
Label: IBM PKCS#11 TPM Token
Manufacturer: IBM Corp.
Model: TPM v1.1 Token
Serial Number: 123
Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 6-127
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 12:36:12 AM

Token #1 Info:
Label: IBM OS PKCS#11
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 4-8
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 12:36:12 AM

When I run pkcsconf -P, I get a similar error:

Enter the SO PIN: ********
Enter the new SO PIN: ********
Re-enter the new SO PIN: ********
Error setting PIN: 0x6

I've tried a number of different things, and looked for answers in a number of places, but I haven't found anything that works yet. These are the steps I'm taking to initialize the TPM, TrouSerS, and openCryptoki:

- sudo /sbin/modprobe tpm-tis
- sudo tcsd -f
- check: tpm_version should work
- sudo tpm_takeownership -y -z
- sudo tpm_createek (necessary? returns an error: "The TPM target command has been disabled")
- check: sudo tpm_getpubek -z should return a key
- sudo tpm_changeownerauth -o -r -z -l debug (necessary?)
- sudo tpm_changeownerauth -s -r -z -l debug (?)
- sudo tpm_restrictsrk -a -z
- check: sudo tpm_restrictsrk -s -z (should be readable w SRK auth)

- sudo rm -rf /usr/local/var/lib/opencryptoki/*
- sudo /usr/local/etc/rc.d/init.d/pkcsslotd start
- check: ps uaxw | grep pkcsslotd
- check sudo pkcsconf -t

- sudo tpmtoken_init -l debug

I'm using the following versions, all installed from source:
- tpm-tools-1.3.5
- trousers-0.3.6
- opencryptoki-2.3.2

This is on a CentOS 5.5 box, and the kernel reports itself as 2.6.18-194.17.4.el5. The tpm_* commands seem to work, and tpm_version reports:

TPM 1.2 Version Info:
Chip Version: 1.2.7.0
Spec Level: 2
Errata Revision: 2
TPM Vendor ID: STM
TPM Version: 01010000
Manufacturer Info: 53544d20

I don't know precisely what kind of chip that is, but this is a standard, recent Dell box (PE610, I believe).

So. What am I doing wrong?

Thanks!
-sq
|
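Decoding the `Flags:` values and return codes quoted in this thread, as an added example that is not part of the original post: it parses `pkcsconf -t` output, checks the printed flag names against the hex value, and reports what state each token is in. The flag bits and CK_RV values are those of the PKCS#11 specification; the function names and the trimmed sample input are constructed here.

```python
import re

# CK_TOKEN_INFO.flags bits as defined by the PKCS#11 specification.
# Names are the CKF_ constants without the prefix; that pkcsconf prints every
# flag this way is an assumption beyond the six names visible in the post.
TOKEN_FLAGS = [
    (0x00000001, "RNG"),
    (0x00000002, "WRITE_PROTECTED"),
    (0x00000004, "LOGIN_REQUIRED"),
    (0x00000008, "USER_PIN_INITIALIZED"),
    (0x00000020, "RESTORE_KEY_NOT_NEEDED"),
    (0x00000040, "CLOCK_ON_TOKEN"),
    (0x00000100, "PROTECTED_AUTHENTICATION_PATH"),
    (0x00000200, "DUAL_CRYPTO_OPERATIONS"),
    (0x00000400, "TOKEN_INITIALIZED"),
    (0x00000800, "SECONDARY_AUTHENTICATION"),
    (0x00010000, "USER_PIN_COUNT_LOW"),
    (0x00020000, "USER_PIN_FINAL_TRY"),
    (0x00040000, "USER_PIN_LOCKED"),
    (0x00080000, "USER_PIN_TO_BE_CHANGED"),
    (0x00100000, "SO_PIN_COUNT_LOW"),
    (0x00200000, "SO_PIN_FINAL_TRY"),
    (0x00400000, "SO_PIN_LOCKED"),
    (0x00800000, "SO_PIN_TO_BE_CHANGED"),
]

# CK_RV values quoted in this thread.
CKR_NAMES = {0x02: "CKR_HOST_MEMORY", 0x06: "CKR_FUNCTION_FAILED", 0xA4: "CKR_PIN_LOCKED"}

# Constructed sample: the two token entries from the post, trimmed to the
# fields the parser reads and laid out one field per line.
SAMPLE = """\
Token #0 Info:
    Label: IBM PKCS#11 TPM Token
    Model: TPM v1.1 Token
    Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Token #1 Info:
    Label: IBM OS PKCS#11
    Model: IBM SoftTok
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
"""


def decode_flags(value):
    """Return (names, unknown_bits) for a CK_TOKEN_INFO.flags value."""
    names = [name for bit, name in TOKEN_FLAGS if value & bit]
    known = 0
    for bit, _ in TOKEN_FLAGS:
        known |= bit
    return names, value & ~known


def ckr_name(code):
    """Name a CK_RV value, limited to the codes that appear in this thread."""
    return CKR_NAMES.get(code, "unlisted CK_RV 0x%X" % code)


def parse_pkcsconf_tokens(text):
    """Split `pkcsconf -t` output into one dict per 'Token #N Info:' block."""
    tokens, current = [], None
    for line in text.splitlines():
        header = re.match(r"\s*Token #(\d+) Info:", line)
        if header:
            current = {"slot": int(header.group(1))}
            tokens.append(current)
            continue
        field = re.match(r"\s*([A-Za-z/ ]+?):\s*(.*)$", line)
        if current is None or not field:
            continue
        key, value = field.group(1), field.group(2).strip()
        if key == "Flags":
            m = re.match(r"(0x[0-9A-Fa-f]+)(?:\s*\(([^)]*)\))?", value)
            if m:
                current["flags"] = int(m.group(1), 16)
                current["printed"] = set(filter(None, (m.group(2) or "").split("|")))
        else:
            current[key.lower()] = value
    return tokens


def assess(token):
    """List what still stands between this token and normal use."""
    if "flags" not in token:
        return ["no Flags line found"]
    names, unknown = decode_flags(token["flags"])
    findings = []
    if token["printed"] and token["printed"] != set(names):
        findings.append("printed flag names do not match the hex value")
    if unknown:
        findings.append("unknown flag bits 0x%X" % unknown)
    if "TOKEN_INITIALIZED" not in names:
        findings.append("token not initialized")
    if "SO_PIN_TO_BE_CHANGED" in names:
        findings.append("SO PIN still has to be changed")
    if "USER_PIN_TO_BE_CHANGED" in names:
        findings.append("user PIN still has to be changed")
    for who in ("SO", "USER"):
        if who + "_PIN_LOCKED" in names:
            findings.append(who + " PIN locked")
    return findings


if __name__ == "__main__":
    for tok in parse_pkcsconf_tokens(SAMPLE):
        state = "; ".join(assess(tok)) or "ready"
        print("Token #%d (%s): %s" % (tok["slot"], tok["label"], state))
    for code in (0x2, 0x6, 0xA4):
        print("0x%X = %s" % (code, ckr_name(code)))
```

Run against real `pkcsconf -t` output, a token that reports no findings has been initialized and has had both PINs changed.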
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-29 22:02:52
|
Thanks for the info Klaus. One question: did you install the packages from the FC repository or did you build them from source?

Alex

-----Original Message-----
From: Klaus Heinrich Kiwi [mailto:kl...@li...]
Sent: Thursday, July 29, 2010 1:58 PM
To: Kent Yoder
Cc: Alexander Loukissas (aloukiss); ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

On Tue, 27 Jul 2010 12:19:45 -0500 Kent Yoder <shp...@gm...> wrote:
> Hi Alex,
>
> One thing I noticed today is that reinstalling from source while
> pkcsslotd is running will give you CKR_HOST_MEMORY (0x2) errors until
> you restart pkcsslotd.
>
> Kent
>
> 2010/7/21 Alexander Loukissas (aloukiss) <alo...@ci...>:
> > Hi guys,
> >
> > Perhaps any further insight to this issue?
> >
> > Thanks
> > Alex
> >

Alexander,

I've just tested against Fedora 13 in my laptop (Lenovo T61), and appears to be working as expected. The process was really:

* Enable TPM in BIOS. Power-cycle (this is important). TPM is cleared upon next boot
* Install trousers. Start tcsd service. tpm_atmel.ko is automatically loaded
* Install opencryptoki and opencryptoki-libs. Run pkcs11_startup. Start pkcsslotd service
* pkcsconf -t should show the software token and the TPM token, both with flags indicating it as still un-initialized.
* use tpm_takeownership. Press enter to both passwords to set them to null.
* use tpmtoken_init
* pkcsconf -t should now report the TPM token as initialized. You can now start using it.

Like I said, appears to be working fine here.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-29 21:53:46
|
Great thanks, this is what I have also. It seemed to have worked!

Alex

-----Original Message-----
From: Klaus Heinrich Kiwi [mailto:kl...@li...]
Sent: Thursday, July 29, 2010 2:48 PM
To: Alexander Loukissas (aloukiss); Kent Yoder
Cc: ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

On Thu, 29 Jul 2010 16:27:49 -0500 "Alexander Loukissas (aloukiss)" <alo...@ci...> wrote:
> Thanks for the info Klaus. One question: did you install the packages
> from the FC repository or did you build them from source?
>
> Alex

All stock F13 packages, x86_64 arch. Specific versions below:

klausk@klausk:~$ rpm -qa | grep trousers
trousers-0.3.4-2.fc13.x86_64
trousers-devel-0.3.4-2.fc13.x86_64
klausk@klausk:~$ rpm -qa | grep tpm-tools
tpm-tools-pkcs11-1.3.5-2.fc13.x86_64
tpm-tools-devel-1.3.5-2.fc13.x86_64
tpm-tools-1.3.5-2.fc13.x86_64
klausk@klausk:~$ rpm -qa | grep opencryptoki
opencryptoki-devel-2.3.1-6.fc13.x86_64
opencryptoki-2.3.1-6.fc13.x86_64
opencryptoki-libs-2.3.1-6.fc13.x86_64

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: Klaus H. K. <kl...@li...> - 2010-07-29 21:47:55
|
On Thu, 29 Jul 2010 16:27:49 -0500 "Alexander Loukissas (aloukiss)" <alo...@ci...> wrote:
> Thanks for the info Klaus. One question: did you install the packages
> from the FC repository or did you build them from source?
>
> Alex

All stock F13 packages, x86_64 arch. Specific versions below:

klausk@klausk:~$ rpm -qa | grep trousers
trousers-0.3.4-2.fc13.x86_64
trousers-devel-0.3.4-2.fc13.x86_64
klausk@klausk:~$ rpm -qa | grep tpm-tools
tpm-tools-pkcs11-1.3.5-2.fc13.x86_64
tpm-tools-devel-1.3.5-2.fc13.x86_64
tpm-tools-1.3.5-2.fc13.x86_64
klausk@klausk:~$ rpm -qa | grep opencryptoki
opencryptoki-devel-2.3.1-6.fc13.x86_64
opencryptoki-2.3.1-6.fc13.x86_64
opencryptoki-libs-2.3.1-6.fc13.x86_64

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: Klaus H. K. <kl...@li...> - 2010-07-29 20:57:56
|
On Tue, 27 Jul 2010 12:19:45 -0500 Kent Yoder <shp...@gm...> wrote:
> Hi Alex,
>
> One thing I noticed today is that reinstalling from source while
> pkcsslotd is running will give you CKR_HOST_MEMORY (0x2) errors until
> you restart pkcsslotd.
>
> Kent
>
> 2010/7/21 Alexander Loukissas (aloukiss) <alo...@ci...>:
> > Hi guys,
> >
> > Perhaps any further insight to this issue?
> >
> > Thanks
> > Alex
> >

Alexander,

I've just tested against Fedora 13 in my laptop (Lenovo T61), and appears to be working as expected. The process was really:

* Enable TPM in BIOS. Power-cycle (this is important). TPM is cleared upon next boot
* Install trousers. Start tcsd service. tpm_atmel.ko is automatically loaded
* Install opencryptoki and opencryptoki-libs. Run pkcs11_startup. Start pkcsslotd service
* pkcsconf -t should show the software token and the TPM token, both with flags indicating it as still un-initialized.
* use tpm_takeownership. Press enter to both passwords to set them to null.
* use tpmtoken_init
* pkcsconf -t should now report the TPM token as initialized. You can now start using it.

Like I said, appears to be working fine here.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: Klaus H. K. <kl...@li...> - 2010-07-29 13:07:39
|
http://sourceforge.net/news/?group_id=128009&id=289803

The Opencryptoki team is pleased to announce a new opencryptoki release: v2.3.2.

Please download the source from our sourceforge project page:
https://sourceforge.net/projects/opencryptoki/files/opencryptoki/2.3.2/

A short summary of changes:

* opencryptoki-2.3.2 (Jul 29 2010)
  - Significant clean-ups to the building and packaging systems and many small fixes by Klaus Heinrich Kiwi <kl...@li...>
  - Various minor fixes to slot daemon and init script by Dan Horák <da...@da...>
  - Some RSA PKCS#1 v1.5 padding clean-ups by Ramon de Carvalho Valle <rc...@li...>
  - Human-readable flags output to pkcsconf, some minor soft-token fixes by Kent Yoder <ke...@li...>
  - Improved overall session/object look-up performance. Note that this change might crash buggy callers with badly-written session/object handle tracking - Klaus Heinrich Kiwi <kl...@li...>

A complete log can be found in the git log (unfortunately, due to the transition between CVS and git, we didn't have any tag information to compare to. This version was tagged as 'v2.3.2', future versions should be tagged as well).

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: Kent Y. <shp...@gm...> - 2010-07-27 17:19:53
|
Hi Alex,

One thing I noticed today is that reinstalling from source while pkcsslotd is running will give you CKR_HOST_MEMORY (0x2) errors until you restart pkcsslotd.

Kent

2010/7/21 Alexander Loukissas (aloukiss) <alo...@ci...>:
> Hi guys,
>
> Perhaps any further insight to this issue?
>
> Thanks
> Alex
>
> -----Original Message-----
> From: Kent Yoder [mailto:shp...@gm...]
> Sent: Tuesday, July 20, 2010 9:46 AM
> To: Alexander Loukissas (aloukiss)
> Cc: Klaus Heinrich Kiwi; ope...@li...
> Subject: Re: [opencryptoki-users] error initializing token
>
> The TPM token code shows:
>
> Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_PLAIN, 0, NULL)
>
> So this would be NULL... I assume this was done for convenience -- I
> don't think the well-known secret options existed in tpm-tools at that
> time...
>
> On Tue, Jul 20, 2010 at 11:43 AM, Alexander Loukissas (aloukiss)
> <alo...@ci...> wrote:
>> I'm also confused. Should the secret be set to well-known or null?
>>
>> Alex
>>
>> -----Original Message-----
>> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
>> Sent: Tuesday, July 20, 2010 9:34 AM
>> To: Kent Yoder
>> Cc: Alexander Loukissas (aloukiss); ope...@li...
>> Subject: Re: [opencryptoki-users] error initializing token
>>
>> On Tue, 2010-07-20 at 11:23 -0500, Kent Yoder wrote:
>>> This is likely the TPM's SRK failing to load. The TPM Token will try
>>> to load the SRK using a NULL password. IIRC this can be set by just
>>> hitting enter when prompted for the password in tpm_changeownerauth
>>> -s.
>>
>> I'm confused now. What is the tpm token really expecting?
>> - null owner secret?
>> - 'well known' owner secret? i.e., tpm_takeownership -y
>> - 'well known' srk secret? i.e., tpm_takeownership -z
>>
>> I'm assuming that 'null password' is different than '20 bytes of
>> zero' (the 'well-known-secret').
>>
>> Thanks,
>>
>> -Klaus
>> --
>> Klaus Heinrich Kiwi | kl...@br...
>> IBM LTC Security Development | http://blog.klauskiwi.com
>> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
>>
|
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-21 23:58:45
|
Hi guys,

Perhaps any further insight to this issue?

Thanks
Alex

-----Original Message-----
From: Kent Yoder [mailto:shp...@gm...]
Sent: Tuesday, July 20, 2010 9:46 AM
To: Alexander Loukissas (aloukiss)
Cc: Klaus Heinrich Kiwi; ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

The TPM token code shows:

Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_PLAIN, 0, NULL)

So this would be NULL... I assume this was done for convenience -- I don't think the well-known secret options existed in tpm-tools at that time...

On Tue, Jul 20, 2010 at 11:43 AM, Alexander Loukissas (aloukiss) <alo...@ci...> wrote:
> I'm also confused. Should the secret be set to well-known or null?
>
> Alex
>
> -----Original Message-----
> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
> Sent: Tuesday, July 20, 2010 9:34 AM
> To: Kent Yoder
> Cc: Alexander Loukissas (aloukiss); ope...@li...
> Subject: Re: [opencryptoki-users] error initializing token
>
> On Tue, 2010-07-20 at 11:23 -0500, Kent Yoder wrote:
>> This is likely the TPM's SRK failing to load. The TPM Token will try
>> to load the SRK using a NULL password. IIRC this can be set by just
>> hitting enter when prompted for the password in tpm_changeownerauth
>> -s.
>
> I'm confused now. What is the tpm token really expecting?
> - null owner secret?
> - 'well known' owner secret? i.e., tpm_takeownership -y
> - 'well known' srk secret? i.e., tpm_takeownership -z
>
> I'm assuming that 'null password' is different than '20 bytes of
> zero' (the 'well-known-secret').
>
> Thanks,
>
> -Klaus
> --
> Klaus Heinrich Kiwi | kl...@br...
> IBM LTC Security Development | http://blog.klauskiwi.com
> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
>
|
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 16:51:02
|
Changing both passwords to null doesn't change anything. Also, when running tpmtoken_init for a second time for the specific user, the error again is as earlier:

C_Initialize failed: 0x00000002 (2)

Thanks
Alex

-----Original Message-----
From: Kent Yoder [mailto:shp...@gm...]
Sent: Tuesday, July 20, 2010 9:46 AM
To: Alexander Loukissas (aloukiss)
Cc: Klaus Heinrich Kiwi; ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

The TPM token code shows:

Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_PLAIN, 0, NULL)

So this would be NULL... I assume this was done for convenience -- I don't think the well-known secret options existed in tpm-tools at that time...

On Tue, Jul 20, 2010 at 11:43 AM, Alexander Loukissas (aloukiss) <alo...@ci...> wrote:
> I'm also confused. Should the secret be set to well-known or null?
>
> Alex
>
> -----Original Message-----
> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
> Sent: Tuesday, July 20, 2010 9:34 AM
> To: Kent Yoder
> Cc: Alexander Loukissas (aloukiss); ope...@li...
> Subject: Re: [opencryptoki-users] error initializing token
>
> On Tue, 2010-07-20 at 11:23 -0500, Kent Yoder wrote:
>> This is likely the TPM's SRK failing to load. The TPM Token will try
>> to load the SRK using a NULL password. IIRC this can be set by just
>> hitting enter when prompted for the password in tpm_changeownerauth
>> -s.
>
> I'm confused now. What is the tpm token really expecting?
> - null owner secret?
> - 'well known' owner secret? i.e., tpm_takeownership -y
> - 'well known' srk secret? i.e., tpm_takeownership -z
>
> I'm assuming that 'null password' is different than '20 bytes of
> zero' (the 'well-known-secret').
>
> Thanks,
>
> -Klaus
> --
> Klaus Heinrich Kiwi | kl...@br...
> IBM LTC Security Development | http://blog.klauskiwi.com
> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
>
|
From: Kent Y. <shp...@gm...> - 2010-07-20 16:46:25
|
The TPM token code shows:

Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_PLAIN, 0, NULL)

So this would be NULL... I assume this was done for convenience -- I don't think the well-known secret options existed in tpm-tools at that time...

On Tue, Jul 20, 2010 at 11:43 AM, Alexander Loukissas (aloukiss) <alo...@ci...> wrote:
> I'm also confused. Should the secret be set to well-known or null?
>
> Alex
>
> -----Original Message-----
> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
> Sent: Tuesday, July 20, 2010 9:34 AM
> To: Kent Yoder
> Cc: Alexander Loukissas (aloukiss); ope...@li...
> Subject: Re: [opencryptoki-users] error initializing token
>
> On Tue, 2010-07-20 at 11:23 -0500, Kent Yoder wrote:
>> This is likely the TPM's SRK failing to load. The TPM Token will try
>> to load the SRK using a NULL password. IIRC this can be set by just
>> hitting enter when prompted for the password in tpm_changeownerauth
>> -s.
>
> I'm confused now. What is the tpm token really expecting?
> - null owner secret?
> - 'well known' owner secret? i.e., tpm_takeownership -y
> - 'well known' srk secret? i.e., tpm_takeownership -z
>
> I'm assuming that 'null password' is different than '20 bytes of
> zero' (the 'well-known-secret').
>
> Thanks,
>
> -Klaus
> --
> Klaus Heinrich Kiwi | kl...@br...
> IBM LTC Security Development | http://blog.klauskiwi.com
> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
>
|
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 16:43:19
|
I'm also confused. Should the secret be set to well-known or null?

Alex

-----Original Message-----
From: Klaus Heinrich Kiwi [mailto:kl...@li...]
Sent: Tuesday, July 20, 2010 9:34 AM
To: Kent Yoder
Cc: Alexander Loukissas (aloukiss); ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

On Tue, 2010-07-20 at 11:23 -0500, Kent Yoder wrote:
> This is likely the TPM's SRK failing to load. The TPM Token will try
> to load the SRK using a NULL password. IIRC this can be set by just
> hitting enter when prompted for the password in tpm_changeownerauth
> -s.

I'm confused now. What is the tpm token really expecting?
- null owner secret?
- 'well known' owner secret? i.e., tpm_takeownership -y
- 'well known' srk secret? i.e., tpm_takeownership -z

I'm assuming that 'null password' is different than '20 bytes of zero' (the 'well-known-secret').

Thanks,

-Klaus

--
Klaus Heinrich Kiwi | kl...@br...
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
|
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 16:42:30
|
Hi Klaus,

1. The TPM token appears under /var/lib/opencryptoki/tpm/ where there's a sub-directory for both users I've run the "tpmtoken_init" command
2. I've restarted pkcsslotd multiple times.
3. All shared libraries appear to be fine.
4. I'm running the opencryptoki from FC13 repos.

Thanks,
Alex

-----Original Message-----
From: Klaus Heinrich Kiwi [mailto:kl...@li...]
Sent: Tuesday, July 20, 2010 9:28 AM
To: Kent Yoder
Cc: Alexander Loukissas (aloukiss); ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

On Tue, 2010-07-20 at 11:11 -0500, Kent Yoder wrote:
> Hmm, there are really only 2 reasons why that should fail... Does
> `id` show your user in the pkcs11 group? Sometimes that requires a
> logout/login to take effect?

Other things to try:
- re-run pkcs11_startup, check %{localstatedir}/lib/opencryptoki/pk_config_data, make sure the TPM token is in there.
- kill pkcsslotd, remove possible shared memory leftovers with ipcrm, restart pkcsslotd
- check if libopencryptoki.so, libpkcs11_tpm.so.0 and all of the trousers shared libraries are present in the loader cache (ldconfig -p)

Also, are you able to run pkcsconf? What is your 'pkcsconf -t' output?

Are you running a released version or from git? If everything else fails, give me 10 minutes and try pulling from the 'opencryptoki-next' branch. I'm committing a couple of fixes right now.

Thanks,

-Klaus

> 2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
> > Yup, there's a message saying:
> >
> > openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory
> >
> > This appears each time I run the tpmtoken_init command.
> >
> > Alex
> >

--
Klaus Heinrich Kiwi | kl...@br...
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
|
From: Klaus H. K. <kl...@li...> - 2010-07-20 16:34:21
|
On Tue, 2010-07-20 at 11:23 -0500, Kent Yoder wrote:
> This is likely the TPM's SRK failing to load. The TPM Token will try
> to load the SRK using a NULL password. IIRC this can be set by just
> hitting enter when prompted for the password in tpm_changeownerauth
> -s.

I'm confused now. What is the tpm token really expecting?
- null owner secret?
- 'well known' owner secret? i.e., tpm_takeownership -y
- 'well known' srk secret? i.e., tpm_takeownership -z

I'm assuming that 'null password' is different than '20 bytes of zero' (the 'well-known-secret').

Thanks,

-Klaus

--
Klaus Heinrich Kiwi | kl...@br...
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
|
From: Klaus H. K. <kl...@li...> - 2010-07-20 16:28:11
|
On Tue, 2010-07-20 at 11:11 -0500, Kent Yoder wrote:
> Hmm, there are really only 2 reasons why that should fail... Does
> `id` show your user in the pkcs11 group? Sometimes that requires a
> logout/login to take effect?

Other things to try:
- re-run pkcs11_startup, check %{localstatedir}/lib/opencryptoki/pk_config_data, make sure the TPM token is in there.
- kill pkcsslotd, remove possible shared memory leftovers with ipcrm, restart pkcsslotd
- check if libopencryptoki.so, libpkcs11_tpm.so.0 and all of the trousers shared libraries are present in the loader cache (ldconfig -p)

Also, are you able to run pkcsconf? What is your 'pkcsconf -t' output?

Are you running a released version or from git? If everything else fails, give me 10 minutes and try pulling from the 'opencryptoki-next' branch. I'm committing a couple of fixes right now.

Thanks,

-Klaus

> 2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
> > Yup, there's a message saying:
> >
> > openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory
> >
> > This appears each time I run the tpmtoken_init command.
> >
> > Alex
> >

--
Klaus Heinrich Kiwi | kl...@br...
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
|
From: Kent Y. <shp...@gm...> - 2010-07-20 16:23:28
|
This is likely the TPM's SRK failing to load. The TPM Token will try to load the SRK using a NULL password. IIRC this can be set by just hitting enter when prompted for the password in tpm_changeownerauth -s.

2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
> Actually a re-login was needed. However, now I get a different error:
>
> C_SetPIN failed: 0x00000006 (6)
>
> Alex
>
> -----Original Message-----
> From: Kent Yoder [mailto:shp...@gm...]
> Sent: Tuesday, July 20, 2010 9:12 AM
> To: Alexander Loukissas (aloukiss)
> Cc: Klaus Heinrich Kiwi; ope...@li...
> Subject: Re: [opencryptoki-users] error initializing token
>
> Hmm, there are really only 2 reasons why that should fail... Does
> `id` show your user in the pkcs11 group? Sometimes that requires a
> logout/login to take effect?
>
> 2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
>> Yup, there's a message saying:
>>
>> openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory
>>
>> This appears each time I run the tpmtoken_init command.
>>
>> Alex
>>
>> -----Original Message-----
>> From: Kent Yoder [mailto:shp...@gm...]
>> Sent: Tuesday, July 20, 2010 9:04 AM
>> To: Alexander Loukissas (aloukiss)
>> Cc: Klaus Heinrich Kiwi; ope...@li...
>> Subject: Re: [opencryptoki-users] error initializing token
>>
>> Are there any messages in /var/log/messages?
>>
>> If you've installed packages from a distro, can you install the
>> debugging rpms, export PKCS11_API_LOG_DEBUG=1, then try again and see
>> if anything is logged.
>>
>> If you've installed from source, you'd need to configure
>> --enable-debug, then make, make install and export the env var above.
>>
>> 2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
>>> Both of these are true already, but still the error appears.
>>>
>>> Alex
>>>
>>> -----Original Message-----
>>> From: Kent Yoder [mailto:shp...@gm...]
>>> Sent: Tuesday, July 20, 2010 8:24 AM
>>> To: Alexander Loukissas (aloukiss)
>>> Cc: Klaus Heinrich Kiwi; ope...@li...
>>> Subject: Re: [opencryptoki-users] error initializing token
>>>
>>> Hi Alex,
>>>
>>> Make sure pkcsslotd is running and that the user executing this
>>> command is a member of the pkcs11 group.
>>>
>>> Kent
>>>
>>> On Tue, Jul 20, 2010 at 9:48 AM, Alexander Loukissas (aloukiss)
>>> <alo...@ci...> wrote:
>>>> Thanks Klaus,
>>>>
>>>> I've actually tried doing what you've suggested but I still can't make it to work. In more detail, I get an error message when running the tpmtoken_init: C_Initialize failed: 0x00000002 (2).
>>>>
>>>> Any ideas on that?
>>>>
>>>> Thanks
>>>> Alex
>>>>
>>>> -----Original Message-----
>>>> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
>>>> Sent: Monday, July 19, 2010 6:47 PM
>>>> To: Alexander Loukissas (aloukiss)
>>>> Cc: ope...@li...
>>>> Subject: Re: [opencryptoki-users] error initializing token
>>>>
>>>> On Mon, 2010-07-19 at 17:18 -0500, Alexander Loukissas (aloukiss) wrote:
>>>>> Hello,
>>>>>
>>>>> I've been playing around with opencryptoki and I've been seeing some
>>>>> issues initializing the TPM token (token #0) on my machine. When running
>>>>> "pkcsconf -I -c 0", I enter "87654321" as the SO PIN but I get "Error
>>>>> initializing token: 0xA4". Looking up the header files in the
>>>>> opencryptoki package, I found that this error corresponds to a
>>>>> "CKR_PIN_LOCKED" error in usr/include/pkcs11/pkcs11types.h
>>>>>
>>>>> In more detail, I do exactly what is described here:
>>>>> http://www.mail-archive.com/lin...@vm.../msg53084.html
>>>>>
>>>>> When trying the exact same steps for the soft token (token #1), all
>>>>> succeeds and I end up with the (correct) flags 0x44D on that token.
>>>>>
>>>>> Would anyone have an idea where this problem could be coming from? I've
>>>>> tried to clear out the TPM entirely from the BIOS, reclaim ownership,
>>>>> etc, but it didn't help.
>>>>>
>>>>> For reference, I'm using an Intel DQ57TM motherboard with an on-board
>>>>> TPM and Fedora Core 13.
>>>>
>>>> Hi Alexander. Thank you for your contact.
>>>>
>>>> Please try these instructions and let us know:
>>>> http://trousers.sourceforge.net/pkcs11.html
>>>>
>>>> Basically, you'll need to set the SRK passphrase in your TPM to the
>>>> "well-known password" (or something like it), that is, all zeros (there
>>>> are switches for that in the tpm tools - see their man pages).
>>>>
>>>> After that, use "tpmtoken_init" to initialize token.
>>>>
>>>> We know it's counter-intuitive to not use the pkcsconf utility like we
>>>> are able to in other tokens, but currently, due to the way the tpm token
>>>> is built, we have no way of doing that relying solely on the PKCS#11
>>>> API.
>>>>
>>>> -Klaus
>>>>
>>>>> Thanks,
>>>>>
>>>>> Alexander Loukissas
>>>>
>>>> --
>>>> Klaus Heinrich Kiwi | kl...@br...
>>>> IBM LTC Security Development | http://blog.klauskiwi.com
>>>> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
>>>>
|
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 16:18:25
|
Actually a re-login was needed. However, now I get a different error:

C_SetPIN failed: 0x00000006 (6)

Alex

-----Original Message-----
From: Kent Yoder [mailto:shp...@gm...]
Sent: Tuesday, July 20, 2010 9:12 AM
To: Alexander Loukissas (aloukiss)
Cc: Klaus Heinrich Kiwi; ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

Hmm, there are really only 2 reasons why that should fail... Does `id` show your user in the pkcs11 group? Sometimes that requires a logout/login to take effect?

2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
> Yup, there's a message saying:
>
> openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory
>
> This appears each time I run the tpmtoken_init command.
>
> Alex
>
> -----Original Message-----
> From: Kent Yoder [mailto:shp...@gm...]
> Sent: Tuesday, July 20, 2010 9:04 AM
> To: Alexander Loukissas (aloukiss)
> Cc: Klaus Heinrich Kiwi; ope...@li...
> Subject: Re: [opencryptoki-users] error initializing token
>
> Are there any messages in /var/log/messages?
>
> If you've installed packages from a distro, can you install the
> debugging rpms, export PKCS11_API_LOG_DEBUG=1, then try again and see
> if anything is logged.
>
> If you've installed from source, you'd need to configure
> --enable-debug, then make, make install and export the env var above.
>
> 2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
>> Both of these are true already, but still the error appears.
>>
>> Alex
>>
>> -----Original Message-----
>> From: Kent Yoder [mailto:shp...@gm...]
>> Sent: Tuesday, July 20, 2010 8:24 AM
>> To: Alexander Loukissas (aloukiss)
>> Cc: Klaus Heinrich Kiwi; ope...@li...
>> Subject: Re: [opencryptoki-users] error initializing token
>>
>> Hi Alex,
>>
>> Make sure pkcsslotd is running and that the user executing this
>> command is a member of the pkcs11 group.
>>
>> Kent
>>
>> On Tue, Jul 20, 2010 at 9:48 AM, Alexander Loukissas (aloukiss)
>> <alo...@ci...> wrote:
>>> Thanks Klaus,
>>>
>>> I've actually tried doing what you've suggested but I still can't make it to work. In more detail, I get an error message when running the tpmtoken_init: C_Initialize failed: 0x00000002 (2).
>>>
>>> Any ideas on that?
>>>
>>> Thanks
>>> Alex
>>>
>>> -----Original Message-----
>>> From: Klaus Heinrich Kiwi [mailto:kl...@li...]
>>> Sent: Monday, July 19, 2010 6:47 PM
>>> To: Alexander Loukissas (aloukiss)
>>> Cc: ope...@li...
>>> Subject: Re: [opencryptoki-users] error initializing token
>>>
>>> On Mon, 2010-07-19 at 17:18 -0500, Alexander Loukissas (aloukiss) wrote:
>>>> Hello,
>>>>
>>>> I've been playing around with opencryptoki and I've been seeing some
>>>> issues initializing the TPM token (token #0) on my machine. When running
>>>> "pkcsconf -I -c 0", I enter "87654321" as the SO PIN but I get "Error
>>>> initializing token: 0xA4". Looking up the header files in the
>>>> opencryptoki package, I found that this error corresponds to a
>>>> "CKR_PIN_LOCKED" error in usr/include/pkcs11/pkcs11types.h
>>>>
>>>> In more detail, I do exactly what is described here:
>>>> http://www.mail-archive.com/lin...@vm.../msg53084.html
>>>>
>>>> When trying the exact same steps for the soft token (token #1), all
>>>> succeeds and I end up with the (correct) flags 0x44D on that token.
>>>>
>>>> Would anyone have an idea where this problem could be coming from? I've
>>>> tried to clear out the TPM entirely from the BIOS, reclaim ownership,
>>>> etc, but it didn't help.
>>>>
>>>> For reference, I'm using an Intel DQ57TM motherboard with an on-board
>>>> TPM and Fedora Core 13.
>>>
>>> Hi Alexander. Thank you for your contact.
>>>
>>> Please try these instructions and let us know:
>>> http://trousers.sourceforge.net/pkcs11.html
>>>
>>> Basically, you'll need to set the SRK passphrase in your TPM to the
>>> "well-known password" (or something like it), that is, all zeros (there
>>> are switches for that in the tpm tools - see their man pages).
>>>
>>> After that, use "tpmtoken_init" to initialize token.
>>>
>>> We know it's counter-intuitive to not use the pkcsconf utility like we
>>> are able to in other tokens, but currently, due to the way the tpm token
>>> is built, we have no way of doing that relying solely on the PKCS#11
>>> API.
>>>
>>> -Klaus
>>>
>>>> Thanks,
>>>>
>>>> Alexander Loukissas
>>>
>>> --
>>> Klaus Heinrich Kiwi | kl...@br...
>>> IBM LTC Security Development | http://blog.klauskiwi.com
>>> http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
>>>
|
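The group-membership question and the loader-cache check from this thread, as an added example that is not part of any post here: it separates "listed in the group database" from "carried by the running session", which is the re-login case reported above, and scans `ldconfig -p` output for the libraries Klaus names. The function names, the sample user and gids, the sample cache excerpt, and the use of `libtspi.so` to stand for the trousers libraries are assumptions of this example.

```python
import grp
import os
import pwd

# Libraries from Klaus's loader-cache check. "libtspi.so" standing in for
# "the trousers shared libraries" is an assumption of this example.
WANTED_LIBS = ["libopencryptoki.so", "libpkcs11_tpm.so.0", "libtspi.so"]

# Constructed `ldconfig -p` excerpt in which the TPM token library is missing.
SAMPLE_LDCONFIG = """\
\tlibtspi.so.1 (libc6,x86-64) => /usr/lib64/libtspi.so.1
\tlibopencryptoki.so.0 (libc6,x86-64) => /usr/lib64/libopencryptoki.so.0
\tlibopencryptoki.so (libc6,x86-64) => /usr/lib64/libopencryptoki.so
"""


def group_access(user, primary_gid, process_gids, group_gid, group_members):
    """Classify a user's standing in the pkcs11 group.

    "ok"         - the running process already carries the group
    "relogin"    - the group database grants it, but this session was started
                   before the change, so the process credentials lack it
    "not-member" - the user has to be added to the group first
    """
    if group_gid in process_gids:
        return "ok"
    if user in group_members or primary_gid == group_gid:
        return "relogin"
    return "not-member"


def check_current_user(group_name="pkcs11"):
    """Run group_access() against the live system for the calling user."""
    try:
        group = grp.getgrnam(group_name)
    except KeyError:
        return "no-such-group"
    try:
        account = pwd.getpwuid(os.getuid())
        user, primary = account.pw_name, account.pw_gid
    except KeyError:  # uid without a passwd entry, e.g. inside a container
        user, primary = None, os.getgid()
    gids = set(os.getgroups()) | {os.getegid()}
    return group_access(user, primary, gids, group.gr_gid, group.gr_mem)


def missing_libraries(ldconfig_output, wanted=WANTED_LIBS):
    """Return the wanted sonames that have no entry in `ldconfig -p` output."""
    cached = set()
    for line in ldconfig_output.splitlines():
        if "=>" in line:
            cached.add(line.split()[0])
    missing = []
    for name in wanted:
        # "libfoo.so" is satisfied by libfoo.so itself or by any libfoo.so.N
        if not any(c == name or c.startswith(name + ".") for c in cached):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("pkcs11 group:", check_current_user())
    print("missing from sample cache:", missing_libraries(SAMPLE_LDCONFIG))
```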