I am relatively newbie to these technologies and I am a bit lost about what to do with the error message I currently face.
To put things right, I have an embedded system running Linux 5.10 on which I try to communicate with the TPM2.0 chip (Infineon SLB9670). I have at disposal every tpm2 high-level libraries and it is working quite well (tpm2-tss, tpm2-abrmd, tmp2-tools, tpm2-openssl, tpm2-pkcs11).
The thing is, I now try to use OpenSSL 3.2.2 to sign a file with the rsa key I generated on the slot 1 of my PKCS11 implementation on the TPM2.0.
Here is the slot on which I generated my key:
# pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so -L
Available slots:
Slot 0 (0x1): test token
token label : test token
token manufacturer : Infineon
token model : SLM9670
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.38
firmware version : 13.11
serial num : 0000000000000000
pin min/max : 0/128
Slot 1 (0x2):
token state: uninitialized
And the key itself:
# pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so --slot=1 --login --pin=testuserpin --list-objects
Public Key Object; RSA 2048 bits
label: rsakey
Usage: encrypt, verify
Access: local
Private Key Object; RSA
label: rsakey
Usage: decrypt, sign
Access: sensitive, always sensitive, never extractable, local
Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA1-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
Now, I am trying to sign a certificate using OpenSSL and the private key from the PKCS11 implementation on the TPM using the following command:
# OPENSSL_CONF=$HOME/tpm2-pkcs11.openssl.conf openssl pkeyutl -provider tpm2 -sign -inkey 'pkcs11:slot-id=1;type=private;object=rsakey' -in data.txt -out data.sig
The tpm2-pkcs11.openssl.conf looks like this:
openssl_conf = openssl_init
[openssl_init]
providers = provider_section
[provider_section]
pkcs11 = pkcs11_section
[pkcs11_section]
module = /usr/lib/libtpm2_pkcs11.so
[ req ]
distinguished_name = req_dn
string_mask = utf8only
utf8 = yes
[ req_dn ]
commonName = Sample Config
When I enter the command, it is said that openssl cannot find any private key to use:
Could not open file or uri for loading private key from pkcs11:token=test token;slot-id=1;type=private;object=rsakey;pin-value=testuserpin
0023F1B6:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:263:calling stat(pkcs11:token=test token;slot-id=1;type=private;object=rsakey;pin-value=testuserpin)
0023F1B6:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:360:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
pkeyutl: Error initializing context
Well, you have everything... hoping someone can enlighten me on this matter ^^
See the example in man provider-pkcs11
openssl.cnf:
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/vendor_pkcs11.so
pkcs11-module-token-pin = /etc/ssl/pinfile.txt
activate = 1
As you can see in the example in module you have to provide the path of shared object file of the openssl provider and not the path of the pkcs11 driver.
You can find the pkcs11-provider project here: https://github.com/latchset/pkcs11-provider. You can install it with sudo yum install pkcs11-provider.
You have to provide the path of libtpm2_pkcs11.so not in module but in pkcs11-module-path.