SSL connection failure: PKCS #11 error
David Woodhouse
dwmw2 at infradead.org
Thu Mar 7 06:36:35 PST 2024
On Wed, 2024-03-06 at 12:44 +0100, Grant Williamson wrote:
> I am attempting to transition our existing environment of signed
> Digicert certificates from RSA-4096 to ECC256. The digicert one
> signing process appears to work.
> When using a software-emulated TPM, the connection is succesful.
>
> When I try hardware tpm(3 laptops) I encounter the folowing problem
> ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
> SSL connection failure: PKCS #11 error.
>
> I have tried generating the csr to be signed using both tpm2-openssl
> and pkcs11-provider, same result.
>
> Maybe the following gives a clue. Any ideas?
> (openconnect with --gnutls-debug=99 -v)
>
> https://pastebin.com/d2gT4t6q
I think that's a GnuTLS bug. What version of GnuTLS is it?
If you're using a Prime256 key, then the SHA512 hash ought to be
truncated to 32 bytes, and then we'd tell the TPM that it's actually a
SHA256. See
http://git.infradead.org/?p=users/dwmw2/openconnect.git;a=blob;f=gnutls_tpm2_esys.c;hb=HEAD#l487
As a nasty hack, since you know you have a 256-bit EC key (although I
didn't personally validate that assertion in your logs), can you try
hard-coding it to use TPM2_ALG_SHA256 and set digest.size=32 in
tpm2_ec_sign_hash_fn() ?
Do this in either gnutls_tpm2_esys.c or gnutls_tpm2_ibm.c; whichever is
being used on your system. Probably the former.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5965 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20240307/ebb2f95f/attachment.p7s>
More information about the openconnect-devel
mailing list