Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip login if token does not require login #258

Merged
merged 1 commit into from
Aug 2, 2023
Merged

Skip login if token does not require login #258

merged 1 commit into from
Aug 2, 2023

Conversation

CharlieYJH
Copy link
Contributor

Encountered an issue with tokens that don't require login while using this provider with https://github.com/tpm2-software/tpm2-pkcs11 where sign operations would not complete properly and always produced an error due to login error.

This is a proposal to just skip the token login if the flag CKF_LOGIN_REQUIRED is not present.

I'm not sure if there are any side effects to this but it at least solved my issue.

@simo5
Copy link
Member

simo5 commented Jul 9, 2023

I am not sure this is the right place where to fix it.
Can you provide a log of what happens with your tpm2-pkcs11 configuration?

It may make sense to rather ignore login errors and attempt to continue than not attempting login at all. I will form a better opinion if I can see the log.

@CharlieYJH
Copy link
Contributor Author

Hey, thanks for the feedback. Yeah I wasn't sure if this would be the best place to fix it either. You can find the log below at log level 2:

[provider.c:1340] OSSL_provider_init(): Provided config params:
[provider.c:1350] OSSL_provider_init():   pkcs11-module-path: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-init-args: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-token-pin: [****]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-allow-export: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-login-behavior: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-load-behavior: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-cache-pins: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-cache-keys: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-quirks: [none]
[provider.c:1350] OSSL_provider_init():   pkcs11-module-cache-sessions: [none]
[provider.c:1369] OSSL_provider_init(): PIN not available
[provider.c:1383] OSSL_provider_init(): Export allowed
[provider.c:1402] OSSL_provider_init(): Login behavior: auto
[provider.c:1419] OSSL_provider_init(): PINs will not be cached
[provider.c:1436] OSSL_provider_init(): Key caching: in session object
[provider.c:1477] OSSL_provider_init(): No quirks
[provider.c:1496] OSSL_provider_init(): Cache Sessions: 5
[provider.c:1509] OSSL_provider_init(): Load behavior: default
[store.c:193] p11prov_store_open(): object open (0x2fb9c00, pkcs11:token=obj-token;type=private)
[interface.c:289] p11prov_module_init(): PKCS#11: Initializing the module: /home/charlieyjh/Documents/libtpm2_pkcs11.so
[interface.c:173] p11prov_interface_init(): C_GetInterface() not available. Falling back to C_GetFunctionList(): /home/charlieyjh/Documents/libtpm2_pkcs11.so: undefined symbol: C_GetInterface
[interface.c:101] populate_interface(): Populating Interfaces with 'Internal defaults', version 2.40
[interface.gen.c:13] p11prov_Initialize(): Calling C_Initialize
[interface.gen.c:51] p11prov_GetInfo(): Calling C_GetInfo
[interface.c:325] p11prov_module_init(): Module Info: ck_ver:2.40 lib: 'tpm2-software.github.io' 'TPM2.0 Cryptoki' ver:1.9
[interface.gen.c:112] p11prov_GetSlotList(): Calling C_GetSlotList
[interface.gen.c:112] p11prov_GetSlotList(): Calling C_GetSlotList
[interface.gen.c:132] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[interface.gen.c:152] p11prov_GetTokenInfo(): Calling C_GetTokenInfo
[session.c:105] p11prov_session_pool_init(): Creating new session pool
[provider.c:607] p11prov_ctx_cache_sessions(): cache_sessions = 5
[session.c:132] p11prov_session_pool_init(): New session pool 0x2fda580 created
[objects.c:69] p11prov_obj_pool_init(): Creating new object pool
[objects.c:84] p11prov_obj_pool_init(): New object pool 0x2fda5e0 created
[interface.gen.c:215] p11prov_OpenSession(): Calling C_OpenSession
[interface.gen.c:446] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[interface.gen.c:468] p11prov_FindObjects(): Calling C_FindObjects
[interface.gen.c:488] p11prov_FindObjectsFinal(): Calling C_FindObjectsFinal
[slot.c:68] get_slot_profiles(): No profiles for slot 1
[interface.gen.c:234] p11prov_CloseSession(): Calling C_CloseSession
[interface.gen.c:173] p11prov_GetMechanismList(): Calling C_GetMechanismList
[slot.c:100] get_slot_mechanisms(): Slot(1) mechs found: 33
[interface.gen.c:173] p11prov_GetMechanismList(): Calling C_GetMechanismList
Slot Info:
  ID: 1
  Description:      [obj-token]
  Manufacturer ID:  [IBM]
  Flags (0x000005):

