Openssl3

[l-sousa]

I'm trying to generate a CSR based on a PKCS11 token generated on the TPM2.0

Here is my code:

#!/bin/bash

sudo mkdir ~/openvpn-client || true
cd ~/openvpn-client

# Create certificate Signing Request Configuration

sudo sh -c "cat > client.cnf << EOF
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt                 = no
[ req_distinguished_name ]
C                      = US
ST                     = Foo
L                      = Bar
O                      = Widget Co
OU                     = Internet of Widgets Group
CN                     = $(hostname)
EOF"

# Create the TPM2 PKCS11 Key

# Note: you may need to configure the TCTI for your environment, I used ibmtpm1563 server
# and tpm2-abrmd.
export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
# Set the log-level for debugging so we get more info
export TPM2_PKCS11_LOG_LEVEL=0

# Set up the store location
export TPM2_PKCS11_STORE=~/src/
export PYTHONPATH=~/src/tpm2-pkcs11/tools
sudo rm ~/src/tpm2_pkcs11.sqlite3  || true

sopin=1234
userpin=1234
algorithm="rsa2048"

tpm2_clear
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool init --path=$TPM2_PKCS11_STORE
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool addtoken --pid=1 --sopin="$sopin" --userpin="$userpin" --label=openvpn
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool addkey --algorithm="$algorithm" --label=openvpn --userpin="$userpin"

# Set the token TCTI if needed.
/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=openvpn

# Create the Certificate Signing Request

TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")

export GNUTLS_PIN="$userpin"
export GNUTLS_SO_PIN="$sopin"

p11tool --login --list-all "${TOKEN}" --outfile p11tool.out

PRIVATE_KEY=$(cat p11tool.out | grep private | awk '{ print $2 }')

# # Load the TPM2 provider into OpenSSL
# sudo openssl provider -preactivate -activate -section tpm2 -config ~/.config/openssl.cnf

sudo sh -c "cat >> client.cnf << EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /home/botto/src/tpm2-pkcs11/src/.libs/libtpm2_pkcs11.so
MODULE_PATH = /usr/local/lib/libtpm2_pkcs11.so.0
init = 0
EOF"

# Generate the CSR using the PKCS#11 URI
openssl req -new -engine pkcs11 -key "${PRIVATE_KEY};pin-value=$userpin" -config client.cnf -out client.csr

yaml_rsa0=$(/home/botto/src/tpm2-pkcs11/tools/tpm2_ptool export --label=openvpn --key-label=openvpn --userpin=1234)
auth_rsa0=$(echo "$yaml_rsa0" | grep "object-auth" | cut -d' ' -f2-)

# I've fixed the format of the following command
openssl req \
    -new \
    -provider tpm2 \
    -provider base \
    -key openvpn.pem \
    -passin "pass:$auth_rsa0

The problem is on the first openssl req command:

# Generate the CSR using the PKCS#11 URI
openssl req -new -engine pkcs11 -key "${PRIVATE_KEY};pin-value=$userpin" -config client.cnf -out client.csr

Problems:

• I can't get openssl to recognize the engine.

• It also does not recognize the URI in the -key argument (example URI: pkcs11:model=SLI9670;manufacturer=Infineon;serial=0000000000000000;token=openvpn;id=%38%37%66%35%30%37%31%35%32%31%66%34%37%31%36%35;type=private;pin-value=1234)

I need to use PKCS11. Otherwise, I would have just gone with tpm2-openssl. I've tried this just for fun, but I can't seem to find compatible versions of the libs. Is there any page that tells which version suite is compatible? Because I've tried the latest releases, and they are incompatible,

[traxtopel]

I had the same issue, see #766