tpm and software token cannot be used together

Bug #942381 reported by Steve Atwell
Affects: opencryptoki (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I cannot write objects to a TPM-backed opencryptoki token. Although writes appear to succeed and the count of objects seems to have been updated, you can't read attributes from any objects or use them for crypto operations.

This happens on Precise with version 2.3.1+dfsg-3 of opencryptoki.

Steps to reproduce (as root):
1. Enable and clear the TPM in BIOS.
2. Install trousers, opencryptoki, and opensc.
3. Take ownership of the TPM with tpm_takeownership.
4. Initialize the PKCS#11 token and set SO and user PINs:
        - pkcsconf -I -c 0 -S 87654321
        - pkcsconf -P -c 0 -S 87654321 -n 111111
        - pkcsconf -u -c 0 -S 111111 -n 000000
5. Write any X.509 certificate in DER format to the token:
        - pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 --write-object cert.der --type cert --id 1
6. Attempt to list objects in the token:
        - pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 -O

Expected results:
pkcs11-tool should list one certificate object and exit with no warnings.

Actual results:
pkcs11-tool reports lots of warnings and doesn't seem to know anything about the certificate:

--------
# pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 -O
Using slot 0 with a present token (0x0)
warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)

Data object 1
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)

  label: <empty>
warning: PKCS11 function C_GetAttributeValue(APPLICATION) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)

  application: <empty>
warning: PKCS11 function C_GetAttributeValue(OBJECT_ID) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)

  app_id: <empty>
warning: PKCS11 function C_GetAttributeValue(MODIFIABLE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)

warning: PKCS11 function C_GetAttributeValue(PRIVATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)

  flags:
--------

Additionally, no object file seems to have been written to disk. Opencryptoki should have written a numbered object file to /var/lib/opencryptoki/tpm/root/TOK_OBJ, but this directory is empty.

David Smith (dds)
summary: Cannot write objects to TPM token → tpm and software token cannot be used together

David Smith (dds) wrote :

Out of the box, opencryptoki configures both the TPM token and software token. But that combination exposes a bug in opencryptoki.

To start seeing this problem, compare the output of listing tokens with the opencryptoki "pkcsconf" command:

1) When only the software token is configured in /var/lib/opencryptoki/pk_config_data:

Token #0 Info:
 Label: IBM OS PKCS#11
 Manufacturer: IBM Corp.
 Model: IBM SoftTok
 Serial Number: 123
 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
 Sessions: -1/-1
 R/W Sessions: -1/-1
 PIN Length: 4-8
 Public Memory: 0xFFFFFFFF/0xFFFFFFFF
 Private Memory: 0xFFFFFFFF/0xFFFFFFFF
 Hardware Version: 1.0
 Firmware Version: 1.0
 Time: 01:53:10 PM

2) When only using the TPM token:

Token #0 Info:
 Label: IBM PKCS#11 TPM Token
 Manufacturer: IBM Corp.
 Model: TPM v1.1 Token
 Serial Number: 123
 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED|)
 Sessions: -1/-1
 R/W Sessions: -1/-1
 PIN Length: 6-127
 Public Memory: 0xFFFFFFFF/0xFFFFFFFF
 Private Memory: 0xFFFFFFFF/0xFFFFFFFF
 Hardware Version: 1.0
 Firmware Version: 1.0
 Time: 01:56:09 PM

3) When both are configured, you see two of whichever is listed first:

Token #0 Info:
 Label: IBM PKCS#11 TPM Token
 Manufacturer: IBM Corp.
 Model: TPM v1.1 Token
 Serial Number: 123
 Flags: 0x80445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|)
 Sessions: -1/-1
 R/W Sessions: -1/-1
 PIN Length: 4-8
 Public Memory: 0xFFFFFFFF/0xFFFFFFFF
 Private Memory: 0xFFFFFFFF/0xFFFFFFFF
 Hardware Version: 1.0
 Firmware Version: 1.0
 Time: 01:55:49 PM
Token #1 Info:
 Label: IBM PKCS#11 TPM Token
 Manufacturer: IBM Corp.
 Model: TPM v1.1 Token
 Serial Number: 123
 Flags: 0x80445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|)
 Sessions: -1/-1
 R/W Sessions: -1/-1
 PIN Length: 4-8
 Public Memory: 0xFFFFFFFF/0xFFFFFFFF
 Private Memory: 0xFFFFFFFF/0xFFFFFFFF
 Hardware Version: 1.0
 Firmware Version: 1.0
 Time: 01:55:49 PM

The out-of-the-box config is to have both the TPM and software tokens configured, which is broken.

Using only the software token, I am able to follow the instructions in the original bug report to write a certificate and private key to the token. Just for completeness, these are the commands I used to create the cert and key:

openssl req -outform der -out cert.der -new -x509 -newkey rsa:2048 -keyout key.tmp -subj '/O=dds/CN=dds' -days 3650
openssl rsa -inform pem -outform der -in key.tmp -out key.der

I also used the "--attr-from cert.der" argument to pkcs11-tool when writing the certificate and private key to the token.

Actions to take:

1) Test opencryptoki 2.4.1 to confirm this bug still exists in the more recent versions. If the bug is still present, identify root cause (for now, I'm suspecting some poor memory management in the common opencryptoki code).
2) Change the opencryptoki init script to not run pkcs11_star...

Changed in opencryptoki (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in opencryptoki (Ubuntu):
status: New → Confirmed
tags: added: css-sponsored-p rls-mgr-p-tracking
David Smith (dds) wrote :

Just a data point, I built packages of opencryptoki 2.4.1 and confirmed the bug is still present there.

David Smith (dds) wrote :

FYI, I am taking over maintenance of opencryptoki in Debian (http://bugs.debian.org/543925). Thomas Bushnell, BSG will sponsor an upload that contains a fix for this bug. The problem here is that when opencryptoki dlopen()'s its backend libraries, it currently specifies RTLD_GLOBAL, where it should be specifying RTLD_LOCAL, so that the global variables don't conflict between the software backend and TPM backend. I will ping this bug again when the fixed package is uploaded to sid.

Changed in opencryptoki (Ubuntu):
assignee: Stéphane Graber (stgraber) → nobody