    CKF_TOKEN_PRESENT         (0x000001)
    CKF_HW_SLOT               (0x000004)
  Hardware Version: 1.64
  Firmware Version: 25.35

Token Info:
  Label:            [obj-token]
  Manufacturer ID:  [IBM]
  Model:            [SW   TPM]
  Serial Number:    [0000000000000000]
  Flags (0x000409):

    CKF_RNG                             (0x000001)
    CKF_USER_PIN_INITIALIZED            (0x000008)
    CKF_TOKEN_INITIALIZED               (0x000400)
  Session Count      Max: 1024  Current:   0
  R/W Session Count  Max: 1024  Current:   0
  Pin Len Range: 0-128
  Public  Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Private Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Hardware Version: 1.64
  Firmware Version: 25.35
  UTC Time: [2023071022001900]

[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_KEY_PAIR_GEN (0):
  min key length: 1024
  max key length: 3072
  flags (0x010001):

    CKF_HW                    (0x000001)
    CKF_GENERATE_KEY_PAIR     (0x010000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_X_509 (3):
  min key length: 1024
  max key length: 3072
  flags (0x002b01):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS (1):
  min key length: 1024
  max key length: 3072
  flags (0x002b01):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_PSS (13):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_OAEP (9):
  min key length: 1024
  max key length: 3072
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS (6):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS (64):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS (65):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS (66):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS_PSS (14):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS_PSS (67):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS_PSS (68):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS_PSS (69):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_KEY_PAIR_GEN (4160):
  min key length: 192
  max key length: 638
  flags (0x010001):

    CKF_HW                    (0x000001)
    CKF_GENERATE_KEY_PAIR     (0x010000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA (4161):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA1 (4162):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA256 (4164):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA384 (4165):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA512 (4166):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_KEY_GEN (4224):
  min key length: 16
  max key length: 32
  flags (0x008001):

    CKF_HW                    (0x000001)
    CKF_GENERATE              (0x008000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC (4226):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC_PAD (4229):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CFB128 (8455):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB (4225):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTR (4230):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1 (544):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256 (592):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384 (608):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512 (624):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC (545):
  min key length: 20
  max key length: 20
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC (593):
  min key length: 32
  max key length: 32
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC (609):
  min key length: 48
  max key length: 48
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC (625):
  min key length: 64
  max key length: 64
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
  No profiles specified

[interface.gen.c:132] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[interface.gen.c:152] p11prov_GetTokenInfo(): Calling C_GetTokenInfo
[session.c:105] p11prov_session_pool_init(): Creating new session pool
[provider.c:607] p11prov_ctx_cache_sessions(): cache_sessions = 5
[session.c:132] p11prov_session_pool_init(): New session pool 0x3004d60 created
[objects.c:69] p11prov_obj_pool_init(): Creating new object pool
[objects.c:84] p11prov_obj_pool_init(): New object pool 0x3004770 created
[interface.gen.c:215] p11prov_OpenSession(): Calling C_OpenSession
[interface.gen.c:446] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[interface.gen.c:468] p11prov_FindObjects(): Calling C_FindObjects
[interface.gen.c:488] p11prov_FindObjectsFinal(): Calling C_FindObjectsFinal
[slot.c:68] get_slot_profiles(): No profiles for slot 2
[interface.gen.c:234] p11prov_CloseSession(): Calling C_CloseSession
[interface.gen.c:173] p11prov_GetMechanismList(): Calling C_GetMechanismList
[slot.c:100] get_slot_mechanisms(): Slot(2) mechs found: 28
[interface.gen.c:173] p11prov_GetMechanismList(): Calling C_GetMechanismList
Slot Info:
  ID: 2
  Description:      []
  Manufacturer ID:  [IBM]
  Flags (0x000005):

    CKF_TOKEN_PRESENT         (0x000001)
    CKF_HW_SLOT               (0x000004)
  Hardware Version: 1.64
  Firmware Version: 25.35

Token Info:
  Label:            []
  Manufacturer ID:  [IBM]
  Model:            [SW   TPM]
  Serial Number:    [0000000000000000]
  Flags (0x000001):

