opencryptoki-users Mailing List for openCryptoki (Page 8)
From: David S. <dav...@gm...> - 2007-11-25 04:57:19
Hello,

I'm attempting to sign some data with an RSA key imported into the TPM chip of my Thinkpad X61, performed with OpenSC's pkcs11-tool with the following command line:

pkcs11-tool --module /usr/lib/pkcs11/libopencryptoki.so --login --write-object ~/key.der --attr-from ~/cert.der --id 1 --label test

This and the associated certificate import succeeds, and I see the expected output:

Private Key Object; RSA
  label:      test
  ID:         01
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      test
  ID:         01

But when I attempt to sign some data, it fails at token_rsa_load_key because the key object does not have a CKA_IBM_OPAQUE attribute with the keyblob. The current code only seems to set the attribute on the private and public root and leaf keys, not on any keys imported into the device afterwards. That is, none of the functions in loadsave.c update an incoming private key object with the attribute in order to make it usable for token_specific_rsa operations, which causes token_specific_rsa* operations to fail because token_rsa_load_key can't find the key.

I notice that token_specific_rsa_generate_keypair does appear to set the attribute correctly when it stores the new keys on the TPM, and so I wonder if I have to use this method to store keys on the chip? In other words, is it illegal to import a certificate and key from the disk (which seems very logistically painful, but very secure).

I thought that the answer to that question was no, it is ok to load keys and certs from disk, and that is what the token_wrap_key_object function is for, so I modified token_rsa_load_key to try to wrap the incoming key object and try to get the keyblob again. This seems to work (although signing fails for a different reason, which could be related, but I'm pursuing that on the trousers mailing list).

In general, it seems that token_wrap_key_object should be called from save_private_token_object and save_public_token_object, in order to store the key on the TPM chip properly. Why is this not done?

Thanks for any feedback,
David
From: Sanjay S. <san...@gm...> - 2007-11-19 12:43:09
Hi Kent,

Not a problem, I am good with email support also :)

I have installed the latest CVS package of opencryptoki and the upstream tpm-tools, and trousers, but I am still hitting the same problem, even after setting the SRK to NULL. I am currently trying all different possibilities. I will get back to you if I need your help.

Thank you,
Sanjay

On Nov 16, 2007 2:53 AM, Kent Yoder <shp...@gm...> wrote:
> Hi Sanjay,
>
> The message about packet element not matching is a harmless error, but it looks like the password for the SRK is still bad. Did you reset your SRK password to be a zero-length string with tpm_changeownerauth?
>
> Kent
>
> On Nov 15, 2007 5:45 AM, Sanjay Sha <san...@gm...> wrote:
> > Hi Kent,
> >
> > Thanks very much for patiently replying to my email and explaining the DEBUG information :)
> >
> > I have basically tried resetting the SRK to NULL and ran tpmtoken_init but it doesn't help.
> > I have done some more debugging and found out that the code is failing with this specific error message..
> > "TCSD TCS rpc/tcstp/rpc.c:400 Data type of TCS packet element 2 doesn't match."
> > I found the above by running tcsd in the foreground mode and enabling the debug option.
> >
> > I have been debugging quite a bit and my debug quota for today is over, time to get some sleep :)
> > I am pretty sure you are familiar with this message. So, please help..
> >
> > Also, I am quite new to this technology, so can you suggest some good references to understand how the structure of the TPM is and so on. I am not able to get any useful resources to understand the PUBLIC ROOT KEY, how pkcs11 relates to it and stuff like that. So any guidance in this area is greatly helpful
> >
> > Appreciate your time and help !
> >
> >
> > FYI..
> >
> > root@java:~# tpmtoken_init -k "IBM PKCS#11 TPM Token"
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:358 Sending TSP packet to host localhost.
> > LOG_DEBUG TSPI rpc/tcstp/rpc.c:373 Connecting to 127.0.0.1
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa028b002
> >
> > Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> > Clear the TPM token data? [y/N]: y
> > Enter the TPM security officer password:
> > LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> > LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:318 RPC_LoadKeyByUUID_TP: TCS Context: 0xa028b002
> > LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:339 RPC_LoadKeyByUUID_TP: TCS key handle: 0x40000000
> > LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:274 RPC_GetRegisteredKeyBlob_TP: TCS Context: 0xa028b002
> >
> > LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> > A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> > Enter new password:
> > Confirm password:
> > LOG_DEBUG TSPI rpc/tcstp/rpc_random.c:37 RPC_GetRandom_TP: TCS Context: 0xa028b002
> > LOG_DEBUG TSPI rpc/tcstp/rpc_key.c:184 RPC_GetPubKey_TP: TCS Context: 0xa028b002
> >
> > LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
> > LOG_ERR TPM_STDLL tpm_specific.c:1183 ERROR: token_wrap_sw_key failed. rc=0x1
> > LOG_ERR TPM_STDLL tpm_specific.c:1839 ERROR: FAILED creating SO tree.
> > ST MSG TPM_STDLL new_host.c:1231 whammy
> > C_SetPIN failed: 0x00000006 (6)
> > LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa028b002
> >
> >
> > TCSD DEBUG information of the above command:
> > TCSD svrside.c:283 accepted socket 7
> > TCSD tcsd_threads.c:358 Rx'd packet
> > TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 1
> > TCSD TCS rpc/tcstp/rpc_context.c:37 tcs_wrap_OpenContext: thread -1212236912
> > TCSD tcsd_threads.c:385 Sending 0x26 bytes back
> > TCSD tcsd_threads.c:358 Rx'd packet
> > TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 12
> > TCSD TCS rpc/tcstp/rpc_ps.c:169 tcs_wrap_LoadKeyByUUID: thread -1212236912 context a028b703
> > TCSD TCS tcsi_ps.c:512 TCSP_LoadKeyByUUID_Internal: Enter: uuid: 0xb7beb278 auth? 0x0 ***********
> > TCSD TCS tcs_key_mem_cache.c:629 key_mgr_inc_ref_count: TCSD mem_cached handle: 0x40000000
> > TCSD TCS tcs_ps.c:170 Key successfully loaded by UUID w/ TCS handle: 0x40000000
> > TCSD tcsd_threads.c:385 Sending 0x97 bytes back
> > TCSD tcsd_threads.c:358 Rx'd packet
> > TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 9
> > TCSD TCS rpc/tcstp/rpc_ps.c:131 tcs_wrap_GetRegisteredKeyBlob: thread -1212236912 context a028b703
> > TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: Version: 1.1.0.6
> > TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: keyUsage: 0x11
> > TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: keyFlags: 0x0
> > TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: authDatausage: 0
> > TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: pcrInfosize: 0
> > TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: encDataSize: 0
> > TCSD tcsd_threads.c:385 Sending 0x151 bytes back
> > TCSD tcsd_threads.c:358 Rx'd packet
> > TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 44
> > TCSD TCS rpc/tcstp/rpc_random.c:41 tcs_wrap_GetRandom: thread -1212236912 context a028b703
> > TCSD TCS tcsi_random.c:48 TCSP_GetRandom_Internal: 32 bytes
> > To TPM: 00 C1 00 00 00 0E 00 00 00 46 00 00 00 20
> > TCSD TDDL tddl.c:105 Calling write to driver
> > From TPM: 00 C4 00 00 00 2E 00 00 00 00 00 00 00 20 F6 7A
> > From TPM: D9 9E 13 06 43 93 9D C3 FA 9C B0 1A AE 0A 90 5A
> > From TPM: EB 84 B0 2B B0 AE 5C 4E AD A1 0D EE EC 27
> > TCSD tcsd_threads.c:385 Sending 0x42 bytes back
> > TCSD tcsd_threads.c:358 Rx'd packet
> > TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 15
> > TCSD TCS rpc/tcstp/rpc_key.c:72 tcs_wrap_GetPubkey: thread -1212236912 context a028b703
> > TCSD TCS rpc/tcstp/rpc.c:400 Data type of TCS packet element 2 doesn't match.
> > TCSD TCS tcsi_key.c:237 Entering Get pub key
> > TCSD TCS tcsi_key.c:246 No Auth
> > TCSD TCS tcs_key_mem_cache.c:159 ensureKeyIsLoaded: 0x40000000
> > TCSD TCS tcs_key_mem_cache.c:708 mc_get_slot_by_handle: TCSD mem_cached handle: 0x40000000
> > TCSD TCS tcs_key_mem_cache.c:167 keySlot is 40000000
> > TCSD TCS tcs_key_mem_cache.c:865 mc_update_time_stamp: TCSD mem_cached handle: 0x40000000
> > TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
> > TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x40000000, slot: 0x40000000
> > To TPM: 00 C1 00 00 00 0E 00 00 00 21 40 00 00 00
> > TCSD TDDL tddl.c:105 Calling write to driver
> > From TPM: 00 C4 00 00 00 0A 00 00 00 01
> > TCSD tcsd_threads.c:385 Sending 0x1C bytes back
> > TCSD tcsd_threads.c:358 Rx'd packet
> > TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 2
> > TCSD TCS rpc/tcstp/rpc_context.c:69 tcs_wrap_CloseContext: thread -1212236912 context a028b703
> > TCSD TCS tcsi_context.c:39 Closing context A028B703
> > TCSD TCS tcs_key_mem_cache.c:653 key_mgr_dec_ref_count: decrementing ref cnt for key 0x40000000
> > TCSD TCS tcsi_context.c:51 Context A028B703 closed
> > TCSD tcsd_threads.c:385 Sending 0x1C bytes back
> > TCSD TCS rpc/tcstp/rpc.c:64 Socket connection closed.
> > TCSD tcsd_threads.c:397 Thread exiting.
> >
> > Thank you,
> > Sanjay Sha
> > --
> >
> > 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> > www.sanjaysha.com
> >
>
> --
> Kent Yoder
> IBM LTC Security Dev.

--
49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
www.sanjaysha.com
From: Kent Y. <shp...@gm...> - 2007-11-15 15:53:42
Hi Sanjay,

The message about packet element not matching is a harmless error, but it looks like the password for the SRK is still bad. Did you reset your SRK password to be a zero-length string with tpm_changeownerauth?

Kent

On Nov 15, 2007 5:45 AM, Sanjay Sha <san...@gm...> wrote:
> Hi Kent,
>
> Thanks very much for patiently replying to my email and explaining the DEBUG information :)
>
> I have basically tried resetting the SRK to NULL and ran tpmtoken_init but it doesn't help.
> I have done some more debugging and found out that the code is failing with this specific error message..
> "TCSD TCS rpc/tcstp/rpc.c:400 Data type of TCS packet element 2 doesn't match."
> I found the above by running tcsd in the foreground mode and enabling the debug option.
>
> I have been debugging quite a bit and my debug quota for today is over, time to get some sleep :)
> I am pretty sure you are familiar with this message. So, please help..
>
> Also, I am quite new to this technology, so can you suggest some good references to understand how the structure of the TPM is and so on. I am not able to get any useful resources to understand the PUBLIC ROOT KEY, how pkcs11 relates to it and stuff like that. So any guidance in this area is greatly helpful
>
> Appreciate your time and help !
>
>
> FYI..
>
> root@java:~# tpmtoken_init -k "IBM PKCS#11 TPM Token"
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:358 Sending TSP packet to host localhost.
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:373 Connecting to 127.0.0.1
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa028b002
>
> Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> Clear the TPM token data? [y/N]: y
> Enter the TPM security officer password:
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:318 RPC_LoadKeyByUUID_TP: TCS Context: 0xa028b002
> LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:339 RPC_LoadKeyByUUID_TP: TCS key handle: 0x40000000
> LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:274 RPC_GetRegisteredKeyBlob_TP: TCS Context: 0xa028b002
>
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> Enter new password:
> Confirm password:
> LOG_DEBUG TSPI rpc/tcstp/rpc_random.c:37 RPC_GetRandom_TP: TCS Context: 0xa028b002
> LOG_DEBUG TSPI rpc/tcstp/rpc_key.c:184 RPC_GetPubKey_TP: TCS Context: 0xa028b002
>
> LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1183 ERROR: token_wrap_sw_key failed. rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1839 ERROR: FAILED creating SO tree.
> ST MSG TPM_STDLL new_host.c:1231 whammy
> C_SetPIN failed: 0x00000006 (6)
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa028b002
>
>
> TCSD DEBUG information of the above command:
> TCSD svrside.c:283 accepted socket 7
> TCSD tcsd_threads.c:358 Rx'd packet
> TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 1
> TCSD TCS rpc/tcstp/rpc_context.c:37 tcs_wrap_OpenContext: thread -1212236912
> TCSD tcsd_threads.c:385 Sending 0x26 bytes back
> TCSD tcsd_threads.c:358 Rx'd packet
> TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 12
> TCSD TCS rpc/tcstp/rpc_ps.c:169 tcs_wrap_LoadKeyByUUID: thread -1212236912 context a028b703
> TCSD TCS tcsi_ps.c:512 TCSP_LoadKeyByUUID_Internal: Enter: uuid: 0xb7beb278 auth? 0x0 ***********
> TCSD TCS tcs_key_mem_cache.c:629 key_mgr_inc_ref_count: TCSD mem_cached handle: 0x40000000
> TCSD TCS tcs_ps.c:170 Key successfully loaded by UUID w/ TCS handle: 0x40000000
> TCSD tcsd_threads.c:385 Sending 0x97 bytes back
> TCSD tcsd_threads.c:358 Rx'd packet
> TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 9
> TCSD TCS rpc/tcstp/rpc_ps.c:131 tcs_wrap_GetRegisteredKeyBlob: thread -1212236912 context a028b703
> TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: Version: 1.1.0.6
> TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: keyUsage: 0x11
> TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: keyFlags: 0x0
> TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: authDatausage: 0
> TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: pcrInfosize: 0
> TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: encDataSize: 0
> TCSD tcsd_threads.c:385 Sending 0x151 bytes back
> TCSD tcsd_threads.c:358 Rx'd packet
> TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 44
> TCSD TCS rpc/tcstp/rpc_random.c:41 tcs_wrap_GetRandom: thread -1212236912 context a028b703
> TCSD TCS tcsi_random.c:48 TCSP_GetRandom_Internal: 32 bytes
> To TPM: 00 C1 00 00 00 0E 00 00 00 46 00 00 00 20
> TCSD TDDL tddl.c:105 Calling write to driver
> From TPM: 00 C4 00 00 00 2E 00 00 00 00 00 00 00 20 F6 7A
> From TPM: D9 9E 13 06 43 93 9D C3 FA 9C B0 1A AE 0A 90 5A
> From TPM: EB 84 B0 2B B0 AE 5C 4E AD A1 0D EE EC 27
> TCSD tcsd_threads.c:385 Sending 0x42 bytes back
> TCSD tcsd_threads.c:358 Rx'd packet
> TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 15
> TCSD TCS rpc/tcstp/rpc_key.c:72 tcs_wrap_GetPubkey: thread -1212236912 context a028b703
> TCSD TCS rpc/tcstp/rpc.c:400 Data type of TCS packet element 2 doesn't match.
> TCSD TCS tcsi_key.c:237 Entering Get pub key
> TCSD TCS tcsi_key.c:246 No Auth
> TCSD TCS tcs_key_mem_cache.c:159 ensureKeyIsLoaded: 0x40000000
> TCSD TCS tcs_key_mem_cache.c:708 mc_get_slot_by_handle: TCSD mem_cached handle: 0x40000000
> TCSD TCS tcs_key_mem_cache.c:167 keySlot is 40000000
> TCSD TCS tcs_key_mem_cache.c:865 mc_update_time_stamp: TCSD mem_cached handle: 0x40000000
> TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
> TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x40000000, slot: 0x40000000
> To TPM: 00 C1 00 00 00 0E 00 00 00 21 40 00 00 00
> TCSD TDDL tddl.c:105 Calling write to driver
> From TPM: 00 C4 00 00 00 0A 00 00 00 01
> TCSD tcsd_threads.c:385 Sending 0x1C bytes back
> TCSD tcsd_threads.c:358 Rx'd packet
> TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 2
> TCSD TCS rpc/tcstp/rpc_context.c:69 tcs_wrap_CloseContext: thread -1212236912 context a028b703
> TCSD TCS tcsi_context.c:39 Closing context A028B703
> TCSD TCS tcs_key_mem_cache.c:653 key_mgr_dec_ref_count: decrementing ref cnt for key 0x40000000
> TCSD TCS tcsi_context.c:51 Context A028B703 closed
> TCSD tcsd_threads.c:385 Sending 0x1C bytes back
> TCSD TCS rpc/tcstp/rpc.c:64 Socket connection closed.
> TCSD tcsd_threads.c:397 Thread exiting.
>
> Thank you,
> Sanjay Sha
> --
>
> 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> www.sanjaysha.com

--
Kent Yoder
IBM LTC Security Dev.
From: Sanjay S. <san...@gm...> - 2007-11-15 11:45:38
Hi Kent,

Thanks very much for patiently replying to my email and explaining the DEBUG information :)

I have basically tried resetting the SRK to NULL and ran tpmtoken_init but it doesn't help.
I have done some more debugging and found out that the code is failing with this specific error message..
"*TCSD TCS rpc/tcstp/rpc.c:400 Data type of TCS packet element 2 doesn't match.*"
I found the above by running tcsd in the foreground mode and enabling the debug option.

I have been debugging quite a bit and my debug quota for today is over, time to get some sleep :)
I am pretty sure you are familiar with this message. So, please help..

Also, I am quite new to this technology, so can you suggest some good references to understand how the structure of the TPM is and so on. I am not able to get any useful resources to understand the PUBLIC ROOT KEY, how pkcs11 relates to it and stuff like that. So any guidance in this area is greatly helpful

Appreciate your time and help !

FYI..

root@java:~# tpmtoken_init -k "IBM PKCS#11 TPM Token"
LOG_DEBUG TSPI rpc/tcstp/rpc.c:358 Sending TSP packet to host localhost.
LOG_DEBUG TSPI rpc/tcstp/rpc.c:373 Connecting to 127.0.0.1
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received TCS Context: 0xa028b002

Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
Clear the TPM token data? [y/N]: y
Enter the TPM security officer password:
LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:318 RPC_LoadKeyByUUID_TP: TCS Context: 0xa028b002
LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:339 RPC_LoadKeyByUUID_TP: TCS key handle: 0x40000000
LOG_DEBUG TSPI rpc/tcstp/rpc_ps.c:274 RPC_GetRegisteredKeyBlob_TP: TCS Context: 0xa028b002

LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
Enter new password:
Confirm password:
LOG_DEBUG TSPI rpc/tcstp/rpc_random.c:37 RPC_GetRandom_TP: TCS Context: 0xa028b002
LOG_DEBUG TSPI rpc/tcstp/rpc_key.c:184 RPC_GetPubKey_TP: TCS Context: 0xa028b002

LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
LOG_ERR TPM_STDLL tpm_specific.c:1183 ERROR: token_wrap_sw_key failed. rc=0x1
LOG_ERR TPM_STDLL tpm_specific.c:1839 ERROR: FAILED creating SO tree.
ST MSG TPM_STDLL new_host.c:1231 whammy
C_SetPIN failed: 0x00000006 (6)
LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS Context: 0xa028b002


*TCSD DEBUG information of the above command:*
TCSD svrside.c:283 accepted socket 7
TCSD tcsd_threads.c:358 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 1
TCSD TCS rpc/tcstp/rpc_context.c:37 tcs_wrap_OpenContext: thread -1212236912
TCSD tcsd_threads.c:385 Sending 0x26 bytes back
TCSD tcsd_threads.c:358 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 12
TCSD TCS rpc/tcstp/rpc_ps.c:169 tcs_wrap_LoadKeyByUUID: thread -1212236912 context a028b703
TCSD TCS tcsi_ps.c:512 TCSP_LoadKeyByUUID_Internal: Enter: uuid: 0xb7beb278 auth? 0x0 ***********
TCSD TCS tcs_key_mem_cache.c:629 key_mgr_inc_ref_count: TCSD mem_cached handle: 0x40000000
TCSD TCS tcs_ps.c:170 Key successfully loaded by UUID w/ TCS handle: 0x40000000
TCSD tcsd_threads.c:385 Sending 0x97 bytes back
TCSD tcsd_threads.c:358 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 9
TCSD TCS rpc/tcstp/rpc_ps.c:131 tcs_wrap_GetRegisteredKeyBlob: thread -1212236912 context a028b703
TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: Version: 1.1.0.6
TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: keyUsage: 0x11
TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: keyFlags: 0x0
TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: authDatausage: 0
TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: pcrInfosize: 0
TCSD TCS ps/tcsps.c:170 psfile_get_key_by_uuid: encDataSize: 0
TCSD tcsd_threads.c:385 Sending 0x151 bytes back
TCSD tcsd_threads.c:358 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 44
TCSD TCS rpc/tcstp/rpc_random.c:41 tcs_wrap_GetRandom: thread -1212236912 context a028b703
TCSD TCS tcsi_random.c:48 TCSP_GetRandom_Internal: 32 bytes
To TPM: 00 C1 00 00 00 0E 00 00 00 46 00 00 00 20
TCSD TDDL tddl.c:105 Calling write to driver
From TPM: 00 C4 00 00 00 2E 00 00 00 00 00 00 00 20 F6 7A
From TPM: D9 9E 13 06 43 93 9D C3 FA 9C B0 1A AE 0A 90 5A
From TPM: EB 84 B0 2B B0 AE 5C 4E AD A1 0D EE EC 27
TCSD tcsd_threads.c:385 Sending 0x42 bytes back
TCSD tcsd_threads.c:358 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 15
TCSD TCS rpc/tcstp/rpc_key.c:72 tcs_wrap_GetPubkey: thread -1212236912 context a028b703
*TCSD TCS rpc/tcstp/rpc.c:400 Data type of TCS packet element 2 doesn't match.*
TCSD TCS tcsi_key.c:237 Entering Get pub key
TCSD TCS tcsi_key.c:246 No Auth
TCSD TCS tcs_key_mem_cache.c:159 ensureKeyIsLoaded: 0x40000000
TCSD TCS tcs_key_mem_cache.c:708 mc_get_slot_by_handle: TCSD mem_cached handle: 0x40000000
TCSD TCS tcs_key_mem_cache.c:167 keySlot is 40000000
TCSD TCS tcs_key_mem_cache.c:865 mc_update_time_stamp: TCSD mem_cached handle: 0x40000000
TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x40000000, slot: 0x40000000
To TPM: 00 C1 00 00 00 0E 00 00 00 21 40 00 00 00
TCSD TDDL tddl.c:105 Calling write to driver
From TPM: 00 C4 00 00 00 0A 00 00 00 01
TCSD tcsd_threads.c:385 Sending 0x1C bytes back
TCSD tcsd_threads.c:358 Rx'd packet
TCSD TCS rpc/tcstp/rpc.c:659 Dispatching ordinal 2
TCSD TCS rpc/tcstp/rpc_context.c:69 tcs_wrap_CloseContext: thread -1212236912 context a028b703
TCSD TCS tcsi_context.c:39 Closing context A028B703
TCSD TCS tcs_key_mem_cache.c:653 key_mgr_dec_ref_count: decrementing ref cnt for key 0x40000000
TCSD TCS tcsi_context.c:51 Context A028B703 closed
TCSD tcsd_threads.c:385 Sending 0x1C bytes back
TCSD TCS rpc/tcstp/rpc.c:64 Socket connection closed.
TCSD tcsd_threads.c:397 Thread exiting.

Thank you,
Sanjay Sha

--
49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
www.sanjaysha.com
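The tcsd trace in Sanjay's message above contains the raw TPM 1.2 command and response bytes ("To TPM:" / "From TPM:"), and Kent's reply reads the GetPubKey failure as an authentication error. The decoder below is an added example, not code from the thread, from openCryptoki or from TrouSerS: it reassembles those byte dumps into whole TPM messages using the TPM 1.2 header layout (2-byte tag, 4-byte paramSize, 4-byte ordinal or returnCode, big-endian) and a small table of tag, ordinal and return-code values from the TPM 1.2 Main Specification, then pairs each request with its response so that a failing command can be named. The embedded trace is a constructed excerpt of the lines quoted above, kept with the mailing-list quoting and the mbox ">From" munging that the archive introduced, both of which the parser tolerates. The decoder is general: it handles any tagged TPM 1.2 command in the trace, not only the two shown.

```python
"""Reassemble and decode the raw TPM 1.2 byte dumps that tcsd prints in debug mode.
Added example; not code from the thread, openCryptoki or TrouSerS."""
import re
from dataclasses import dataclass

# TPM 1.2 header tags: 0xC1..0xC3 are requests with 0/1/2 authorization sessions,
# 0xC4..0xC6 the matching responses (TPM 1.2 Main Specification, Part 2).
TAGS = {0xC1: "TPM_TAG_RQU_COMMAND", 0xC2: "TPM_TAG_RQU_AUTH1_COMMAND", 0xC3: "TPM_TAG_RQU_AUTH2_COMMAND",
        0xC4: "TPM_TAG_RSP_COMMAND", 0xC5: "TPM_TAG_RSP_AUTH1_COMMAND", 0xC6: "TPM_TAG_RSP_AUTH2_COMMAND"}
AUTH_TAGS = {0xC2, 0xC3, 0xC5, 0xC6}
# A few TPM 1.2 ordinals and return codes (same specification).
ORDINALS = {0x0A: "TPM_ORD_OIAP", 0x0B: "TPM_ORD_OSAP", 0x20: "TPM_ORD_LoadKey", 0x21: "TPM_ORD_GetPubKey",
            0x3C: "TPM_ORD_Sign", 0x41: "TPM_ORD_LoadKey2", 0x46: "TPM_ORD_GetRandom"}
RETURN_CODES = {0x00: "TPM_SUCCESS", 0x01: "TPM_AUTHFAIL", 0x02: "TPM_BADINDEX", 0x03: "TPM_BAD_PARAMETER",
                0x06: "TPM_DEACTIVATED", 0x07: "TPM_DISABLED", 0x09: "TPM_FAIL", 0x0A: "TPM_BAD_ORDINAL",
                0x0C: "TPM_INVALID_KEYHANDLE", 0x0D: "TPM_KEYNOTFOUND", 0x12: "TPM_NOSRK", 0x1E: "TPM_BADTAG"}
HEADER_LEN = 10  # tag(2) + paramSize(4) + ordinal or returnCode(4), all big-endian

# Accepts mailing-list "> " quoting and the mbox ">From" munging seen in the archive.
LINE_RE = re.compile(r"^[>\s]*(To|From) TPM:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


@dataclass
class TpmMessage:
    direction: str   # "To" = request sent to the TPM, "From" = response from it
    tag: int
    size: int        # paramSize: total length of the message including the header
    code: int        # ordinal for a request, return code for a response
    body: bytes      # payload after the 10-byte header

    @property
    def tag_name(self):
        return TAGS.get(self.tag, f"tag 0x{self.tag:04X}")

    @property
    def code_name(self):
        table, kind = (ORDINALS, "ordinal") if self.direction == "To" else (RETURN_CODES, "rc")
        return table.get(self.code, f"{kind} 0x{self.code:X}")


def parse_tpm_trace(text):
    """Reassemble 'To TPM:'/'From TPM:' hex dumps into whole TPM messages.
    tcsd splits long messages over several lines, so bytes are buffered per
    direction until the paramSize field says a complete message is present."""
    messages = []
    pending = {"To": bytearray(), "From": bytearray()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a byte dump line
        buf = pending[m.group(1)]
        buf.extend(bytes.fromhex("".join(m.group(2).split())))
        while len(buf) >= HEADER_LEN:
            size = int.from_bytes(buf[2:6], "big")
            if size < HEADER_LEN:
                raise ValueError(f"bad paramSize {size} in {m.group(1)} TPM dump")
            if len(buf) < size:
                break  # the rest of this message is on a later line
            raw = bytes(buf[:size])
            del buf[:size]
            messages.append(TpmMessage(m.group(1), int.from_bytes(raw[0:2], "big"), size,
                                       int.from_bytes(raw[6:10], "big"), raw[HEADER_LEN:]))
    for direction, buf in pending.items():
        if buf:
            raise ValueError(f"{len(buf)} trailing bytes in {direction} TPM dump (truncated trace?)")
    return messages


def pair_exchanges(messages):
    """Pair each request with the response that follows it, in trace order."""
    exchanges, request = [], None
    for msg in messages:
        if msg.direction == "To":
            request = msg
        elif request is not None:
            exchanges.append((request, msg))
            request = None
    return exchanges


def describe(request, response):
    """One-line summary of an exchange, naming the key handle for GetPubKey."""
    auth = "with" if request.tag in AUTH_TAGS else "without"
    detail = ""
    if request.code == 0x21 and len(request.body) >= 4:  # GetPubKey body starts with keyHandle
        detail = f" on key handle 0x{int.from_bytes(request.body[:4], 'big'):08X}"
    return (f"{request.code_name}{detail} sent {auth} an authorization session "
            f"({request.tag_name}) -> {response.code_name}")


def failed_exchanges(text):
    """(ordinal, return code) for every command the TPM rejected in the trace."""
    return [(req.code_name, rsp.code_name)
            for req, rsp in pair_exchanges(parse_tpm_trace(text)) if rsp.code != 0]


# Constructed excerpt of the tcsd trace quoted in the thread, quoting and mbox munging included.
SAMPLE_TRACE = """\
> TCSD TCS tcsi_random.c:48 TCSP_GetRandom_Internal: 32 bytes
> To TPM: 00 C1 00 00 00 0E 00 00 00 46 00 00 00 20
> TCSD TDDL tddl.c:105 Calling write to driver
>From TPM: 00 C4 00 00 00 2E 00 00 00 00 00 00 00 20 F6 7A
>From TPM: D9 9E 13 06 43 93 9D C3 FA 9C B0 1A AE 0A 90 5A
>From TPM: EB 84 B0 2B B0 AE 5C 4E AD A1 0D EE EC 27
> TCSD TCS tcsi_key.c:246 No Auth
> TCSD TCS tcsi_key.c:254 GetPubKey: handle: 0x40000000, slot: 0x40000000
> To TPM: 00 C1 00 00 00 0E 00 00 00 21 40 00 00 00
> TCSD TDDL tddl.c:105 Calling write to driver
>From TPM: 00 C4 00 00 00 0A 00 00 00 01
"""

if __name__ == "__main__":
    for req, rsp in pair_exchanges(parse_tpm_trace(SAMPLE_TRACE)):
        print(describe(req, rsp))
```

Run on the excerpt, the GetRandom exchange decodes as a 46-byte success response carrying the 32 requested bytes, and the GetPubKey exchange as a request on handle 0x40000000 with no authorization session answered by TPM_AUTHFAIL (rc 0x1), which is the "rc=0x1" the TSP layer reports for Tspi_Key_GetPubKey and the authentication error Kent points at. The "Data type of TCS packet element 2 doesn't match" line is TCS-level and never reaches the TPM, so it does not show up in the byte dumps at all.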
From: Kent Y. <shp...@gm...> - 2007-11-14 16:19:35
Hi Sanjay,

On Nov 13, 2007 10:48 PM, Sanjay Sha <san...@gm...> wrote:
> Enabling debugging actually reveals some more information:
>
> ~:# tpmtoken_init -k tpm
> Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> Clear the TPM token data? [y/N]: y
> Enter the TPM security officer password:
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!

FYI the above errors aren't really errors. :-) The TPM token is searching for the root keys that it automatically loads as part of the protection it does for the PKCS#11 data store. These keys don't exist yet because you haven't set up the SO and USER pins.

> A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> Enter new password:
> Confirm password:

This looks like a bug in tpmtoken_init. I think it should be prompting you for the user password after SO pin, so apparently setting the SO pin is failing here.

>
> ~:# pkcsconf -c 0 -p
> Enter user PIN: *****
> Enter the new user PIN: ***
> Re-enter the new user PIN: ***
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:623 ERROR: token_find_key failed. rc=0x8f000000
> LOG_ERR TPM_STDLL tpm_specific.c:1494 ERROR: token_load_public_root_key failed. rc=0x6
> Error logging in: 0x102

0x102 is user pin not initialized, you'd need to run pkcsconf -u first. Also, tpmtoken_init was meant to be a complete replacement for the pkcsconf steps. Once tpmtoken_init succeeds, your TPM token should be ready to use.

>
> ~:# pkcsconf -c 0 -P
> Enter the SO PIN: ********
> Enter the new SO PIN: ******
> Re-enter the new SO PIN: ******
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1

Ok, the GetPubKey call is being used to grab the SRK pub key, which is failing with an authentication error. As the openCryptoki TPM token code is written now, the SRK password must be a hash of 0 bytes. You can set this up by just hitting enter when you're prompted for a new password in tpm_changeownerauth -s. Try setting the SRK password and then just run tpmtoken_init to see if that works.

Thanks,
Kent

> LOG_ERR TPM_STDLL tpm_specific.c:1179 ERROR: token_wrap_sw_key failed. rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1835 ERROR: FAILED creating SO tree.
> ST MSG TPM_STDLL new_host.c:1224 whammy
>
> I am trying to read docs to understand this error message, but since you are the experts, you can tell me what is going wrong fairly easily. Please let me know.
>
>
> Thank you,
> Sanjay
> --
> 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> www.sanjaysha.com
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> opencryptoki-users mailing list
> ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opencryptoki-users
>

--
Kent Yoder
IBM LTC Security Dev.
From: Steven B. <sb...@au...> - 2007-11-14 15:10:35
I believe that this means you have not initialized the TPM with a Storage Root Key... that has to be done outside of the P11 token

Sanjay Sha wrote:
> Enabling debugging actually reveals some more information:
>
> ~:# tpmtoken_init -k tpm
> Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
> Clear the TPM token data? [y/N]: y
> Enter the TPM security officer password:
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
> Enter new password:
> Confirm password:
>
> ~:# pkcsconf -c 0 -p
> Enter user PIN: *****
> Enter the new user PIN: ***
> Re-enter the new user PIN: ***
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:623 ERROR: token_find_key failed. rc=0x8f000000
> LOG_ERR TPM_STDLL tpm_specific.c:1494 ERROR: token_load_public_root_key failed. rc=0x6
> Error logging in: 0x102
>
> ~:# pkcsconf -c 0 -P
> Enter the SO PIN: ********
> Enter the new SO PIN: ******
> Re-enter the new SO PIN: ******
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
> LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1179 ERROR: token_wrap_sw_key failed. rc=0x1
> LOG_ERR TPM_STDLL tpm_specific.c:1835 ERROR: FAILED creating SO tree.
> ST MSG TPM_STDLL new_host.c:1224 whammy
>
> I am trying to read docs to understand this error message, but since you are the experts, you can tell me what is going wrong fairly easily. Please let me know.
>
> Thank you,
> Sanjay
> --
> 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> www.sanjaysha.com <http://www.sanjaysha.com>
From: Sanjay S. <san...@gm...> - 2007-11-14 04:48:21
Enabling debugging actually reveals some more information:

~:# tpmtoken_init -k tpm
Warning: The TPM token has already been initialized. Reinitializing the TPM token will cause all TPM token data to be lost.
Clear the TPM token data? [y/N]: y
Enter the TPM security officer password:
LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
A new TPM security officer password is needed. The password must be between 6 and 127 characters in length.
Enter new password:
Confirm password:

~:# pkcsconf -c 0 -p
Enter user PIN: *****
Enter the new user PIN: ***
Re-enter the new user PIN: ***
LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
LOG_ERR TPM_STDLL tpm_specific.c:623 ERROR: token_find_key failed. rc=0x8f000000
LOG_ERR TPM_STDLL tpm_specific.c:1494 ERROR: token_load_public_root_key failed. rc=0x6
Error logging in: 0x102

~:# pkcsconf -c 0 -P
Enter the SO PIN: ********
Enter the new SO PIN: ******
Re-enter the new SO PIN: ******
LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!
LOG_ERR TPM_STDLL tpm_specific.c:309 ERROR: Tspi_Key_GetPubKey failed: rc=0x1
LOG_ERR TPM_STDLL tpm_specific.c:1179 ERROR: token_wrap_sw_key failed. rc=0x1
LOG_ERR TPM_STDLL tpm_specific.c:1835 ERROR: FAILED creating SO tree.
ST MSG TPM_STDLL new_host.c:1224 whammy

I am trying to read docs to understand this error message, but since you are the experts, you can tell me what is going wrong fairly easily. Please let me know.

Thank you,
Sanjay

--
49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
www.sanjaysha.com
From: Sanjay S. <san...@gm...> - 2007-11-13 14:18:49
|
I just tried setting the SO PIN and I get the following message:

    ~:# pkcsconf -c 0 -P
    Enter the SO PIN: ********
    Enter the new SO PIN: **********
    Re-enter the new SO PIN: **********
    Error setting PIN: 0x6

-Sanjay

On Nov 13, 2007 7:22 PM, Steven Bade <sb...@au...> wrote:
> Have you set the SO Pin?
> Sanjay Sha wrote:
> > Hi,
> >
> > I am trying to talk to the TPM chip using the pkcs11 interface.
> > When I try changing the user PIN, I get the following error.
> >
> > ~:# pkcsconf -c 0 -p
> > Enter user PIN: *****
> > Enter the new user PIN: ********
> > Re-enter the new user PIN: ********
> > Error logging in: 0x102
> >
> > Can you please help...
> >
> > FYI, pkcs11_startup populates the following entries in the pk_config_data.
> >
> > TRUE|0|Linux 2.6.22-gg14-generic Linux (TPM)|Linux 2.6.22-gg14-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
> > TRUE|0|Linux 2.6.22-gg14-generic Linux (Soft)|Linux 2.6.22-gg14-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initializ
> >
> > Also, I could run the pkcsconf -c 0 -I command to initialize the token, and
> > pkcsconf -c 0 -u to initialize the user PIN.
> >
> > pkcsconf -ts output:
> >
> > Slot #0 Info
> > Description: Linux 2.6.22-gg14-generic Linux (TPM)
> > Manufacturer: Linux 2.6.22-gg14-generic
> > Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
> > Hardware Version: 0.0
> > Firmware Version: 1.1
> >
> > Token #0 Info:
> > Label: tpm
> > Manufacturer: IBM Corp.
> > Model: TPM v1.1 Token
> > Serial Number: 123
> > Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> > Sessions: -1/-1
> > R/W Sessions: -1/-1
> > PIN Length: 6-127
> > Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> > Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> > Hardware Version: 1.0
> > Firmware Version: 1.0
> > Time: 09:28:20
> >
> > Thank you,
> > Sanjay
> >
> > --
> > 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> > www.sanjaysha.com <http://www.sanjaysha.com>
>

--
49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
www.sanjaysha.com
|
From: Steven B. <sb...@au...> - 2007-11-13 13:53:00
|
Have you set the SO Pin?

Sanjay Sha wrote:
> Hi,
>
> I am trying to talk to the TPM chip using the pkcs11 interface.
> When I try changing the user PIN, I get the following error.
>
> ~:# pkcsconf -c 0 -p
> Enter user PIN: *****
> Enter the new user PIN: ********
> Re-enter the new user PIN: ********
> Error logging in: 0x102
>
> Can you please help...
>
> FYI, pkcs11_startup populates the following entries in the pk_config_data.
>
> TRUE|0|Linux 2.6.22-gg14-generic Linux (TPM)|Linux 2.6.22-gg14-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
> TRUE|0|Linux 2.6.22-gg14-generic Linux (Soft)|Linux 2.6.22-gg14-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initializ
>
> Also, I could run the pkcsconf -c 0 -I command to initialize the token, and
> pkcsconf -c 0 -u to initialize the user PIN.
>
> pkcsconf -ts output:
>
> Slot #0 Info
> Description: Linux 2.6.22-gg14-generic Linux (TPM)
> Manufacturer: Linux 2.6.22-gg14-generic
> Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
> Hardware Version: 0.0
> Firmware Version: 1.1
>
> Token #0 Info:
> Label: tpm
> Manufacturer: IBM Corp.
> Model: TPM v1.1 Token
> Serial Number: 123
> Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
> Sessions: -1/-1
> R/W Sessions: -1/-1
> PIN Length: 6-127
> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> Hardware Version: 1.0
> Firmware Version: 1.0
> Time: 09:28:20
>
> Thank you,
> Sanjay
>
> --
> 49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
> www.sanjaysha.com <http://www.sanjaysha.com>
|
From: Sanjay S. <san...@gm...> - 2007-11-13 11:55:44
|
Hi,

I am trying to talk to the TPM chip using the pkcs11 interface.
When I try changing the user PIN, I get the following error.

    ~:# pkcsconf -c 0 -p
    Enter user PIN: *****
    Enter the new user PIN: ********
    Re-enter the new user PIN: ********
    Error logging in: 0x102

Can you please help...

FYI, pkcs11_startup populates the following entries in the pk_config_data.

    TRUE|0|Linux 2.6.22-gg14-generic Linux (TPM)|Linux 2.6.22-gg14-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
    TRUE|0|Linux 2.6.22-gg14-generic Linux (Soft)|Linux 2.6.22-gg14-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initializ

Also, I could run the pkcsconf -c 0 -I command to initialize the token, and
pkcsconf -c 0 -u to initialize the user PIN.

pkcsconf -ts output:

    Slot #0 Info
    Description: Linux 2.6.22-gg14-generic Linux (TPM)
    Manufacturer: Linux 2.6.22-gg14-generic
    Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
    Hardware Version: 0.0
    Firmware Version: 1.1

    Token #0 Info:
    Label: tpm
    Manufacturer: IBM Corp.
    Model: TPM v1.1 Token
    Serial Number: 123
    Flags: 0x880445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: -1/-1
    R/W Sessions: -1/-1
    PIN Length: 6-127
    Public Memory: 0xFFFFFFFF/0xFFFFFFFF
    Private Memory: 0xFFFFFFFF/0xFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 09:28:20

Thank you,
Sanjay
--
49:02:1f:d9:d5:10:98:58:12:af:56:e4:f1:34:cf:7e -Sunj
www.sanjaysha.com
|
From: Steven B. <sb...@au...> - 2007-10-17 14:17:07
|
YH Cheng wrote:
> Hi all,
>
> We have an application using IBM cryptocard 4758 currently, and now it's
> moving from 32-bit to 64-bit.
> We wrote a JNI wrapper to call PKCS11_API.so, and so we have to
> recompile the JNI native library as a 64-bit one.
>
> What's needed to change in order to use those .so64 libraries in
> /usr/lib/pkcs11/stdll ?
> Can anyone please give some pointers ..... ?
>
> Thank you !

You load PKCS11_API.so64 in your JNI, and the others get loaded automatically.

NOTE: the 4758 function has NEVER been tested on a 64-bit system under Linux.

> Cheers,
> Karl
|
From: YH C. <hue...@gm...> - 2007-10-11 03:08:20
|
Hi all,

We have an application using IBM cryptocard 4758 currently, and now it's moving from 32-bit to 64-bit.
We wrote a JNI wrapper to call PKCS11_API.so, and so we have to recompile the JNI native library as a 64-bit one.

What's needed to change in order to use those .so64 libraries in /usr/lib/pkcs11/stdll ?
Can anyone please give some pointers ..... ?

Thank you !

Cheers,
Karl
|
From: Kent Y. <shp...@gm...> - 2007-04-26 19:27:19
|
Ahh, I forgot, you will need to call C_SetPIN() before the hierarchy is created (pkcsconf -c <slot> -P). I had to go back and look at the state diagram, which I've attached...

Kent

On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> Sorry for the mistake, there is a username directory, but there are no *.pem
> files.
> I do it under root, so
>
> /usr/local/var/lib/opencryptoki/tpm/root/ contains:
> NVTOK.DAT TOK_OBJ/
> TOK_OBJ directory is empty
> and /usr/local/var/lib/tpm/ contains
> system.data
>
> On 26/04/07, Kent Yoder <shp...@gm...> wrote:
> > Hmm... not even under /usr/local/var/lib/tpm/$USER? There should be
> > a username directory, with each user getting his own set of root
> > keys...
> >
> > On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> > > Thanks for the reply,
> > > I built it without the --enable-debug option and the error message disappeared :)
> > > But I have a further question :) Directory
> > > /usr/local/var/lib/opencryptoki/tpm/ did not include any
> > > PRIVATE_ROOT_KEY.pem and PUBLIC_ROOT_KEY.pem files after I had set up SO
> > > and User PINs.
> > >
> > > On 26/04/07, Kent Yoder <shp...@gm...> wrote:
> > > > Hi Andriy,
> > > >
> > > > Hopefully this error is only printed with a debugging build of
> > > > openCryptoki. If not, it is a bug...
> > > >
> > > > But this message is printed because when openCryptoki's TPM token is
> > > > initialized, it looks around for the keys it uses to internally manage
> > > > the TPM token's data store (one is called 'PUBLIC ROOT KEY' the other
> > > > is 'PRIVATE ROOT KEY'). These keys are generated once the SO or USER
> > > > establishes a PIN, so before that point (pre-token init time), they
> > > > don't exist. This is fine, and part of how the TPM token works
> > > > normally. Perhaps the large 'ERROR' text was a bad choice for this
> > > > harmless message. :-)
> > > >
> > > > Kent
> > > >
> > > > On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> > > > > Hi everybody,
> > > > > I try to initialize the tpm token using the command
> > > > > pkcsconf -I -c 0.
> > > > > It returns
> > > > > LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> > > > > not found in the store!
> > > > > What is the reason for this problem? How do I solve it?
> > > > > Thanks in advance.
> > > > >
> > > > > -------------------------------------------------------------------------
> > > > > This SF.net email is sponsored by DB2 Express
> > > > > Download DB2 Express C - the FREE version of DB2 express and take
> > > > > control of your XML. No limits. Just data. Click to get it now.
> > > > > http://sourceforge.net/powerbar/db2/
> > > > > _______________________________________________
> > > > > opencryptoki-users mailing list
> > > > > ope...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/opencryptoki-users
> > > >
> > > > --
> > > > Kent Yoder
> > > > IBM LTC Security Dev.
> > >
> > > --
> > > Best regards, Andriy
> >
> > --
> > Kent Yoder
> > IBM LTC Security Dev.
>
> --
> Best regards, Andriy

--
Kent Yoder
IBM LTC Security Dev.
|
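The Flags value in Sanjay's pkcsconf -ts output above (0x880445) and the hex codes pkcsconf prints (Error logging in: 0x102, Error setting PIN: 0x6) are the PKCS#11 CK_TOKEN_INFO flag bits and CKR_* return values, and reading them answers Steven's question and backs Kent's ordering note: USER_PIN_INITIALIZED (0x8) is not set in 0x880445, 0x102 is CKR_USER_PIN_NOT_INITIALIZED, 0x6 is CKR_FUNCTION_FAILED, and the SO_PIN_TO_BE_CHANGED bit says the SO PIN step (pkcsconf -P) has to happen first. The decoder below is an added example written for this page, not openCryptoki code: the constant values are the public PKCS#11 v2.20 ones, while the function names and the step ordering (SO PIN before anything touches the user PIN, as Kent's and Steven's replies say) are this example's own assumptions and are not something the token reports.

```c
/*
 * Added example, not openCryptoki code: decode the CK_TOKEN_INFO flags that
 * pkcsconf -t prints as "Flags: 0x880445 (...)", name the CKR_* codes that
 * pkcsconf prints as "Error logging in: 0x102" / "Error setting PIN: 0x6",
 * and derive which pkcsconf step is still pending.  Constants are the public
 * PKCS#11 v2.20 values (pkcs11t.h).  The step ordering (SO PIN before user
 * PIN) is an assumption taken from the replies in these threads.
 */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_FLAGS;
typedef unsigned long CK_RV;

/* CK_TOKEN_INFO.flags bits */
#define CKF_RNG                      0x00000001UL
#define CKF_LOGIN_REQUIRED           0x00000004UL
#define CKF_USER_PIN_INITIALIZED     0x00000008UL
#define CKF_CLOCK_ON_TOKEN           0x00000040UL
#define CKF_TOKEN_INITIALIZED        0x00000400UL
#define CKF_USER_PIN_LOCKED          0x00040000UL
#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000UL
#define CKF_SO_PIN_LOCKED            0x00400000UL
#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000UL

/* CKR_* return values relevant to PIN handling */
#define CKR_FUNCTION_FAILED          0x006UL
#define CKR_PIN_INCORRECT            0x0A0UL
#define CKR_PIN_LOCKED               0x0A4UL
#define CKR_USER_PIN_NOT_INITIALIZED 0x102UL

/* Ascending bit order, so the output matches the order pkcsconf prints. */
static const struct { CK_FLAGS bit; const char *name; } token_flag_names[] = {
    { CKF_RNG, "RNG" },
    { CKF_LOGIN_REQUIRED, "LOGIN_REQUIRED" },
    { CKF_USER_PIN_INITIALIZED, "USER_PIN_INITIALIZED" },
    { CKF_CLOCK_ON_TOKEN, "CLOCK_ON_TOKEN" },
    { CKF_TOKEN_INITIALIZED, "TOKEN_INITIALIZED" },
    { CKF_USER_PIN_LOCKED, "USER_PIN_LOCKED" },
    { CKF_USER_PIN_TO_BE_CHANGED, "USER_PIN_TO_BE_CHANGED" },
    { CKF_SO_PIN_LOCKED, "SO_PIN_LOCKED" },
    { CKF_SO_PIN_TO_BE_CHANGED, "SO_PIN_TO_BE_CHANGED" },
};

/* Writes "A|B|C" for the set bits into out and returns how many were named. */
int decode_token_flags(CK_FLAGS flags, char *out, size_t outlen)
{
    size_t i, used = 0;
    int count = 0, n;

    if (outlen == 0) return 0;
    out[0] = '\0';
    for (i = 0; i < sizeof token_flag_names / sizeof token_flag_names[0]; i++) {
        if (!(flags & token_flag_names[i].bit)) continue;
        n = snprintf(out + used, outlen - used, "%s%s",
                     count ? "|" : "", token_flag_names[i].name);
        if (n < 0 || (size_t)n >= outlen - used) break;   /* buffer full, stop */
        used += (size_t)n;
        count++;
    }
    return count;
}

const char *ckr_name(CK_RV rv)
{
    switch (rv) {
    case CKR_FUNCTION_FAILED:          return "CKR_FUNCTION_FAILED";
    case CKR_PIN_INCORRECT:            return "CKR_PIN_INCORRECT";
    case CKR_PIN_LOCKED:               return "CKR_PIN_LOCKED";
    case CKR_USER_PIN_NOT_INITIALIZED: return "CKR_USER_PIN_NOT_INITIALIZED";
    default:                           return "CKR_<not in this table>";
    }
}

/* Assumed order (from the replies above): the SO PIN is settled before
 * anything touches the user PIN.  -I = C_InitToken, -P = C_SetPIN as SO,
 * -u = C_InitPIN (needs SO login), -p = C_SetPIN as user. */
const char *next_pkcsconf_step(CK_FLAGS flags)
{
    if (flags & (CKF_SO_PIN_LOCKED | CKF_USER_PIN_LOCKED))
        return "PIN locked: no pkcsconf PIN step applies";
    if (!(flags & CKF_TOKEN_INITIALIZED))    return "pkcsconf -c <slot> -I";
    if (flags & CKF_SO_PIN_TO_BE_CHANGED)    return "pkcsconf -c <slot> -P";
    if (!(flags & CKF_USER_PIN_INITIALIZED)) return "pkcsconf -c <slot> -u";
    if (flags & CKF_USER_PIN_TO_BE_CHANGED)  return "pkcsconf -c <slot> -p";
    return "nothing pending";
}

int main(void)
{
    char buf[256];
    CK_FLAGS flags = 0x880445UL;   /* value from the pkcsconf -ts output above */

    decode_token_flags(flags, buf, sizeof buf);
    printf("Flags: 0x%lx (%s)\n", flags, buf);
    printf("0x102 = %s, 0x6 = %s\n", ckr_name(0x102UL), ckr_name(0x6UL));
    printf("next step: %s\n", next_pkcsconf_step(flags));
    return 0;
}
```

Run against 0x880445 it reproduces pkcsconf's own flag listing and reports pkcsconf -c <slot> -P as the pending step; once SO_PIN_TO_BE_CHANGED clears and USER_PIN_INITIALIZED is still absent it reports -u, which is the C_InitPIN that needs an SO login and is why a user-PIN change (-p) returns 0x102 beforehand.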
From: Andriy S. <and...@gm...> - 2007-04-26 18:46:52
|
Sorry for the mistake, there is a username directory, but there are no *.pem files.
I do it under root, so

/usr/local/var/lib/opencryptoki/tpm/root/ contains:
    NVTOK.DAT TOK_OBJ/
    TOK_OBJ directory is empty
and /usr/local/var/lib/tpm/ contains
    system.data

On 26/04/07, Kent Yoder <shp...@gm...> wrote:
>
> Hmm... not even under /usr/local/var/lib/tpm/$USER? There should be
> a username directory, with each user getting his own set of root
> keys...
>
> On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> > Thanks for the reply,
> > I built it without the --enable-debug option and the error message disappeared :)
> > But I have a further question :) Directory
> > /usr/local/var/lib/opencryptoki/tpm/ did not include any
> > PRIVATE_ROOT_KEY.pem and PUBLIC_ROOT_KEY.pem files after I had set up SO
> > and User PINs.
> >
> > On 26/04/07, Kent Yoder <shp...@gm...> wrote:
> > > Hi Andriy,
> > >
> > > Hopefully this error is only printed with a debugging build of
> > > openCryptoki. If not, it is a bug...
> > >
> > > But this message is printed because when openCryptoki's TPM token is
> > > initialized, it looks around for the keys it uses to internally manage
> > > the TPM token's data store (one is called 'PUBLIC ROOT KEY' the other
> > > is 'PRIVATE ROOT KEY'). These keys are generated once the SO or USER
> > > establishes a PIN, so before that point (pre-token init time), they
> > > don't exist. This is fine, and part of how the TPM token works
> > > normally. Perhaps the large 'ERROR' text was a bad choice for this
> > > harmless message. :-)
> > >
> > > Kent
> > >
> > > On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> > > > Hi everybody,
> > > > I try to initialize the tpm token using the command
> > > > pkcsconf -I -c 0.
> > > > It returns
> > > > LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> > > > not found in the store!
> > > > What is the reason for this problem? How do I solve it?
> > > > Thanks in advance.
> > >
> > > --
> > > Kent Yoder
> > > IBM LTC Security Dev.
> >
> > --
> > Best regards, Andriy
>
> --
> Kent Yoder
> IBM LTC Security Dev.
>

--
Best regards, Andriy
|
From: Kent Y. <shp...@gm...> - 2007-04-26 18:28:06
|
Hmm... not even under /usr/local/var/lib/tpm/$USER? There should be a username directory, with each user getting his own set of root keys...

On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> Thanks for the reply,
> I built it without the --enable-debug option and the error message disappeared :)
> But I have a further question :) Directory
> /usr/local/var/lib/opencryptoki/tpm/ did not include any
> PRIVATE_ROOT_KEY.pem and PUBLIC_ROOT_KEY.pem files after I had set up SO
> and User PINs.
>
> On 26/04/07, Kent Yoder <shp...@gm...> wrote:
> > Hi Andriy,
> >
> > Hopefully this error is only printed with a debugging build of
> > openCryptoki. If not, it is a bug...
> >
> > But this message is printed because when openCryptoki's TPM token is
> > initialized, it looks around for the keys it uses to internally manage
> > the TPM token's data store (one is called 'PUBLIC ROOT KEY' the other
> > is 'PRIVATE ROOT KEY'). These keys are generated once the SO or USER
> > establishes a PIN, so before that point (pre-token init time), they
> > don't exist. This is fine, and part of how the TPM token works
> > normally. Perhaps the large 'ERROR' text was a bad choice for this
> > harmless message. :-)
> >
> > Kent
> >
> > On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> > > Hi everybody,
> > > I try to initialize the tpm token using the command
> > > pkcsconf -I -c 0.
> > > It returns
> > > LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> > > not found in the store!
> > > What is the reason for this problem? How do I solve it?
> > > Thanks in advance.
> >
> > --
> > Kent Yoder
> > IBM LTC Security Dev.
>
> --
> Best regards, Andriy

--
Kent Yoder
IBM LTC Security Dev.
|
From: Andriy S. <and...@gm...> - 2007-04-26 18:23:01
|
Thanks for the reply,
I built it without the --enable-debug option and the error message disappeared :)
But I have a further question :) Directory /usr/local/var/lib/opencryptoki/tpm/ did not include any PRIVATE_ROOT_KEY.pem and PUBLIC_ROOT_KEY.pem files after I had set up SO and User PINs.

On 26/04/07, Kent Yoder <shp...@gm...> wrote:
> Hi Andriy,
>
> Hopefully this error is only printed with a debugging build of
> openCryptoki. If not, it is a bug...
>
> But this message is printed because when openCryptoki's TPM token is
> initialized, it looks around for the keys it uses to internally manage
> the TPM token's data store (one is called 'PUBLIC ROOT KEY' the other
> is 'PRIVATE ROOT KEY'). These keys are generated once the SO or USER
> establishes a PIN, so before that point (pre-token init time), they
> don't exist. This is fine, and part of how the TPM token works
> normally. Perhaps the large 'ERROR' text was a bad choice for this
> harmless message. :-)
>
> Kent
>
> On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> > Hi everybody,
> > I try to initialize the tpm token using the command
> > pkcsconf -I -c 0.
> > It returns
> > LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> > not found in the store!
> > What is the reason for this problem? How do I solve it?
> > Thanks in advance.
>
> --
> Kent Yoder
> IBM LTC Security Dev.
>

--
Best regards, Andriy
|
From: Kent Y. <shp...@gm...> - 2007-04-26 17:03:35
|
Hi Andriy,

Hopefully this error is only printed with a debugging build of openCryptoki. If not, it is a bug...

But this message is printed because when openCryptoki's TPM token is initialized, it looks around for the keys it uses to internally manage the TPM token's data store (one is called 'PUBLIC ROOT KEY', the other is 'PRIVATE ROOT KEY'). These keys are generated once the SO or USER establishes a PIN, so before that point (pre-token init time), they don't exist. This is fine, and part of how the TPM token works normally. Perhaps the large 'ERROR' text was a bad choice for this harmless message. :-)

Kent

On 4/26/07, Andriy Stetsko <and...@gm...> wrote:
> Hi everybody,
> I try to initialize the tpm token using the command
> pkcsconf -I -c 0.
> It returns
> LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY"
> not found in the store!
> What is the reason for this problem? How do I solve it?
> Thanks in advance.

--
Kent Yoder
IBM LTC Security Dev.
|
From: Andriy S. <and...@gm...> - 2007-04-26 16:56:08
|
Hi everybody,

I try to initialize the tpm token using the command

    pkcsconf -I -c 0.

It returns

    LOG_ERR TPM_STDLL tpm_specific.c:207 ERROR: key with ID="PUBLIC ROOT KEY" not found in the store!

What is the reason for this problem? How do I solve it?
Thanks in advance.
|
From: Michael H. <mha...@us...> - 2007-04-17 16:31:24
|
On Tue, Apr 17, 2007 at 09:57:36AM -0500, Tom Lendacky wrote:
> "David MacKinnon" <bl...@gm...> wrote on 04/16/2007 07:25:59 PM:
>
> > On 4/5/07, David MacKinnon <bl...@gm...> wrote:
> > >
> > > Are there any plans to update opencryptoki to the v2.2 spec?
> >
> > I take it that's a no/not any time soon? :)
> >
>
> Sorry, the post got lost in my long list of emails...
>
> We are working on moving up to the v2.2 level of the spec. However,
> there is no time line in place as to when the work will be complete.

There is a CVS branch with an alpha version containing the v2.20 spec features. The name of the branch is ``v2_20''. If you want to try it out, do a CVS checkout of the v2_20 branch. Note that any bugfixes that went into the main branch over the last 4 or 5 months have not been merged into that branch as of yet.

    cvs -z3 -d:pserver:ano...@op...:/cvsroot/opencryptoki co -r v2_20 -P opencryptoki

Mike
|
From: David M. <bl...@gm...> - 2007-04-17 15:34:17
|
On 4/18/07, Tom Lendacky <to...@us...> wrote:
>
> Sorry, the post got lost in my long list of emails...
>
> We are working on moving up to the v2.2 level of the spec. However,
> there is no time line in place as to when the work will be complete.
>

Ahh, cool. The fact that it's planned is a Good Thing for us :) The ability to store x.509 keys/certs in the Thinkpad TPM module for ipsec auth is something we're quite keen to have. I'm currently seeing how hard it would be to patch strongswan "back" to the pkcs#11 2.1 spec, but that's going back quite a way (the initial smartcard support commit, in fact. The very next commit in their cvs repository is moving up to v2.2, and that's for the old 2.x series, not the current 4.x code).

-David

> Thanks,
> Tom
>
> > -David
>
|
From: Tom L. <to...@us...> - 2007-04-17 14:57:58
|
"David MacKinnon" <bl...@gm...> wrote on 04/16/2007 07:25:59 PM:

> On 4/5/07, David MacKinnon <bl...@gm...> wrote:
> >
> > Are there any plans to update opencryptoki to the v2.2 spec?
>
> I take it that's a no/not any time soon? :)
>

Sorry, the post got lost in my long list of emails...

We are working on moving up to the v2.2 level of the spec. However, there is no time line in place as to when the work will be complete.

Thanks,
Tom

> -David
|
From: David M. <bl...@gm...> - 2007-04-17 00:26:00
|
On 4/5/07, David MacKinnon <bl...@gm...> wrote:
> Are there any plans to update opencryptoki to the v2.2 spec?

I take it that's a no/not any time soon? :)

-David
|
From: David M. <bl...@gm...> - 2007-04-05 03:20:43
|
On 4/4/07, Tom Lendacky <to...@us...> wrote:
> Let me start by saying that I'm not very familiar with Strongswan...

I'm fairly clueless about PKCS11 (and way out of practice at even reading C code). I had a look over the header files. Strongswan distributes with the rsaref pkcs11 header files for compilation, and they seem to use the v2.2 ones. Trying to swap in the opencryptoki headers shows they actually use some of the 2.2 stuff as well :)

Are there any plans to update opencryptoki to the v2.2 spec?

-David
|
From: David M. <bl...@gm...> - 2007-04-05 02:08:14
|
On 4/4/07, Tom Lendacky <to...@us...> wrote:
> Is Strongswan running under your userid when attempting to access the
> cert/key through the PKCS#11 api? The TPM token store is a per-user
> token store. So if Strongswan is running as daemon under a specific
> user then you will need to store your cert/key as the Strongswan daemon
> user. You will then need to be sure that Strongswan provides the proper
> pin to the PKCS#11 api in order to access the cert/key objects.

Strongswan is running as root, the token was stored as root. The pin failure seems pretty instantaneous, which I find suspicious. The tpmtoken commands take a few seconds to verify the pin. I've got strongswan using PKCS11_API.so as its pkcs module. I suspect it's possibly a strongswan issue. People tend to use OpenSC for PKCS11 support, so that's what tends to get tested :-/ I'll try and trace through what's happening; it just gets a bit messy between all the processes and daemons floating around. I was hoping someone had come across this use before.

-David

> Tom
>
> > I've pinged the strongswan-users list as well, but was just curious if
> > anyone had tried this setup before and had some hints?
> >
> > Thanks,
> > -David
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys-and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > opencryptoki-users mailing list
> > ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opencryptoki-users
>
|
From: Tom L. <to...@us...> - 2007-04-04 13:50:25
|
bl...@gm... wrote on 04/03/2007 11:01:07 PM:

> Hey. I was just wondering if anyone had successfully managed to use
> opencryptoki with Strongswan? I'm trying to store my x.509 cert/key in
> the TPM module of my T43p and have Strongswan use it.
>
> Currently (according to all the tpmtoken tools) the key/cert are
> stored successfully, but when I try and get strongswan to use it it
> keeps claiming the pin is incorrect. strace on tcsd shows no activity
> with this failed pin attempt, so I'm a bit dubious.

Let me start by saying that I'm not very familiar with Strongswan...

Is Strongswan running under your userid when attempting to access the cert/key through the PKCS#11 api? The TPM token store is a per-user token store. So if Strongswan is running as a daemon under a specific user then you will need to store your cert/key as the Strongswan daemon user. You will then need to be sure that Strongswan provides the proper pin to the PKCS#11 api in order to access the cert/key objects.

Tom

> I've pinged the strongswan-users list as well, but was just curious if
> anyone had tried this setup before and had some hints?
>
> Thanks,
> -David
|