simple-tpm-pk11's People

Contributors

barde, beuc, f0, isomer, jaseg, jvoorhis, lewisxy, lmlsna, mkhokhlov, mscherer, puiterwijk, sanjaymsh, smaresca, thomashabets, valpackett, yuvadm


simple-tpm-pk11's Issues

Compilation fails due to missing -lcrypto

x200 ~/simple-tpm-pk11 master $ ./bootstrap.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `m4'.
libtoolize: copying file `m4/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:7: installing 'm4/compile'
configure.ac:7: installing 'm4/config.guess'
configure.ac:7: installing 'm4/config.sub'
configure.ac:5: installing 'm4/install-sh'
configure.ac:5: installing 'm4/missing'
Makefile.am: installing 'm4/depcomp'
parallel-tests: installing 'm4/test-driver'
./bootstrap.sh  7,74s user 0,22s system 82% cpu 9,588 total
x200 ~/simple-tpm-pk11 master $ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... no
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking tss/tspi.h usability... yes
checking tss/tspi.h presence... yes
checking for tss/tspi.h... yes
checking for Tspi_GetAttribUint32 in -ltspi... yes
checking opencryptoki/pkcs11.h usability... yes
checking opencryptoki/pkcs11.h presence... yes
checking for opencryptoki/pkcs11.h... yes
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /usr/bin/ld -m elf_x86_64
checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... no
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

  simple-tpm-pk11 version 0.01
  Prefix.........: /usr/local
  Debug Build....: 
  C Compiler.....: gcc -g -O2 
  C++ Compiler...: g++ -g -O2 -std=gnu++0x -Wall 
  Linker.........: /usr/bin/ld -m elf_x86_64  -ltspi 
x200 ~/simple-tpm-pk11 master $ make
make  all-recursive
make[1]: Entering directory `/home/michael/simple-tpm-pk11'
Making all in doc
make[2]: Entering directory `/home/michael/simple-tpm-pk11/doc'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/michael/simple-tpm-pk11/doc'
make[2]: Entering directory `/home/michael/simple-tpm-pk11'
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-pk11.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-pk11.Tpo -c -o src/libsimple_tpm_pk11_la-pk11.lo `test -f 'src/pk11.cc' || echo './'`src/pk11.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-pk11.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-pk11.Tpo -c src/pk11.cc  -fPIC -DPIC -o src/.libs/libsimple_tpm_pk11_la-pk11.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-pk11.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-pk11.Tpo -c src/pk11.cc -o src/libsimple_tpm_pk11_la-pk11.o >/dev/null 2>&1
mv -f src/.deps/libsimple_tpm_pk11_la-pk11.Tpo src/.deps/libsimple_tpm_pk11_la-pk11.Plo
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-session.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-session.Tpo -c -o src/libsimple_tpm_pk11_la-session.lo `test -f 'src/session.cc' || echo './'`src/session.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-session.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-session.Tpo -c src/session.cc  -fPIC -DPIC -o src/.libs/libsimple_tpm_pk11_la-session.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-session.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-session.Tpo -c src/session.cc -o src/libsimple_tpm_pk11_la-session.o >/dev/null 2>&1
mv -f src/.deps/libsimple_tpm_pk11_la-session.Tpo src/.deps/libsimple_tpm_pk11_la-session.Plo
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-tspiwrap.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-tspiwrap.Tpo -c -o src/libsimple_tpm_pk11_la-tspiwrap.lo `test -f 'src/tspiwrap.cc' || echo './'`src/tspiwrap.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-tspiwrap.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-tspiwrap.Tpo -c src/tspiwrap.cc  -fPIC -DPIC -o src/.libs/libsimple_tpm_pk11_la-tspiwrap.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-tspiwrap.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-tspiwrap.Tpo -c src/tspiwrap.cc -o src/libsimple_tpm_pk11_la-tspiwrap.o >/dev/null 2>&1
mv -f src/.deps/libsimple_tpm_pk11_la-tspiwrap.Tpo src/.deps/libsimple_tpm_pk11_la-tspiwrap.Plo
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-common.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-common.Tpo -c -o src/libsimple_tpm_pk11_la-common.lo `test -f 'src/common.cc' || echo './'`src/common.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-common.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-common.Tpo -c src/common.cc  -fPIC -DPIC -o src/.libs/libsimple_tpm_pk11_la-common.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -g -O2 -std=gnu++0x -Wall -MT src/libsimple_tpm_pk11_la-common.lo -MD -MP -MF src/.deps/libsimple_tpm_pk11_la-common.Tpo -c src/common.cc -o src/libsimple_tpm_pk11_la-common.o >/dev/null 2>&1
mv -f src/.deps/libsimple_tpm_pk11_la-common.Tpo src/.deps/libsimple_tpm_pk11_la-common.Plo
/bin/bash ./libtool  --tag=CXX   --mode=link g++  -g -O2 -std=gnu++0x -Wall -version-info 0:0:0  -o libsimple-tpm-pk11.la -rpath /usr/local/lib src/libsimple_tpm_pk11_la-pk11.lo src/libsimple_tpm_pk11_la-session.lo src/libsimple_tpm_pk11_la-tspiwrap.lo src/libsimple_tpm_pk11_la-common.lo  -ltspi 
libtool: link: g++  -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.8/crtbeginS.o  src/.libs/libsimple_tpm_pk11_la-pk11.o src/.libs/libsimple_tpm_pk11_la-session.o src/.libs/libsimple_tpm_pk11_la-tspiwrap.o src/.libs/libsimple_tpm_pk11_la-common.o   -ltspi -L/usr/lib/gcc/x86_64-linux-gnu/4.8 -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../.. -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.8/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crtn.o  -O2   -Wl,-soname -Wl,libsimple-tpm-pk11.so.0 -o .libs/libsimple-tpm-pk11.so.0.0.0
libtool: link: (cd ".libs" && rm -f "libsimple-tpm-pk11.so.0" && ln -s "libsimple-tpm-pk11.so.0.0.0" "libsimple-tpm-pk11.so.0")
libtool: link: (cd ".libs" && rm -f "libsimple-tpm-pk11.so" && ln -s "libsimple-tpm-pk11.so.0.0.0" "libsimple-tpm-pk11.so")
libtool: link: ar cru .libs/libsimple-tpm-pk11.a  src/libsimple_tpm_pk11_la-pk11.o src/libsimple_tpm_pk11_la-session.o src/libsimple_tpm_pk11_la-tspiwrap.o src/libsimple_tpm_pk11_la-common.o
libtool: link: ranlib .libs/libsimple-tpm-pk11.a
libtool: link: ( cd ".libs" && rm -f "libsimple-tpm-pk11.la" && ln -s "../libsimple-tpm-pk11.la" "libsimple-tpm-pk11.la" )
depbase=`echo src/keygen.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
    g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/keygen.o -MD -MP -MF $depbase.Tpo -c -o src/keygen.o src/keygen.cc &&\
    mv -f $depbase.Tpo $depbase.Po
depbase=`echo src/common.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
    g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/common.o -MD -MP -MF $depbase.Tpo -c -o src/common.o src/common.cc &&\
    mv -f $depbase.Tpo $depbase.Po
depbase=`echo src/tspiwrap.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
    g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/tspiwrap.o -MD -MP -MF $depbase.Tpo -c -o src/tspiwrap.o src/tspiwrap.cc &&\
    mv -f $depbase.Tpo $depbase.Po
depbase=`echo src/wrap_main.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
    g++ -DHAVE_CONFIG_H -I.     -g -O2 -std=gnu++0x -Wall -MT src/wrap_main.o -MD -MP -MF $depbase.Tpo -c -o src/wrap_main.o src/wrap_main.cc &&\
    mv -f $depbase.Tpo $depbase.Po
/bin/bash ./libtool  --tag=CXX   --mode=link g++  -g -O2 -std=gnu++0x -Wall   -o stpm-keygen src/keygen.o src/common.o src/tspiwrap.o src/wrap_main.o  -ltspi 
libtool: link: g++ -g -O2 -std=gnu++0x -Wall -o stpm-keygen src/keygen.o src/common.o src/tspiwrap.o src/wrap_main.o  -ltspi
/usr/bin/ld.bfd.real: src/common.o: undefined reference to symbol 'BN_new@@OPENSSL_1.0.0'
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [stpm-keygen] Error 1
make[2]: Leaving directory `/home/michael/simple-tpm-pk11'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/michael/simple-tpm-pk11'
make: *** [all] Error 2
make  19,68s user 1,02s system 98% cpu 20,999 total

When adding -lcrypto to the command line manually, it works.

Bad tag

Hi,

Can you tag version like

0.01, 0.02

instead of

simple-tpm-pk11-0.01 simple-tpm-pk11-0.02?

Because the tarball I get is simple-tpm-pk11-simple-tpm-pk11-0.02.tar.gz, it's very weird.

Thanks.

stpm-exfiltrate does not return a key or an error

I've generated a key in software and am now trying to exfiltrate it, but after entering the owner password, the utility returns only mod=,exp=,key=
Using the key for ssh logins and ssh key signing works fine. I have the dependencies installed, stpm-keygen did not return any errors or warnings during generation, there's no PIN on the ssh key, and the SRK password is the well known secret. I've run tpm_restrictsrk -a, and I've tried clearing the TPM and starting fresh, as well as all combinations of the 2 TPM settings I saw in the BIOS ('PPI provision override' and 'PPI deprovision override').
The OS is Ubuntu 16.04, the issue affects both the version of stpm-exfiltrate from Ubuntu's package repos and the one I got by compiling from git source. The device is a Dell Latitude E5440.
tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.41.1
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: ATML
TPM Version: 01010000
Manufacturer Info: 41544d4c

x2go client hangs

This may be an X2Go bug, but reporting it here first if this is a known issue. x2go client has a checkbox for "try ssh-agent or default ssh key". If that is checked, it first prompts for a passphrase to decrypt the key. Upon entering the passphrase, it hangs.

Missing information about configure file

Hi,

I would like to use your SW, but I'm not sure how to build your app - you don't have any default configure file and I simply don't know what it should look like. I tried to run the bootstrap.sh script, which created the configure file, but then it started to complain about missing files in the m4 directory: configure: error: cannot find install-sh, install.sh, or shtool in m4 "."/m4

I tried to run following commands:

aclocal # Set up an m4 environment
autoconf # Generate configure from configure.ac
automake --add-missing # Generate Makefile.in from Makefile.am
./configure # Generate Makefile from Makefile.in

but running configure stopped working on:

checking whether to enable maintainer-specific portions of Makefiles... no
./configure: line 2887: syntax error near unexpected token `dlopen'
./configure: line 2887: `LT_INIT(dlopen)'

Could you please add some additional information about creating the configure file?

Thank you,
Marek

Support generating larger keys?

According to man Tspi_Context_CreateObject, you should be able to generate keys larger than 2048, even up to 16384 bits! Personally, I'm just more comfortable with a minimum 4096 (justified or not) size.

Were there any issues you've discovered that required limiting the key size?

Seg fault on pkcs11-tool --init-token

The following command produces a seg fault:

pkcs11-tool --module /usr/local/lib/libsimple-tpm-pk11.so --init-token --label "Simple-TPM-PK11 token" -v
Using slot 0 with a present token (0x1234)
Please enter the new SO PIN: 
Please enter the new SO PIN (again): 
[1]    14919 segmentation fault  pkcs11-tool --module /usr/local/lib/libsimple-tpm-pk11.so --init-token --labe

I'll try to get some more debug and prod around a bit more.

Allow multiple keys

Each "key" line in the config file should add the key, and the pkcs11 module should then present them all.

verify signature

I'm using the stpm-sign command to sign files, but how can I verify that the signature is authentic?
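Verifying a signature needs only the public half of the key: the modulus and exponent, which is the same pair stpm-verify loads through RSA_set0_key before public-decrypting the signature (see the openssl 1.1 issue below). The following is an added illustration, not code from the simple-tpm-pk11 project. Everything in it is an assumption made for the demo: keygen() is a pure-Python stand-in for the TPM key (in real use the private exponent never leaves the chip), parse_hex_key() assumes the modulus and exponent are handed over as hex strings in the spirit of the mod=/exp= dump, and the signature scheme is assumed to be SHA-256 with PKCS#1 v1.5 encoding; stpm-sign's actual digest and encoding must be confirmed from its documentation before using this against real output.

```python
"""Verify an RSA PKCS#1 v1.5 signature given only (modulus, exponent).

Added illustration, not stpm-sign/stpm-verify code.  Assumptions: the key
pair comes from a pure-Python demo generator standing in for the TPM key,
keys are passed as hex strings, and the signature is SHA-256 + PKCS#1 v1.5.
"""
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; only needed to build the demo key pair."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random probable prime with the top bit set (demo key material only)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=1024, e=65537):
    """Demo key pair (n, e, d); a real deployment keeps d inside the TPM."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def parse_hex_key(mod_hex, exp_hex):
    """Parse a hex modulus/exponent pair (assumed dump format) into (n, e)."""
    return int(mod_hex, 16), int(exp_hex, 16)


def emsa_pkcs1_v15(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) into exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(data, n, d):
    """Textbook RSA over the padded digest (demo only; the TPM does this)."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(data, signature, n, e):
    """Public-decrypt the signature and compare against the expected encoding.

    Recomputing the whole encoded block and comparing it byte-for-byte avoids
    the lenient padding parsers that made low-exponent signature forgery possible.
    """
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(data, k))


if __name__ == "__main__":
    n, e, d = keygen()
    data = b"constructed sample file contents\n"  # constructed input
    sig = sign(data, n, d)
    print("genuine:", verify(data, sig, n, e))  # True
    print("tampered:", verify(data + b"x", sig, n, e))  # False
```

The point of verify() is that it never parses the padding: it rebuilds the complete expected block from the data and compares the two blocks with a constant-time comparison, so a signature is accepted only when every byte, including the length and the 0x00/0x01/0xff structure, is exactly right. That is the property a verifier of stpm-sign output needs regardless of where the private key lives.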

Windows support

Hey there!

I wonder if it would be possible to compile and use this code on a Windows 7 machine or if you are limited to using Unix due to some dependencies.

If possible, what would be the different requirements?

Fedora 20 required packages

Looks like I needed:

  • tpm-tools
  • opencryptoki-devel
  • trousers-devel
  • openssl-devel

I installed the first two from looking at the debian requirements. The last two were determined from ./configure requirements.

Debian package dependencies

Hi, this is a suggestion, not an issue.
Can the following packages (apt-get install tpm-tools libtspi-dev libopencryptoki-dev libssl-dev) be added as requirements to the debian package? Or at least recommendations. Installing simple-tpm-pk11 is very simple from the instructions on here (github) but not obvious when installed using apt-get.
Regards
Peter

“make check” fails to build due to missing -lpthread

midna /tmp/simple-tpm-pk11-0.0~git20140216 $ make check
Making check in doc
make[1]: Entering directory `/tmp/simple-tpm-pk11-0.0~git20140216/doc'
make[1]: Nothing to be done for `check'.
make[1]: Leaving directory `/tmp/simple-tpm-pk11-0.0~git20140216/doc'
make[1]: Entering directory `/tmp/simple-tpm-pk11-0.0~git20140216'
make  stpm-keygen_test stpm-sign_test common_test pk11_test
make[2]: Entering directory `/tmp/simple-tpm-pk11-0.0~git20140216'
g++ -DHAVE_CONFIG_H -I.    -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -MT src/stpm_keygen_test-keygen.o -MD -MP -MF src/.deps/stpm_keygen_test-keygen.Tpo -c -o src/stpm_keygen_test-keygen.o `test -f 'src/keygen.cc' || echo './'`src/keygen.cc
mv -f src/.deps/stpm_keygen_test-keygen.Tpo src/.deps/stpm_keygen_test-keygen.Po
g++ -DHAVE_CONFIG_H -I.    -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -MT src/stpm_keygen_test-keygen_test.o -MD -MP -MF src/.deps/stpm_keygen_test-keygen_test.Tpo -c -o src/stpm_keygen_test-keygen_test.o `test -f 'src/keygen_test.cc' || echo './'`src/keygen_test.cc
mv -f src/.deps/stpm_keygen_test-keygen_test.Tpo src/.deps/stpm_keygen_test-keygen_test.Po
g++ -DHAVE_CONFIG_H -I.    -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -MT src/stpm_keygen_test-common.o -MD -MP -MF src/.deps/stpm_keygen_test-common.Tpo -c -o src/stpm_keygen_test-common.o `test -f 'src/common.cc' || echo './'`src/common.cc
mv -f src/.deps/stpm_keygen_test-common.Tpo src/.deps/stpm_keygen_test-common.Po
g++ -DHAVE_CONFIG_H -I.    -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -MT src/stpm_keygen_test-tspiwrap.o -MD -MP -MF src/.deps/stpm_keygen_test-tspiwrap.Tpo -c -o src/stpm_keygen_test-tspiwrap.o `test -f 'src/tspiwrap.cc' || echo './'`src/tspiwrap.cc
mv -f src/.deps/stpm_keygen_test-tspiwrap.Tpo src/.deps/stpm_keygen_test-tspiwrap.Po
g++ -DHAVE_CONFIG_H -I.    -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -MT src/stpm_keygen_test-fake_tspi.o -MD -MP -MF src/.deps/stpm_keygen_test-fake_tspi.Tpo -c -o src/stpm_keygen_test-fake_tspi.o `test -f 'src/fake_tspi.cc' || echo './'`src/fake_tspi.cc
mv -f src/.deps/stpm_keygen_test-fake_tspi.Tpo src/.deps/stpm_keygen_test-fake_tspi.Po
g++ -DHAVE_CONFIG_H -I.    -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -MT src/stpm_keygen_test-libgtest.o -MD -MP -MF src/.deps/stpm_keygen_test-libgtest.Tpo -c -o src/stpm_keygen_test-libgtest.o `test -f 'src/libgtest.cc' || echo './'`src/libgtest.cc
mv -f src/.deps/stpm_keygen_test-libgtest.Tpo src/.deps/stpm_keygen_test-libgtest.Po
/bin/bash ./libtool --tag=CXX   --mode=link g++ -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall   -o stpm-keygen_test src/stpm_keygen_test-keygen.o src/stpm_keygen_test-keygen_test.o src/stpm_keygen_test-common.o src/stpm_keygen_test-tspiwrap.o src/stpm_keygen_test-fake_tspi.o src/stpm_keygen_test-libgtest.o  -lcrypto -ltspi 
libtool: link: g++ -I/usr/src/gtest -g -O2 -std=gnu++0x -Wall -o stpm-keygen_test src/stpm_keygen_test-keygen.o src/stpm_keygen_test-keygen_test.o src/stpm_keygen_test-common.o src/stpm_keygen_test-tspiwrap.o src/stpm_keygen_test-fake_tspi.o src/stpm_keygen_test-libgtest.o  -lcrypto -ltspi
/usr/bin/ld.bfd.real: src/stpm_keygen_test-libgtest.o: undefined reference to symbol 'pthread_key_delete@@GLIBC_2.2.5'
/lib/x86_64-linux-gnu/libpthread.so.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [stpm-keygen_test] Error 1
make[2]: Leaving directory `/tmp/simple-tpm-pk11-0.0~git20140216'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/tmp/simple-tpm-pk11-0.0~git20140216'
make: *** [check-recursive] Error 1
make check  8,64s user 0,28s system 98% cpu 9,012 total

Problems with openssh >= 7.0

After upgrading openssh to 7.0 this module no longer works

$ ssh-keygen -D libsimple-tpm-pk11.so -vvvv
debug1: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
debug2: pkcs11_add_provider: ignoring uninitialised token in slot 0
no keys
cannot read public key from pkcs11

failure to read public key

Hey,

I have been trying to get this to work on gentoo. Unfortunately the command

ssh-keygen -D libsimple-tpm-pk11.so
returns
no keys
cannot read public key from pkcs11

I am on a lenovo thinkpad x220i. I already reset the tpm and took ownership again, but still the same issue. stpm-sign produces output that seems OK.

The logfile only contains
Mon Apr 6 21:50:42 2015 DEBUG C_GetFunctionList()
Mon Apr 6 21:50:42 2015 DEBUG C_Initialize()
Mon Apr 6 21:50:42 2015 DEBUG C_GetInfo()
Mon Apr 6 21:50:42 2015 DEBUG C_GetSlotList()
Mon Apr 6 21:50:42 2015 DEBUG C_GetSlotList()
Mon Apr 6 21:50:42 2015 DEBUG C_GetTokenInfo()
Mon Apr 6 21:50:46 2015 DEBUG C_OpenSession()
Mon Apr 6 21:50:46 2015 DEBUG C_FindObjectsInit()
Mon Apr 6 21:50:46 2015 DEBUG C_FindObjects()
Mon Apr 6 21:50:46 2015 DEBUG C_GetAttributeValue()
Mon Apr 6 21:50:46 2015 DEBUG C_FindObjects()
Mon Apr 6 21:50:46 2015 DEBUG C_FindObjectsFinal()
Mon Apr 6 21:50:46 2015 DEBUG C_Finalize()

which does not really help me. I tried the 0.03 release and the Head-version. No difference.
How can I debug this? Is there a way to figure out if the key generation in hardware worked as expected? Could it be a problem with newer versions of openssh (6.8 and 6.9)?

Have pkcs11 module prompt for SRK PIN

Requested in #25.

There doesn't seem to be a native way to ask for two passwords (key PIN and SRK PIN) with SSH, so this probably necessitates a config option like "srk_pin_ask" and shelling out to ssh-askpass.

stpm-verify fails when built against openssl 1.1

When run using openssl 1.1, stpm-verify always reports:
"stpm-verify: Exception: RSA_set0_key failed"

In function public_decrypt() [common.cc line 761] the code reads:

  if (RSA_set0_key(rsa.get(), string2bn(key.modulus), string2bn(key.exponent),
                   NULL)) {
    throw std::runtime_error("RSA_set0_key failed");
  }

However, the man page for RSA_set0_key states:
"RSA_set0_key(), RSA_set0_factors and RSA_set0_crt_params() return 1 on success or 0 on failure."
If RSA_set0_key returns 1 (success), the exception is thrown. This works with the in-line version for openssl 1.0 [lines 55 to 61] because that returns 0.

I think the following will fix this:

--- common.cc	2017-10-24 20:06:31.000000000 +0100
+++ common.cc.new	2018-08-02 12:25:03.433722093 +0100
@@ -57,7 +57,7 @@
   rsa->n = n;
   rsa->e = e;
   rsa->d = d;
-  return 0;
+  return 1;
 }
 #endif
 #ifndef HAVE_RSA_GET0_KEY
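Review bot: Returning 1 brings the compatibility shim in line with the OpenSSL 1.1 return convention, but the shim still diverges from the real RSA_set0_key in two ways visible in this hunk: it assigns rsa->n, rsa->e and rsa->d unconditionally, whereas the real function returns 0 when n or e is NULL and not already set, and it overwrites the previous values without freeing them. Add `if (n == NULL || e == NULL) return 0;` at the top so the caller's `!RSA_set0_key(...)` check also catches a failed conversion on OpenSSL 1.0 builds (assuming string2bn() reports failure with NULL, which this patch does not show), and BN_free the old members before assignment to match OpenSSL's ownership semantics.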
@@ -758,7 +758,7 @@
 {
   // Load key.
   RSAWrap rsa;
-  if (RSA_set0_key(rsa.get(), string2bn(key.modulus), string2bn(key.exponent),
+  if (!RSA_set0_key(rsa.get(), string2bn(key.modulus), string2bn(key.exponent),
                    NULL)) {
     throw std::runtime_error("RSA_set0_key failed");
   }
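Review bot: The inverted condition is the right fix, but the failure path now leaks: the two BIGNUMs returned by string2bn() are created inline in the call, and RSA_set0_key does not take ownership when it returns 0, so nothing frees them before the exception propagates. Hold them in locals and release them on failure, e.g. `BIGNUM *n = string2bn(key.modulus); BIGNUM *e = string2bn(key.exponent);` followed by `if (!RSA_set0_key(rsa.get(), n, e, NULL)) { BN_free(n); BN_free(e); throw std::runtime_error("RSA_set0_key failed"); }`.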

Segmentation Fault

I am trying to explore the PKCS#11 capability of this library using python-pkcs11. I already setup the system following the README, and I am able to retrieve the public key using ssh-keygen.
However, there is a segmentation fault when I try the following commands.

import pkcs11
lib = pkcs11.lib("/usr/lib/libsimple-tpm-pk11.so")
lib.get_slots()

From the log (after enabling the debug flag in the configuration), the last line shows the following

<Time> DEBUG C_GetSlotList

d2i_X509 failed

Recently I started to encounter an error message "d2i_X509 failed" whenever I try to connect over ssh. The authentication and connection still succeed, but it is very annoying. If I comment out the use of simple-tpm-pk11 in my config, the error disappears.

Log of ssh -v (possibly sensitive information blotted out, hopefully):

OpenSSH_6.5, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mero/.ssh/config
debug1: /home/mero/.ssh/config line 1: Applying options for *
debug1: /home/mero/.ssh/config line 108: Applying options for nnev
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to XXXX.XXXX.de [XX.XXX.XX.XXX] port 22.
debug1: Connection established.
debug1: manufacturerID cryptokiVersion 0.1 libraryDescription libraryVersion 0.1
debug1: label manufacturerID model serial flags 0x0
debug1: have 1 keys
d2i_X509 failed
debug1: identity file /home/mero/.ssh/id_rsa type 1
debug1: identity file /home/mero/.ssh/id_rsa-cert type -1
debug1: identity file /home/mero/.ssh/id_dsa type 2
debug1: identity file /home/mero/.ssh/id_dsa-cert type -1
debug1: identity file /home/mero/.ssh/id_ecdsa type 3
debug1: identity file /home/mero/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mero/.ssh/id_ed25519 type -1
debug1: identity file /home/mero/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.5p1 Debian-6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.5p1 Debian-6
debug1: match: OpenSSH_6.5p1 Debian-6 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
debug1: Host 'XXXX.XXXX.de' is known and matches the RSA host key.
debug1: Found key in /home/mero/.ssh/known_hosts:71
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: libsimple-tpm-pk11.so
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: pkcs11_provider_unref: 0x7f71bd2b8600 refcount 2
debug1: Authentication succeeded (publickey).
Authenticated to XXXX.XXXX.XX ([XX.XXX.XX.XXX]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.

does not compile on Ubuntu 16.04.2 LTS (Xenial Xerus) - wrong ar options

Hi,

simple-tpm-pk11 does not compile due to ar option problems

source='src/session.cc' object='src/libsimple_tpm_pk11_la-session.lo' libtool=yes \
DEPDIR=.deps depmode=none /bin/bash ./m4/depcomp \
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -std=gnu++0x -Wall  -c -o src/libsimple_tpm_pk11_la-session.lo `test -f 'src/session.cc' || echo './'`src/session.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -std=gnu++0x -Wall -c src/session.cc  -o src/.libs/libsimple_tpm_pk11_la-session.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -std=gnu++0x -Wall -c src/session.cc >/dev/null 2>&1
source='src/tspiwrap.cc' object='src/libsimple_tpm_pk11_la-tspiwrap.lo' libtool=yes \
DEPDIR=.deps depmode=none /bin/bash ./m4/depcomp \
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -std=gnu++0x -Wall  -c -o src/libsimple_tpm_pk11_la-tspiwrap.lo `test -f 'src/tspiwrap.cc' || echo './'`src/tspiwrap.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -std=gnu++0x -Wall -c src/tspiwrap.cc  -o src/.libs/libsimple_tpm_pk11_la-tspiwrap.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -std=gnu++0x -Wall -c src/tspiwrap.cc >/dev/null 2>&1
source='src/common.cc' object='src/libsimple_tpm_pk11_la-common.lo' libtool=yes \
DEPDIR=.deps depmode=none /bin/bash ./m4/depcomp \
/bin/bash ./libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I.     -std=gnu++0x -Wall  -c -o src/libsimple_tpm_pk11_la-common.lo `test -f 'src/common.cc' || echo './'`src/common.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -std=gnu++0x -Wall -c src/common.cc  -o src/.libs/libsimple_tpm_pk11_la-common.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -std=gnu++0x -Wall -c src/common.cc >/dev/null 2>&1
/bin/bash ./libtool  --tag=CXX   --mode=link g++  -std=gnu++0x -Wall  -version-info 0:0:0  -o libsimple-tpm-pk11.la -rpath /usr/local/lib src/libsimple_tpm_pk11_la-pk11.lo src/libsimple_tpm_pk11_la-session.lo src/libsimple_tpm_pk11_la-tspiwrap.lo src/libsimple_tpm_pk11_la-common.lo  -lcrypto -ltspi 
libtool: link: (cd ".libs" && rm -f "libsimple-tpm-pk11.so.0" && ln -s "libsimple-tpm-pk11.so.0.0.0" "libsimple-tpm-pk11.so.0")
libtool: link: (cd ".libs" && rm -f "libsimple-tpm-pk11.so" && ln -s "libsimple-tpm-pk11.so.0.0.0" "libsimple-tpm-pk11.so")
libtool: link: ar cru .libs/libsimple-tpm-pk11.a  src/libsimple_tpm_pk11_la-pk11.o src/libsimple_tpm_pk11_la-session.o src/libsimple_tpm_pk11_la-tspiwrap.o src/libsimple_tpm_pk11_la-common.o
ar: `u' modifier ignored since `D' is the default (see `U')
ar: src/libsimple_tpm_pk11_la-pk11.o: No such file or directory
Makefile:873: recipe for target 'libsimple-tpm-pk11.la' failed
make[2]: *** [libsimple-tpm-pk11.la] Error 1
make[2]: Leaving directory '/home/fkoch/src/simple-tpm-pk11'
Makefile:1581: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/fkoch/src/simple-tpm-pk11'
Makefile:770: recipe for target 'all' failed
make: *** [all] Error 2

To fix this, configure needs this patch:

--- configure.orig	2017-05-17 11:34:05.718523172 +0200
+++ configure	2017-05-17 11:34:44.061930169 +0200
@@ -5759,7 +5759,7 @@
 fi
 
 : ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
 
 
 
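Review bot: this hunk edits the generated `configure` script, so the change is lost the next time `./bootstrap.sh` regenerates it; because the line is `: ${AR_FLAGS=cru}`, the same effect can be had without patching by exporting `AR_FLAGS=cr` before running `./configure`, or by making the change in the libtool macro that `configure` is generated from. Also note that the `u' modifier ignored` line in the build log is only a warning; the hard failure is `ar: src/libsimple_tpm_pk11_la-pk11.o: No such file or directory`, so it is worth confirming that `src/pk11.cc` is actually compiled before the link step once this change is in.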
@@ -7483,8 +7483,8 @@
 _LT_EOF
       echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
       $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
-      echo "$AR cru libconftest.a conftest.o" >&5
-      $AR cru libconftest.a conftest.o 2>&5
+      echo "$AR cr libconftest.a conftest.o" >&5
+      $AR cr libconftest.a conftest.o 2>&5
       echo "$RANLIB libconftest.a" >&5
       $RANLIB libconftest.a 2>&5
       cat > conftest.c << _LT_EOF
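Review bot: this hunk only changes the libtool probe that builds a throwaway `libconftest.a` (its output goes to the config log on descriptor 5), so it silences the `u' modifier ignored` warning during configure but does not by itself fix the library link; the `AR_FLAGS` default in the first hunk is what the real `ar cru .libs/libsimple-tpm-pk11.a` invocation picks up. Keep the two hunks together so the probe and the actual build use the same flags.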
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

No slot with token was found when using pkcs11-tool

Note: My ultimate goal here is to create a RSA key pair, load a certificate onto the "token" and have it be used with OpenVPN.

Simple-tpm key generation and signing is working, however I can't seem to integrate it with other pkcs11 tools, namely the aptly named pkcs11-tool. The following command shows an empty token:

pkcs11-tool --module /usr/local/lib/libsimple-tpm-pk11.so -T
Available slots:
Slot 0 (0x1234): Simple-TPM-PK11 slot
  (empty)

However, trying to init the token fails:

strace pkcs11-tool --module /usr/local/lib/libsimple-tpm-pk11.so --init-token
[snip]
open("/home/debian/.simple-tpm-pk11/config", O_RDONLY|O_LARGEFILE) = 3
read(3, "key my.key\n", 8191)           = 11
read(3, "", 8191)                       = 0
open("", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory)
close(3)                                = 0
open("/home/debian/.simple-tpm-pk11/config", O_RDONLY|O_LARGEFILE) = 3
read(3, "key my.key\n", 8191)           = 11
read(3, "", 8191)                       = 0
open("", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "No slot with a token was found.\n", 32No slot with a token was found.
) = 32
open("/home/debian/.simple-tpm-pk11/config", O_RDONLY|O_LARGEFILE) = 3
read(3, "key my.key\n", 8191)           = 11
read(3, "", 8191)                       = 0
open("", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory)
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

It looks like simple-tpm finds the config file, but then can't load the key?

TPM2.0 support ?

Hi, I was wondering if simple-tpm-pk11 currently supports TPM 2.0.
I just started to play around with my TPM and really like simple-tpm-pk11. I love that my private SSH RSA 2048 key is stored within the TPM, but it would be really cool to be able to implement some ECC keys.

problems using openssh 8?

This is Fedora 30 using OpenSSH 7.9 and OpenSSH 8. With 8 it does not work anymore for me.

works:
debug1: pkcs11_add_provider_by_uri: called, provider_uri = pkcs11:?module-path=/home/user/lib/libsimple-tpm-pk11.so
debug1: provider /home/user/lib/libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
debug1: provider pkcs11:?module-path=/home/user/lib/libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
debug1: have 1 keys
debug1: Local version string SSH-2.0-OpenSSH_7.9

does not work:
debug1: identity file 'pkcs11:?module-path=/home/user/lib/libsimple-tpm-pk11.so' from pkcs#11
debug1: pkcs11_add_provider_by_uri: called, provider_uri = pkcs11:?module-path=/home/user/lib/libsimple-tpm-pk11.so
debug1: provider /home/user/lib/libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
debug1: provider pkcs11:?module-path=/home/user/lib/libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
invalid attribute length
failed to fetch key
invalid attribute length
failed to fetch key
debug1: pkcs11_provider_finalize: 0x12345 refcount 1 valid 1
debug1: pkcs11_module_unref: 0x12345 refcount 1
debug1: pkcs11_module_finalize: 0x12345 refcount 0 valid 1
debug1: pkcs11_provider_unref: 0x12345 refcount 1
debug1: pkcs11_add_provider_by_uri: provider pkcs11:?module-path=/home/user/lib/libsimple-tpm-pk11.so returned no keys
debug1: Local version string SSH-2.0-OpenSSH_8.0

Extracting public key fails

Creating and signing work fine, but when I try to extract the public key in SSH format I get:

~/.simple-tpm-pk11$ ssh-keygen -D libsimple-tpm-pk11.so
C_GetTokenInfo failed: 6
no keys
cannot read public key from pkcs11

Can it be related to the fact that I have SRK password set? The log is empty and my config is:

~/.simple-tpm-pk11$ ls
config key.log ssh.key
~/.simple-tpm-pk11$ cat config
key ssh.key
log key.log

Error running bootstrap.sh

I am trying to use your app but I am getting this error when running the bootstrap.sh:

./bootstrap.sh
configure.ac:41: error: possibly undefined macro: AC_ENABLE_SHARED
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:42: error: possibly undefined macro: AC_DISABLE_STATIC
configure.ac:43: error: possibly undefined macro: AC_PROG_LIBTOOL
autoreconf: /usr/bin/autoconf failed with exit status: 1

I am on CentOS 6.6.
