From: Jaureguiberry, IgnacioX <ignaciox.jaureguiberry at intel.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: OpenSSL TLS using tpm2-pkcs11 doesn't work on newer versions
Date: Thu, 23 Jan 2020 19:16:21 +0000
Message-ID: <bc792ae09d144aa2943754e0f238afea@intel.com>
In-Reply-To: 476DC76E7D1DF2438D32BFADF679FC5649E787D2@ORSMSX101.amr.corp.intel.com
These are the software versions on each setup. For the Ubuntu packages I'm putting the Ubuntu package and version, and also the project with its version.
On the Ubuntu 16.04:
Bundled with Ubuntu:
* libssl1.0.0 [1.0.2g-1] - openssl [1.0.2g]
* libp11-2 [0.3.1-1] - libp11 [0.3.1]
* libengine-pkcs11-openssl [0.2.1-1] - engine_pkcs11 [0.2.1]
Tpm2 project libraries, built from sources:
* tpm2-tss [ git sha: eedaf1a - tag 2.3.2 ]
* tpm2-abrmd [ git sha: e275930 - tag 2.3.1 ]
* tpm2-tools [ git sha: c971982 - master ]
* tpm2-pkcs11 [ git sha: 7af62a4 - tag 1.0 ]
On the Ubuntu 18.04 setup:
Bundled with Ubuntu:
* libssl1.1 [1.1.1-1ubuntu2.1] - openssl [1.1.1]
* libengine-pkcs11-openssl [0.4.7-3] - libp11 [0.4.7]
* opensc-pkcs11 [0.17.0-3] - opensc [0.17.0]
* p11-kit-modules [0.23.9-2] - p11-kit [0.23.9]
Tpm2 project libraries, built from sources:
* tpm2-tss [ git sha: eedaf1a - tag 2.3.2 ]
* tpm2-tools [ git sha: c971982 - master ]
* tpm2-pkcs11 [ git sha: 7af62a4 - tag 1.0 ]
I'm sending the logs and function calls captured with pkcs11spy for each setup. The different mechanism in C_SignInit can be seen on them.
-----Original Message-----
From: Roberts, William C
Sent: Thursday, January 23, 2020 11:44 AM
To: Jaureguiberry, IgnacioX <ignaciox.jaureguiberry(a)intel.com>; tpm2(a)lists.01.org
Subject: RE: [tpm2] OpenSSL TLS using tpm2-pkcs11 doesn't work on newer versions
> -----Original Message-----
> From: Ignacio Jaureguiberry [mailto:ignaciox.jaureguiberry(a)intel.com]
> Sent: Wednesday, January 22, 2020 12:36 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] OpenSSL TLS using tpm2-pkcs11 doesn't work on newer
> versions
>
> I was trying to make wpa_supplicant use a tpm2-pkcs11 stored private
> key to authenticate against a RADIUS server, I mentioned about it on this discussion:
> https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/message/AYUBCAFCCXITEVSWA4IFC466LYS6ZIYX/
>
> With some fixes on tpm2-pkcs11, TLS is working and there is an
> integration test for that here:
> https://github.com/tpm2-software/tpm2-pkcs11/blob/master/test/integration/tls-tests.sh
>
> I wasn't able to reproduce this on Ubuntu 18, and noted that the test
> cases ran on top of an Ubuntu 16.04 image. I tried Ubuntu 16.04 and
> TLS works as in the integration test. I also checked that using latest
> version of wpa_supplicant, it does work with tpm2-pkcs11 and creates an EAP-TLS connection using the TPM.
Increasing our distro coverage is definitely something I need/want to do for tpm2-pkcs11.
I already did this for many of the other tpm2 projects like tpm2-tools and tpm2-tss.
>
> I've debugged a bit in both OS versions and found that openssl is
> calling pkey_rsa_sign with different padding modes: RSA_PKCS1_PADDING
> in Ubuntu 16, and RSA_PKCS1_PSS_PADDING in Ubuntu 18. The consequence
> is that in
This seems like a good change, IIUC PKCS1 padding has some known issues, so changing to PSS is a good move.
> tpm2-pkcs11, sign_init is being called using CKM_RSA_PKCS as mechanism
> on Ubuntu 16, but in Ubuntu 18 it is being called with CKM_RSA_X_509,
> which is not supported.
CKM_RSA_X_509 is supported, it's raw RSA encryption and AFAICT it's been supported since release 1.0. If it's signing with raw RSA, it must apply the PSS padding separately. Which it does looking at OSSL 1_1_1 code:
-- code ---
    } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
        if (!setup_tbuf(rctx, ctx))
            return -1;
        if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
                                            rctx->tbuf, tbs,
                                            rctx->md, rctx->mgf1md,
                                            rctx->saltlen))
            return -1;
        ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
                                  sig, rsa, RSA_NO_PADDING);
---
So this makes sense to what you're seeing hitting the pkey_rsa_sign versus the calls hitting
pkcs11 C_SignInit.
>
> I think I have to file a bug to OpenSSL, but I don't know too much
> about the
> PKCS11 specs to support the claims. I'd appreciate any help to file a decent issue.
> Also, any workaround is welcome, as replacing OpenSSL in any
> distribution is very hard given all the software that depends on it.
Probably not, it's probably something we need to fix in the pkcs11 library which is very much an under development project. We should try and replicate the bug first, and deduce that it is their bug before we file. We don't want to cry wolf here.
I would capture the parameters going into the C_SignInit and subsequent C_Sign calls and create a test in test/integration/pkcs-crypt.int.c that reproduces the error.
If you get me the inputs soon, I can develop this test and get a fix out. I am out all next week Jan 27-Jan 31.
Another great way to debug deeper is both pkcs11spy and setting the env variable "export TPM2_PKCS11_DEBUG_LOG=2" to get verbose logs out of the tpm2-pkcs11 library. You can find the pkcs11spy project at:
https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
Also, specifying versions of OSSL and tpm2-pkcs11 as well as more logs and specific error messages you share, the easier it will be for us to help debug.
Thanks,
Bill
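The two signing paths discussed in this thread, as an added example that is not part of the original messages and is not code from OpenSSL, libp11 or tpm2-pkcs11: with RSA_PKCS1_PADDING the token receives a short DigestInfo under CKM_RSA_PKCS and pads it itself, while with RSA_PKCS1_PSS_PADDING the caller builds the PSS block in software and the token only sees a modulus-sized block under CKM_RSA_X_509. Assumptions: the toy key (two Mersenne primes) stands in for the TPM key, SHA-256 with a 32-byte salt is used, and all function names are hypothetical.

```python
import hashlib
import os

# Constructed toy key from two Mersenne primes (insecure, illustration only);
# it stands in for the TPM-resident key so the script runs offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes
EM_BITS = N.bit_length() - 1         # emBits = modBits - 1 (RFC 8017, 8.1.1)
EM_LEN = (EM_BITS + 7) // 8
TOP_MASK = 0xFF >> (8 * EM_LEN - EM_BITS)
# DER DigestInfo prefix for SHA-256, the first 19 bytes of the 51-byte
# C_Sign input in the Ubuntu 16.04 trace.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def sha256(data):
    return hashlib.sha256(data).digest()

def mgf1(seed, length):
    out, counter = b"", 0
    while len(out) < length:
        out += sha256(seed + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(m_hash, salt):
    """EMSA-PSS encoding done in software by the caller (RFC 8017, 9.1.1)."""
    pad_len = EM_LEN - len(m_hash) - len(salt) - 2
    if pad_len < 0:
        raise ValueError("modulus too small for this hash and salt length")
    h = sha256(b"\x00" * 8 + m_hash + salt)
    db = b"\x00" * pad_len + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= TOP_MASK                      # clear the bits above emBits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(m_hash, em, salt_len):
    """EMSA-PSS verification (RFC 8017, 9.1.2)."""
    pad_len = EM_LEN - len(m_hash) - salt_len - 2
    if len(em) != EM_LEN or pad_len < 0 or em[-1] != 0xBC:
        return False
    masked, h = em[:-len(m_hash) - 1], em[-len(m_hash) - 1:-1]
    if masked[0] & ~TOP_MASK & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= TOP_MASK
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    return sha256(b"\x00" * 8 + m_hash + bytes(db[pad_len + 1:])) == h

def token_sign_x509(block):
    """Token side of CKM_RSA_X_509: bare private-key exponentiation, no padding."""
    m = int.from_bytes(block, "big")
    if len(block) > K or m >= N:
        raise ValueError("input does not fit the modulus")
    return pow(m, D, N).to_bytes(K, "big")

def pkcs1_type1(digest_info):
    """PKCS#1 v1.5 signature padding: 00 01 FF..FF 00 || DigestInfo."""
    if len(digest_info) > K - 11:
        raise ValueError("data too long for CKM_RSA_PKCS")
    return b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info

def token_sign_pkcs(digest_info):
    """Token side of CKM_RSA_PKCS: the token applies the v1.5 padding itself."""
    return token_sign_x509(pkcs1_type1(digest_info))

def sign_pkcs1_v15(message):
    """RSA_PKCS1_PADDING path: returns (mechanism, C_Sign input, signature)."""
    data = SHA256_DIGESTINFO_PREFIX + sha256(message)
    return "CKM_RSA_PKCS", data, token_sign_pkcs(data)

def sign_pss(message, salt=None):
    """RSA_PKCS1_PSS_PADDING path: pad in software, then request raw RSA."""
    salt = os.urandom(32) if salt is None else salt
    block = emsa_pss_encode(sha256(message), salt).rjust(K, b"\x00")
    return "CKM_RSA_X_509", block, token_sign_x509(block)

def recover(signature):
    return pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")

def verify_pkcs1_v15(message, signature):
    return recover(signature) == pkcs1_type1(SHA256_DIGESTINFO_PREFIX + sha256(message))

def verify_pss(message, signature, salt_len=32):
    em = recover(signature)
    return not any(em[:K - EM_LEN]) and emsa_pss_verify(sha256(message), em[K - EM_LEN:], salt_len)

if __name__ == "__main__":
    msg = b"constructed stand-in for the TLS handshake transcript"
    for sign, verify in ((sign_pkcs1_v15, verify_pkcs1_v15), (sign_pss, verify_pss)):
        mech, data, sig = sign(msg)
        print(f"{mech:14} C_Sign input={len(data):3} bytes verifies={verify(msg, sig)}")
```

A token that accepts CKM_RSA_X_509 cannot tell what it is signing, so any padding or digest policy has to be enforced by the caller on this path.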
[-- Attachment #2: openssl_tls_pkcs11_ubuntu16.04.txt --]
[-- Type: text/plain, Size: 22766 bytes --]
PKCS11SPY=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so openssl s_client -engine pkcs11 -keyform engine -key "$PKCS11_KEY" -CAfile "ca.pem" -cert client_tpm.pem -connect 192.168.160.42:4433
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so"
0: C_GetFunctionList
2020-01-23 14:58:34.532
Returned: 0 CKR_OK
1: C_Initialize
2020-01-23 14:58:34.532
[in] pInitArgs = (nil)
openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:265
Returned: 0 CKR_OK
2: C_GetInfo
2020-01-23 14:58:34.544
[out] pInfo:
cryptokiVersion: 2.40
manufacturerID: 'tpm2-software.github.io '
flags: 0
libraryDescription: 'TPM2.0 Cryptoki '
libraryVersion: 1.0
Returned: 0 CKR_OK
openssl (lock_dbg_cb): not locked (mode=10, type=30) at eng_table.c:187
engine "pkcs11" set.
3: C_GetSlotList
2020-01-23 14:58:34.544
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
4: C_GetSlotList
2020-01-23 14:58:34.544
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
5: C_GetSlotInfo
2020-01-23 14:58:34.544
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'label '
'Intel '
manufacturerID: 'Intel '
hardwareVersion: 1.16
firmwareVersion: 45.9
flags: 5
CKF_TOKEN_PRESENT
CKF_HW_SLOT
Returned: 0 CKR_OK
6: C_GetTokenInfo
2020-01-23 14:58:34.561
[in] slotID = 0x1
[out] pInfo:
label: 'label '
manufacturerID: 'Intel '
model: 'Intel '
serialNumber: '0000000000000000'
ulMaxSessionCount: 1024
ulSessionCount: 0
ulMaxRwSessionCount: 1024
ulRwSessionCount: 0
ulMaxPinLen: 128
ulMinPinLen: 0
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 1.16
firmwareVersion: 45.9
time: '2020012317583400'
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
7: C_OpenSession
2020-01-23 14:58:34.562
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x100000000000000
Returned: 0 CKR_OK
8: C_FindObjectsInit
2020-01-23 14:58:34.562
[in] hSession = 0x100000000000000
[in] pTemplate[1]:
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
9: C_FindObjects
2020-01-23 14:58:34.562
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
10: C_FindObjectsFinal
2020-01-23 14:58:34.562
[in] hSession = 0x100000000000000
Returned: 0 CKR_OK
11: C_Login
2020-01-23 14:58:34.562
[in] hSession = 0x100000000000000
[in] userType = CKU_USER
[in] pPin[ulPinLen] 0000000001b9c470 / 9
00000000 6D 79 75 73 65 72 70 69 6E myuserpin
Returned: 0 CKR_OK
12: C_FindObjectsInit
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
13: C_FindObjects
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x1 matches
Returned: 0 CKR_OK
14: C_GetAttributeValue
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_KEY_TYPE 00007fff631b6f80 / 8
[out] pTemplate[1]:
CKA_KEY_TYPE CKK_RSA
Returned: 0 CKR_OK
15: C_GetAttributeValue
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_LABEL 00007fff631b6f90 / 256
[out] pTemplate[1]:
CKA_LABEL 00007fff631b6f90 / 0
Returned: 0 CKR_OK
16: C_GetAttributeValue
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_ID 00007fff631b7090 / 256
[out] pTemplate[1]:
CKA_ID 00007fff631b7090 / 16
00000000 36 33 30 38 32 33 30 38 37 65 65 31 39 65 35 38 630823087ee19e58
Returned: 0 CKR_OK
17: C_GetAttributeValue
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_ID 0000000001bb0520 / 255
[out] pTemplate[1]:
CKA_ID 0000000001bb0520 / 16
00000000 36 33 30 38 32 33 30 38 37 65 65 31 39 65 35 38 630823087ee19e58
Returned: 0 CKR_OK
18: C_FindObjects
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
19: C_FindObjectsFinal
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
Returned: 0 CKR_OK
20: C_GetAttributeValue
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 0
[out] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 256
Returned: 0 CKR_OK
21: C_GetAttributeValue
2020-01-23 14:58:34.952
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000001baf030 / 256
[out] pTemplate[1]:
CKA_MODULUS 0000000001baf030 / 256
Returned: 0 CKR_OK
22: C_GetAttributeValue
2020-01-23 14:58:34.953
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_PUBLIC_EXPONENT 0000000000000000 / 0
[out] pTemplate[1]:
CKA_PUBLIC_EXPONENT 0000000000000000 / 3
Returned: 0 CKR_OK
23: C_GetAttributeValue
2020-01-23 14:58:34.953
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_PUBLIC_EXPONENT 0000000001bb0b70 / 3
[out] pTemplate[1]:
CKA_PUBLIC_EXPONENT 0000000001bb0b70 / 3
00000000 01 00 01 ...
Returned: 0 CKR_OK
CONNECTED(00000009)
depth=1 C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
verify return:1
depth=0 C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
verify return:1
24: C_GetAttributeValue
2020-01-23 14:58:34.966
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 0
[out] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 256
Returned: 0 CKR_OK
25: C_GetAttributeValue
2020-01-23 14:58:34.966
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000001c113b0 / 256
[out] pTemplate[1]:
CKA_MODULUS 0000000001c113b0 / 256
Returned: 0 CKR_OK
26: C_GetAttributeValue
2020-01-23 14:58:34.967
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 0
[out] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 256
Returned: 0 CKR_OK
27: C_GetAttributeValue
2020-01-23 14:58:34.967
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000001c10da0 / 256
[out] pTemplate[1]:
CKA_MODULUS 0000000001c10da0 / 256
Returned: 0 CKR_OK
28: C_SignInit
2020-01-23 14:58:34.967
[in] hSession = 0x100000000000000
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x1
Returned: 0 CKR_OK
29: C_Sign
2020-01-23 14:58:34.995
[in] hSession = 0x100000000000000
[in] pData[ulDataLen] 0000000001c113b0 / 51
00000000 30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 010...`.H.e.....
00000010 00 04 20 86 83 C4 BC 33 59 6A DD 84 8F F0 07 AC .. ....3Yj......
00000020 6F 9E B4 BF 56 07 E7 A5 30 AF CE EC A1 B1 75 19 o...V...0.....u.
00000030 C8 32 CC .2.
[out] pSignature[*pulSignatureLen] 0000000001c05c38 / 256
Returned: 0 CKR_OK
---
Certificate chain
0 s:/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org
i:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
1 s:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
i:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
---
Server certificate
subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org
issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
---
Acceptable client certificate CA names
/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:0x07+0x08:0x08+0x08:0x09+0x08:0x0A+0x08:0x0B+0x08:0x04+0x08:0x05+0x08:0x06+0x08:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4116 bytes and written 2965 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FC09748B44F27A2B0C847AA00EE2497F89222AC22FCD19C0709AEF3E48A9F48D
Session-ID-ctx:
Master-Key: 089ACC3034A7060C63E966EF86AEC7B767FE5D2BD637E770D2F18928554D17B258BCA5CFFABAB094E11B43634CBE5C01
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1579802314
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
30: C_Finalize
2020-01-23 14:58:36.501
Returned: 0 CKR_OK
[-- Attachment #3: openssl_tls_pkcs11_ubuntu18.04.txt --]
[-- Type: text/plain, Size: 16338 bytes --]
PKCS11SPY=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so openssl s_client -engine pkcs11 -keyform engine -key "$PKCS11_KEY" -CAfile "ca.pem" -cert client_tpm.pem -connect 192.168.160.42:4433
engine "pkcs11" set.
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so"
0: C_GetFunctionList
2020-01-23 17:35:08.998
Returned: 0 CKR_OK
1: C_Initialize
2020-01-23 17:35:08.998
[in] pInitArgs = 0x7ffc50133960
flags: 2
CKF_OS_LOCKING_OK
Returned: 0 CKR_OK
2: C_GetInfo
2020-01-23 17:35:09.000
[out] pInfo:
cryptokiVersion: 2.40
manufacturerID: 'tpm2-software.github.io '
flags: 0
libraryDescription: 'TPM2.0 Cryptoki '
libraryVersion: 1.0
Returned: 0 CKR_OK
3: C_GetSlotList
2020-01-23 17:35:09.000
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
4: C_GetSlotList
2020-01-23 17:35:09.000
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
5: C_GetSlotInfo
2020-01-23 17:35:09.000
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'label '
'Intel '
manufacturerID: 'Intel '
hardwareVersion: 1.16
firmwareVersion: 45.9
flags: 5
CKF_TOKEN_PRESENT
CKF_HW_SLOT
Returned: 0 CKR_OK
6: C_GetTokenInfo
2020-01-23 17:35:09.017
[in] slotID = 0x1
[out] pInfo:
label: 'label '
manufacturerID: 'Intel '
model: 'Intel '
serialNumber: '0000000000000000'
ulMaxSessionCount: 1024
ulSessionCount: 0
ulMaxRwSessionCount: 1024
ulRwSessionCount: 0
ulMaxPinLen: 128
ulMinPinLen: 0
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 1.16
firmwareVersion: 45.9
time: '2020012317350900'
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
7: C_OpenSession
2020-01-23 17:35:09.017
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x100000000000000
Returned: 0 CKR_OK
8: C_FindObjectsInit
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] pTemplate[1]:
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
9: C_FindObjects
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
10: C_FindObjectsFinal
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
Returned: 0 CKR_OK
11: C_FindObjectsInit
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
12: C_FindObjects
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
13: C_FindObjectsFinal
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
Returned: 0 CKR_OK
14: C_FindObjectsInit
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] pTemplate[1]:
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
15: C_FindObjects
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
16: C_FindObjectsFinal
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
Returned: 0 CKR_OK
17: C_GetSessionInfo
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[out] pInfo:
slotID: 1
state: ' CKS_RO_PUBLIC_SESSION'
flags: 4
CKF_SERIAL_SESSION
ulDeviceError: 0
Returned: 0 CKR_OK
18: C_Login
2020-01-23 17:35:09.018
[in] hSession = 0x100000000000000
[in] userType = CKU_USER
[in] pPin[ulPinLen] 000055e1007b59c0 / 9
00000000 6D 79 75 73 65 72 70 69 6E myuserpin
Returned: 0 CKR_OK
19: C_FindObjectsInit
2020-01-23 17:35:09.394
[in] hSession = 0x100000000000000
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
20: C_FindObjects
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x1 matches
Returned: 0 CKR_OK
21: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_KEY_TYPE 00007ffc50133938 / 8
[out] pTemplate[1]:
CKA_KEY_TYPE CKK_RSA
Returned: 0 CKR_OK
22: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_LABEL 0000000000000000 / 0
[out] pTemplate[1]:
CKA_LABEL 0000000000000000 / 0
Returned: 0 CKR_OK
23: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_LABEL 000055e1007e8410 / 0
[out] pTemplate[1]:
CKA_LABEL 000055e1007e8410 / 0
Returned: 0 CKR_OK
24: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_ID 0000000000000000 / 0
[out] pTemplate[1]:
CKA_ID 0000000000000000 / 16
Returned: 0 CKR_OK
25: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_ID 000055e1007e94f0 / 16
[out] pTemplate[1]:
CKA_ID 000055e1007e94f0 / 16
00000000 33 30 31 64 62 61 36 65 62 33 65 35 34 35 38 37 301dba6eb3e54587
Returned: 0 CKR_OK
26: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_ID 000055e1007c7751 / 255
[out] pTemplate[1]:
CKA_ID 000055e1007c7751 / 16
00000000 33 30 31 64 62 61 36 65 62 33 65 35 34 35 38 37 301dba6eb3e54587
Returned: 0 CKR_OK
27: C_FindObjects
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
28: C_FindObjectsFinal
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
Returned: 0 CKR_OK
29: C_GetAttributeValue
2020-01-23 17:35:09.395
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 0
[out] pTemplate[1]:
CKA_MODULUS 0000000000000000 / 256
Returned: 0 CKR_OK
30: C_GetAttributeValue
2020-01-23 17:35:09.396
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_MODULUS 000055e1007e8a40 / 256
[out] pTemplate[1]:
CKA_MODULUS 000055e1007e8a40 / 256
Returned: 0 CKR_OK
31: C_GetAttributeValue
2020-01-23 17:35:09.396
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_PUBLIC_EXPONENT 0000000000000000 / 0
[out] pTemplate[1]:
CKA_PUBLIC_EXPONENT 0000000000000000 / 3
Returned: 0 CKR_OK
32: C_GetAttributeValue
2020-01-23 17:35:09.396
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_PUBLIC_EXPONENT 000055e1007e8430 / 3
[out] pTemplate[1]:
CKA_PUBLIC_EXPONENT 000055e1007e8430 / 3
00000000 01 00 01 ...
Returned: 0 CKR_OK
33: C_GetAttributeValue
2020-01-23 17:35:09.396
[in] hSession = 0x100000000000000
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_ALWAYS_AUTHENTICATE 000055e1007c7750 / 1
[out] pTemplate[1]:
CKA_ALWAYS_AUTHENTICATE False
Returned: 0 CKR_OK
CONNECTED(00000007)
depth=1 C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
verify return:1
depth=0 C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
verify return:1
34: C_SignInit
2020-01-23 17:35:09.410
[in] hSession = 0x100000000000000
pMechanism->type=CKM_RSA_X_509
[in] hKey = 0x1
Returned: 104 CKR_KEY_FUNCTION_NOT_PERMITTED
35: C_EncryptInit
2020-01-23 17:35:09.484
[in] hSession = 0x100000000000000
pMechanism->type=CKM_RSA_X_509
[in] hKey = 0x1
Returned: 0 CKR_OK
36: C_Encrypt
2020-01-23 17:35:09.484
[in] hSession = 0x100000000000000
[in] pData[ulDataLen] 000055e10080d2f0 / 256
[out] pEncryptedData[*pulEncryptedDataLen] 000055e10080d190 / 256
Returned: 0 CKR_OK
---
Certificate chain
0 s:C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
i:C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
1 s:C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
i:C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
---
Server certificate
subject=C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
issuer=C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
---
Acceptable client certificate CA names
C = FR, ST = Radius, L = Somewhere, O = Example Inc., emailAddress = admin@example.org, CN = Example Certificate Authority
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3058 bytes and written 2969 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
140227221696960:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:../ssl/record/rec_layer_s3.c:1528:SSL alert number 51
37: C_CloseAllSessions
2020-01-23 17:35:09.574
[in] slotID = 0x1
Returned: 0 CKR_OK
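As an added example (not part of the original message or of the tpm2-pkcs11 project): a small Python parser for pkcs11spy output in the layout of the log above. It lists calls that did not return CKR_OK and flags a rejected C_SignInit followed by a C_EncryptInit on the same key and mechanism, the sequence seen at calls 34 and 35. The sample input is constructed from those calls with session lines and hex dumps left out, and the function names are hypothetical.

```python
import re

# Constructed sample in pkcs11spy layout, trimmed from calls 34-36 of the log
# above (session lines and hex dumps omitted).
SAMPLE = """\
34: C_SignInit
2020-01-23 17:35:09.410
pMechanism->type=CKM_RSA_X_509
[in] hKey = 0x1
Returned: 104 CKR_KEY_FUNCTION_NOT_PERMITTED
35: C_EncryptInit
2020-01-23 17:35:09.484
pMechanism->type=CKM_RSA_X_509
[in] hKey = 0x1
Returned: 0 CKR_OK
36: C_Encrypt
2020-01-23 17:35:09.484
Returned: 0 CKR_OK
"""

CALL = re.compile(r"^(\d+): (C_\w+)$")           # "34: C_SignInit"
FIELDS = {                                        # one capture group each
    "mech": re.compile(r"^pMechanism->type=(\w+)$"),
    "key": re.compile(r"^\[in\] hKey = (0x[0-9a-fA-F]+)$"),
    "rv": re.compile(r"^Returned: \d+ (CKR_\w+)$"),
}

def parse_spy(text):
    """Return one dict per logged call: seq, func, mech, key, rv."""
    calls, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := CALL.match(line):
            cur = {"seq": int(m[1]), "func": m[2], "mech": None, "key": None, "rv": None}
            calls.append(cur)
        elif cur is not None:                     # ignore text before the first call
            for name, rx in FIELDS.items():
                if m := rx.match(line):
                    cur[name] = m[1]
    return calls

def failed_calls(calls):
    """Calls whose return value is present and is not CKR_OK."""
    return [c for c in calls if c["rv"] not in (None, "CKR_OK")]

def sign_then_encrypt(calls):
    """(sign_seq, encrypt_seq) pairs: rejected C_SignInit, then C_EncryptInit, same key and mechanism."""
    return [(a["seq"], b["seq"]) for a, b in zip(calls, calls[1:])
            if a["func"] == "C_SignInit" and a["rv"] != "CKR_OK"
            and b["func"] == "C_EncryptInit" and (a["key"], a["mech"]) == (b["key"], b["mech"])]
```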