CSR generation failed in openssl-3.0.9 due to "the authorization HMAC check failed and DA counter incremented"
sumanth797 opened this issue · 2 comments
Hi,
We are trying to generate the CSR file using the openssl command with tpm2, and this is what we got after running it:
sudo openssl req -new -provider-path /usr/lib64/ossl-packages -provider tpm2 -key handle:0x81010002 -out test2.csr -config csr.cnf
Output after running the above command:
PROVIDER INIT
STORE/OBJECT OPEN handle:0x81010002
STORE/OBJECT SET_PARAMS [ expect ]
STORE/OBJECT LOAD
STORE/OBJECT LOAD pkey
STORE/OBJECT LOAD found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 1
STORE/OBJECT CLOSE
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa pkcs1/der DOES_SELECTION 0x86
ENCODER rsa pkcs1/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der ENCODE 0x86
RSA GET_PARAMS [ default-digest mandatory-digest ]
RSA GET_PARAMS [ default-digest mandatory-digest ]
SIGN DIGEST_INIT rsa MD=(null)
SIGN GET_CTX_PARAMS [ algorithm-id ]
SIGN DIGEST_SIGN estimate
SIGN DIGEST_SIGN
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x0000098e)
405167A7BB7F0000:error:4000000F:tpm2:tpm2_signature_digest_sign:cannot sign:src/tpm2-provider-signature.c:506:2446 tpm:session(1):the authorization HMAC check failed and DA counter incremented
405167A7BB7F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:284:
RSA FREE
PROVIDER TEARDOWN
It is throwing this: the authorization HMAC check failed and DA counter incremented.
Before generating the CSR, we are running these commands:
For enabling TPM clear:
tpm2_changeauth -c o -p Z75rVG1VY7DplNA1
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
ownerAuthSet: 0
endorsementAuthSet: 1
lockoutAuthSet: 1
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 1
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0xB
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
For TPM clear:
sudo tpm2_clear N1TXvZ9GCHary5Xq
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 1
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0xB
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0xA
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
For TPM initialize:
sudo tpm2_changeauth -c endorsement 7aAGPBMlm1VRPNlH
sudo tpm2_dictionarylockout -s -n 32 -t 3600 -l 1800
sudo tpm2_changeauth -c lockout N1TXvZ9GCHary5Xq
sudo tpm2_changeauth -c owner Z75rVG1VY7DplNA1
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
ownerAuthSet: 1
endorsementAuthSet: 1
lockoutAuthSet: 1
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 1
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0xB
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
For generation of vendor keys:
echo pL7R0jPKaVTf3SA2P660A9hojsOGCiXfsls61fr9xjyV4OCcyV5pEg4AQE6a5ivldNaXpJZ8EpXajDw1f1AQibVi5QLkmzcRWOgZ9reoENbZmu0vTtQ6e1DlADSKuLi9AJLTUC34t6idrdEjyg2akneZ5INDsrtZ97Vhqo5zhcDEbO9yhKiOAIsub9fz2J2RMQX6ednsXqdjH6B1EWOtAx2oPav6uZkGeaOc7GoAzA4KI2hQEoZn1GxiprivZN5 |tpm2 createprimary -C e -G rsa2048 -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth' -u - -c endorsementkey.ctx -P 7aAGPBMlm1VRPNlH -p e5xGX7sEgVrfDxkg
sudo tpm2_evictcontrol -C o -c endorsementkey.ctx 0x81010001 -P Z75rVG1VY7DplNA1
sudo tpm2_getcap handles-persistent | grep 0x81010001
sudo tpm2_create -C 0x81010001 -a 'fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign' -u vendorkey.pub -r vendorkey.priv -P e5xGX7sEgVrfDxkg -p ynM67sdZjEJesWk6
sudo tpm2_load -C 0x81010001 -u vendorkey.pub -r vendorkey.priv -c vendorkey.ctx -P e5xGX7sEgVrfDxkg
sudo tpm2_evictcontrol -C o -c vendorkey.ctx 0x81010002 -P Z75rVG1VY7DplNA1
sudo tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
ownerAuthSet: 1
endorsementAuthSet: 1
lockoutAuthSet: 1
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 1
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x2
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x5
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x5
TPM2_PT_HR_PERSISTENT: 0x2
TPM2_PT_HR_PERSISTENT_AVAIL: 0x9
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0xFFFFFFFF
TPM2_PT_LOADED_CURVES: 0x3
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
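Added example (not code from the issue or from the tpm2-openssl project): a small POSIX sh helper that parses the `tpm2_getcap properties-variable` output quoted above and reports how close the TPM is to its dictionary-attack (DA) lockout, so a signing command that fails the HMAC check is not retried blindly until `inLockout` trips. The sample text is constructed from the values in the post; `cap_value`, `da_status` and the warn threshold of three remaining attempts are my own.

```shell
#!/bin/sh
# Constructed sample in the shape of the `tpm2_getcap properties-variable`
# output from the post (MAX_AUTH_FAIL 0x20, LOCKOUT_COUNTER 0x0, not locked).
SAMPLE_CAPS='TPM2_PT_PERMANENT:
  inLockout: 0
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0xE10
TPM2_PT_LOCKOUT_RECOVERY: 0x708'

# cap_value NAME TEXT: print the decimal value of the first "NAME: value" line
# in TEXT; values may be decimal ("0") or hex ("0x20"); missing -> 0.
cap_value() {
    _v=$(printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1)
    echo $(( ${_v:-0} + 0 ))
}

# da_status TEXT: print "<state> <failures> <max>" where state is
# ok / warn / locked, and return 0 / 1 / 2 respectively. Each failed
# authorization (as in the openssl error above) increments LOCKOUT_COUNTER;
# reaching MAX_AUTH_FAIL sets inLockout until LOCKOUT_INTERVAL seconds pass.
da_status() {
    _in_lockout=$(cap_value inLockout "$1")
    _count=$(cap_value TPM2_PT_LOCKOUT_COUNTER "$1")
    _max=$(cap_value TPM2_PT_MAX_AUTH_FAIL "$1")
    if [ "$_in_lockout" -ne 0 ]; then
        echo "locked $_count $_max"
        return 2
    fi
    # Warn when three or fewer failed attempts remain before lockout.
    if [ $(( _max - _count )) -le 3 ]; then
        echo "warn $_count $_max"
        return 1
    fi
    echo "ok $_count $_max"
    return 0
}

# Stand-alone run on the constructed sample; on a real host replace the
# sample with: caps=$(sudo tpm2_getcap properties-variable)
da_status "$SAMPLE_CAPS"
```

The key at 0x81010002 was created with `userwithauth` and a `-p` password, but the openssl command above passes no authorization for `handle:0x81010002`; tpm2-openssl documents a `?pass` query on the handle URI with the password supplied through `-passin` (assumption: check the provider's docs for your version).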