    CKF_RNG                             (0x000001)
  Session Count      Max: 1024  Current:   0
  R/W Session Count  Max: 1024  Current:   0
  Pin Len Range: 0-128
  Public  Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Private Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Hardware Version: 1.64
  Firmware Version: 25.35
  UTC Time: [2023071022001900]

[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_KEY_PAIR_GEN (0):
  min key length: 1024
  max key length: 3072
  flags (0x010001):

    CKF_HW                    (0x000001)
    CKF_GENERATE_KEY_PAIR     (0x010000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_X_509 (3):
  min key length: 1024
  max key length: 3072
  flags (0x002b01):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS (1):
  min key length: 1024
  max key length: 3072
  flags (0x002b01):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_OAEP (9):
  min key length: 1024
  max key length: 3072
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS (6):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS (64):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS (65):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS (66):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_KEY_PAIR_GEN (4160):
  min key length: 192
  max key length: 638
  flags (0x010001):

    CKF_HW                    (0x000001)
    CKF_GENERATE_KEY_PAIR     (0x010000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA (4161):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA1 (4162):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA256 (4164):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA384 (4165):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA512 (4166):
  min key length: 192
  max key length: 638
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_KEY_GEN (4224):
  min key length: 16
  max key length: 32
  flags (0x008001):

    CKF_HW                    (0x000001)
    CKF_GENERATE              (0x008000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC (4226):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC_PAD (4229):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CFB128 (8455):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB (4225):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTR (4230):
  min key length: 16
  max key length: 32
  flags (0x000301):

    CKF_HW                    (0x000001)
    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1 (544):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256 (592):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384 (608):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512 (624):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC (545):
  min key length: 20
  max key length: 20
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC (593):
  min key length: 32
  max key length: 32
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC (609):
  min key length: 48
  max key length: 48
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC (625):
  min key length: 64
  max key length: 64
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
  No profiles specified

