[Bug 942381] Re: tpm and software token cannot be used together
Stéphane Graber
stgraber at stgraber.org
Mon Nov 9 19:43:10 UTC 2015
** Changed in: opencryptoki (Ubuntu)
Assignee: Stéphane Graber (stgraber) => (unassigned)
https://bugs.launchpad.net/bugs/942381
Title:
tpm and software token cannot be used together
Status in opencryptoki package in Ubuntu:
Confirmed
Bug description:
I cannot write objects to a TPM-backed opencryptoki token. Although
writes appear to succeed and the count of objects seems to have been
updated, you can't read attributes from any objects or use them for
crypto operations.
This happens on Precise with version 2.3.1+dfsg-3 of opencryptoki.
Steps to reproduce (as root):
1. Enable and clear the TPM in BIOS.
2. Install trousers, opencryptoki, and opensc.
3. Take ownership of the TPM with tpm_takeownership.
4. Initialize the PKCS#11 token and set SO and user PINs:
- pkcsconf -I -c 0 -S 87654321
- pkcsconf -P -c 0 -S 87654321 -n 111111
- pkcsconf -u -c 0 -S 111111 -n 000000
5. Write any X.509 certificate in DER format to the token:
- pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 --write-object cert.der --type cert --id 1
6. Attempt to list objects in the token:
- pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 -O
Expected results:
pkcs11-tool should list one certificate object and exit with no warnings.
Actual results:
pkcs11-tool reports lots of warnings and doesn't seem to know anything about the certificate:
--------
# pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so.0 --login --pin 000000 -O
Using slot 0 with a present token (0x0)
warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
Data object 1
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label: <empty>
warning: PKCS11 function C_GetAttributeValue(APPLICATION) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
application: <empty>
warning: PKCS11 function C_GetAttributeValue(OBJECT_ID) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
app_id: <empty>
warning: PKCS11 function C_GetAttributeValue(MODIFIABLE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
warning: PKCS11 function C_GetAttributeValue(PRIVATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
flags:
--------
Additionally, no object file seems to have been written to disk.
Opencryptoki should have written a numbered object file to
/var/lib/opencryptoki/tpm/root/TOK_OBJ, but this directory is empty.
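As an added example (not part of the bug report or of opencryptoki), the following shell script turns steps 5 and 6 of the reproduction into an automatic pass/fail check against the two expected results stated above: the listing must show exactly one certificate object with no CKR_ATTRIBUTE_SENSITIVE warnings, and a numbered object file must appear under the TOK_OBJ directory. The module path, user PIN and TOK_OBJ path are the ones quoted in the report; the two embedded transcripts are constructed (the "buggy" one mirrors the report, the "good" one is what a healthy token would print), and the assumptions that pkcs11-tool labels a CKO_CERTIFICATE as "Certificate Object" and that opencryptoki keeps its index in a file named OBJ.IDX are mine, not the report's.

```shell
#!/bin/sh
# Added example: scripted check for bug 942381's reproduction steps.
# Assumed values (taken from the report): module path, user PIN, TOK_OBJ path.
MODULE=/usr/lib/opencryptoki/libopencryptoki.so.0
USER_PIN=000000
TOK_OBJ_DIR=/var/lib/opencryptoki/tpm/root/TOK_OBJ

# check_listing LISTING: return 0 when a `pkcs11-tool -O` transcript shows
# exactly one certificate object and no CKR_ATTRIBUTE_SENSITIVE warnings
# (the expected result); return 1 for the broken behaviour in the report.
check_listing() {
    # `|| true` keeps grep's "no match" exit status from tripping `set -e`
    warnings=$(printf '%s\n' "$1" | grep -c 'CKR_ATTRIBUTE_SENSITIVE' || true)
    # Assumption: pkcs11-tool prints "Certificate Object; ..." for CKO_CERTIFICATE
    certs=$(printf '%s\n' "$1" | grep -c '^Certificate Object' || true)
    [ "$warnings" -eq 0 ] && [ "$certs" -eq 1 ]
}

# check_tok_obj DIR: return 0 when DIR holds at least one object file.
# Assumption: OBJ.IDX is opencryptoki's index file, not an object, so skip it.
check_tok_obj() {
    n=$(find "$1" -maxdepth 1 -type f ! -name 'OBJ.IDX' 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -ge 1 ]
}

# reproduce CERT.DER: steps 5 and 6 of the report, followed by both checks.
# Runs the real tools, so it is only invoked when a certificate path is given.
reproduce() {
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" \
        --write-object "$1" --type cert --id 1
    # warnings go to stderr, so merge it into the captured listing
    listing=$(pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" -O 2>&1)
    if check_listing "$listing" && check_tok_obj "$TOK_OBJ_DIR"; then
        echo "PASS: certificate readable and persisted in $TOK_OBJ_DIR"
    else
        echo "FAIL: attributes unreadable or no object file written"
        printf '%s\n' "$listing"
        return 1
    fi
}

# Constructed transcripts used for offline self-checking of check_listing.
BUGGY_LISTING=$(cat <<'EOF'
Using slot 0 with a present token (0x0)
warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
Data object 1
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
  label:          <empty>
EOF
)
GOOD_LISTING=$(cat <<'EOF'
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      cert
  ID:         01
EOF
)

if [ $# -gt 0 ]; then
    reproduce "$1"
fi
```

Run it as root with a DER certificate as the only argument (`sh check_942381.sh cert.der`) after completing steps 1 to 4 from the report; with no argument it only defines the functions, so the checks can be exercised against the constructed transcripts without a TPM.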