[random.c:85] p11prov_rand_generate(): rand: generate (add bytes: 0)
[session.c:712] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false
[session.c:744] p11prov_get_session(): cycle through available slots
[session.c:484] check_slot(): Checking Slot id=1, uri=(nil), mechtype=ffffffffffffffff, rw=false)
[session.c:780] p11prov_get_session(): Found a slot 1
[session.c:252] session_new(): Creating new P11PROV_SESSION session on pool 0x2fda580
[session.c:286] session_new(): Total sessions: 1
[interface.gen.c:215] p11prov_OpenSession(): Calling C_OpenSession
[session.c:72] token_session_open(): C_OpenSession ret:0 (session: 72057594037927937)
[interface.gen.c:884] p11prov_GenerateRandom(): Calling C_GenerateRandom
[util.c:554] p11prov_parse_uri(): ctx=0x2fb9c00 uri=pkcs11:token=obj-token;type=private)
[util.c:360] parse_utf8str(): String [obj-token] -> [obj-token]
[util.c:360] parse_utf8str(): String [private] -> [private]
[store.c:472] p11prov_store_set_ctx_params(): set ctx params (0x3013bd0, 0x7fff9f6d0a30)
[store.c:414] p11prov_store_eof(): store eof (0x3013bd0)
[store.c:246] p11prov_store_load(): store load (0x3013bd0)
[store.c:92] store_fetch(): called (store_ctx=0x3013bd0)
[provider.c:589] p11prov_ctx_login_behavior(): login_behavior = 0
[session.c:712] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false
[session.c:744] p11prov_get_session(): cycle through available slots
[session.c:484] check_slot(): Checking Slot id=1, uri=0x3013c80, mechtype=ffffffffffffffff, rw=false)
[session.c:780] p11prov_get_session(): Found a slot 1
[interface.gen.c:254] p11prov_GetSessionInfo(): Calling C_GetSessionInfo
[objects.c:918] p11prov_obj_find(): Find objects [class=3, id-len=0, label=(null)]
[interface.gen.c:446] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[interface.gen.c:468] p11prov_FindObjects(): Calling C_FindObjects
[interface.gen.c:468] p11prov_FindObjects(): Calling C_FindObjects
[interface.gen.c:488] p11prov_FindObjectsFinal(): Calling C_FindObjectsFinal
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (0): 0x00000000
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (1): 0x00000100
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (2): 0x00000171
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (3): 0x00000001
[interface.gen.c:405] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000000 value:0x2fb8870, len:8
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000100 value:0x2fb8888, len:8
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000171 value:0x2fb8880, len:1
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000001 value:0x2fb8881, len:1
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (0): 0x00000120
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (1): 0x00000122
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (2): 0x00000102
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (3): 0x00000003
[interface.gen.c:405] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[util.c:61] p11prov_fetch_attributes(): (Re)Fetching 4 attributes
[interface.gen.c:405] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000120 value:0x3011360, len:256
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000122 value:0x2fc6930, len:3
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000102 value:0x3025710, len:16
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x00000003 value:0x3014310, len:12
[util.c:24] p11prov_fetch_attributes(): Fetching attributes (0): 0x40000600
[interface.gen.c:405] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[util.c:61] p11prov_fetch_attributes(): (Re)Fetching 1 attributes
[interface.gen.c:405] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[util.c:67] p11prov_fetch_attributes(): Attribute| type:0x40000600 value:0x3011010, len:88
[objects.c:998] p11prov_obj_find(): Find objects: found 1 objects; Returning 0
[session.c:712] p11prov_get_session(): Get session on slot 2, reqlogin=false, rw=false
[session.c:744] p11prov_get_session(): cycle through available slots
[session.c:484] check_slot(): Checking Slot id=2, uri=0x3013c80, mechtype=ffffffffffffffff, rw=false)
[store.c:124] store_fetch(): Failed to get session to load keys (slotid=2, ret=e0)
[keymgmt.c:551] p11prov_rsa_load(): rsa load 0x2fb8850, 112
[objects.c:387] p11prov_obj_ref_no_cache(): Ref Object: 0x2fb8850 (handle:1)
[keymgmt.c:685] p11prov_rsa_get_params(): rsa get params 0x2fb8850
[keymgmt.c:559] p11prov_rsa_has(): rsa has 0x2fb8850 1
[store.c:429] p11prov_store_close(): store close (0x3013bd0)
[store.c:34] p11prov_store_ctx_free(): store ctx free (0x3013bd0)
[objects.c:418] p11prov_obj_free(): Free Object: 0x2fb8850 (handle:1)
[objects.c:424] p11prov_obj_free(): object free: reference held
[encoder.c:354] p11prov_rsa_encoder_spki_der_encode(): RSA SubjectPublicKeyInfo DER Encoder
[objects.c:1465] get_public_attrs(): Get Public Attributes (obj=0x2fb8850, atrs=0x7fff9f6d0630, num=2)
[keymgmt.c:595] p11prov_rsa_export(): rsa export 0x2fb8850
[provider.c:583] p11prov_ctx_allow_export(): allow_export = 0
[signature.c:1179] p11prov_rsasig_digest_sign_init(): rsa digest sign init (ctx=0x3013ea0, digest=SHA256, key=0x2fb8850, params=(nil))
[objects.c:387] p11prov_obj_ref_no_cache(): Ref Object: 0x2fb8850 (handle:1)
[provider.c:601] p11prov_ctx_cache_keys(): cache_keys = 1
[signature.c:1439] p11prov_rsasig_set_ctx_params(): rsasig set ctx params (ctx=0x3013ea0, params=(nil))
[signature.c:1306] p11prov_rsasig_get_ctx_params(): rsasig get ctx params (ctx=0x3013ea0, params=0x7fff9f6d0950)
[signature.c:1221] p11prov_rsasig_digest_sign_final(): rsa digest sign final (ctx=0x3013ea0, sig=(nil), siglen=0, sigsize=0)
[signature.c:1201] p11prov_rsasig_digest_sign_update(): rsa digest sign update (ctx=0x3013ea0, data=0x2fda190, datalen=389)
[signature.c:781] p11prov_sig_operate_init(): called (sigctx=0x3013ea0, digest_op=true)
[interface.gen.c:194] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS (64):
  min key length: 1024
  max key length: 3072
  flags (0x002801):

    CKF_HW                    (0x000001)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[session.c:712] p11prov_get_session(): Get session on slot 1, reqlogin=true, rw=false
[session.c:720] p11prov_get_session(): single-shot request for slot 1
[session.c:484] check_slot(): Checking Slot id=1, uri=(nil), mechtype=40, rw=false)
[interface.gen.c:254] p11prov_GetSessionInfo(): Calling C_GetSessionInfo
[signature.c:838] p11prov_sig_operate_init(): Error: 0x00000001; Failed to open session on slot 1
[objects.c:418] p11prov_obj_free(): Free Object: 0x2fb8850 (handle:1)
[objects.c:424] p11prov_obj_free(): object free: reference held
[keymgmt.c:545] p11prov_rsa_free(): rsa free 0x2fb8850
[objects.c:418] p11prov_obj_free(): Free Object: 0x2fb8850 (handle:1)

Just a few details about this. I actually worked around the initial OSSL_STORE_load by inputting an OSSL_PARAM of OSSL_STORE_PARAM_EXPECT = -1 as I saw these lines in the store.c:

    if (ctx->expect == 0 || ctx->expect == OSSL_STORE_INFO_PKEY
        || login_behavior == PUBKEY_LOGIN_ALWAYS) {
        login = true;
    }

Although no such workaround exists for the signing operation it seems like. With the patch I submitted this workaround wasn't necessary as it would just skip the login altogether.

Let me know your thoughts on what might be the best way to solve this issue.

@CharlieYJH
Copy link
Contributor Author

It appears without my patch, it essentially hits this branch and token_login returns CKR_CANCEL.

        } else {
            ret = CKR_CANCEL;
            goto done;
        }

@simo5
Copy link
Member

simo5 commented Jul 11, 2023

So what is happening here is that we are entering token_login() but no pin or callback is available, and this causes the function to exit with CKR_CANCEL ...

The problem with returning CKR_OK here is that this makes the provider think the session is a login session when it really isn't.

Is it normal for TPM modules to not support login at all ?

@CharlieYJH
Copy link
Contributor Author

I'm not sure if it's "normal" but it's certainly one way of using it, since the pkcs11 really just acts as a bridge for the TPM and whatever's trying to use it through a pkcs11 interface. In the same way you wouldn't necessarily enter a password to use the TPM for Windows 11, some may prefer not having a PIN through the pkcs11 interface either for other operations and have it be transparent.

I could definitely try to maybe provide an empty PIN or a callback returning an empty PIN the next chance I get and see if that solves my issue.

@simo5
Copy link
Member

simo5 commented Jul 11, 2023

I see that a Login function is supported by the tpm module you pointed out, and it will be attempted if a pin or a callback function is provided.

Perhaps what we can try is to consider the reqlogin variable provide as input into p11prov_get_session() as an advisory request. And check the slot->token to see if the token actually requires login just before calling slot_login().
If it turns our that CKF_LOGIN_REQUIRED is not set we simply do not proceed without calling slot_login as if reqlogin had been false.

This can be done by changing the value of reqlogin before checking it this way:

reqlogin = reqlogin & slot_check_req_login(slot)

where:

bool p11prov_slot_check_req_login(P11PROV_SLOT *slot)
{
   return slot->token.flags & CKF_LOGIN_REQUIRED;
}

@simo5
Copy link
Member

simo5 commented Jul 11, 2023

We also need to think what the behavior should be if PUBKEY_LOGIN_ALWAYS is set. Probably should always attempt login in that case so a more complex helper function to determine whether to login may be needed.

@CharlieYJH
Copy link
Contributor Author

Right, it does provide Login since there is an option to set a PIN on the slot when creating it via the module, though it is entirely optional.

I quite like that idea. Actually I originally wanted to do it from a more "outside" place than token_login, it totally escaped me that P11PROV_SLOT would contain the necessary info.

I agree here that PUBKEY_LOGIN_ALWAYS should probably force a login. I'll revise the changes and see what we can do.

@simo5
Copy link
Member

simo5 commented Jul 28, 2023

Sorry for dropping the ball here.
I think this looks good.

@CharlieYJH
Copy link
Contributor Author

All good, thanks for reviewing the changes.

@simo5
Copy link
Member

simo5 commented Aug 2, 2023

@CharlieYJH would you mind squashing the commits, the second basically undo the first IIRC

@CharlieYJH
Skip calling into slot_login if the slot does not require login and P…
1d4d857 
…UBKEY_LOGIN_ALWAYS is not set

Signed-off-by: Charlie Yin <charlieyinjunhao@hotmail.com>
@simo5
Copy link
Member

simo5 commented Aug 2, 2023

Thanks for the patch!

@simo5 simo5 merged commit 621fd32 into latchset:main Aug 2, 2023
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@CharlieYJH @simo5