SSL connection failure: PKCS #11 error
traxtopel at gmail.com
Fri Mar 8 02:54:02 PST 2024
I changed the patch to just set. Still fails.
inScheme.details.ecdsa.hashAlg = TPM2_ALG_SHA256;
digest.size = 32;
If I attempt the gnutls-cli command, I see the following.
gnutls-cli --x509certfile=cert.pem --x509keyfile="pkcs11:model=%01%01%04%00%02%01%02%00%00%00%00%00%00%00%00%00;manufacturer=STMicro;serial=0000000000000000;token=TL_ECC256;id=%55%34%65%38%63%66%65%35%64%61%33%66%30%62%33%33;object=KL_ECC256;type=private;pin-value=userpin" vpn.com
- Status: The certificate is trusted.
- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
- Session ID: C0:25:19:E9:9F:96:EC:96:9D:4B:EE:43:43:90:3C:89:2B:C6:0D:39:64:A9:BA:DE:7A:D5:ED:C2:8A:5C:44:DB
- No certificate was sent to peer
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
(this output is similar to what I see with the working rsa4096 cert)
When I try to connect with openconnect, I receive the following error:
ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
SSL connection failure: PKCS #11 error.
Similarly, if, after running the openconnect command, I attempt the
gnutls-cli command mentioned above again, it also fails with the same error:
ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
*** Fatal error: PKCS #11 error.
However, if I wait a few minutes or connect using my legacy rsa4096
certificate, I can then run the gnutls-cli command multiple times
without encountering the PKCS #11 error.
On Thu, 2024-03-07 at 22:53 +0000, David Woodhouse wrote:
> On 7 March 2024 19:03:33 GMT, traxtopel at gmail.com wrote:
> > David,
> > tried to patch it no luck
> > i.e.
> > diff -ur openconnect-9.12.orig/gnutls_tpm2_esys.c openconnect-
> > 9.12/gnutls_tpm2_esys.c
> > --- openconnect-9.12.orig/gnutls_tpm2_esys.c 2022-04-28
> > 17:58:05.000000000 +0200
> > +++ openconnect-9.12/gnutls_tpm2_esys.c 2024-03-07
> > 16:03:54.521631835
> > +0100
> > @@ -498,12 +498,11 @@
> > case SHA1_SIZE: inScheme.details.ecdsa.hashAlg =
> > TPM2_ALG_SHA1; break;
> > case SHA256_SIZE: inScheme.details.ecdsa.hashAlg =
> > TPM2_ALG_SHA256; break;
> > case SHA384_SIZE: inScheme.details.ecdsa.hashAlg =
> > TPM2_ALG_SHA384; break;
> > - case SHA512_SIZE: inScheme.details.ecdsa.hashAlg =
> > TPM2_ALG_SHA512; break;
> > + case SHA512_SIZE: inScheme.details.ecdsa.hashAlg =
> > TPM2_ALG_SHA512; digest.size = 32 ; break;
> > default:
> > - vpn_progress(vpninfo, PRG_ERR,
> > - _("Unknown TPM2 EC digest size %d for
> > algo 0x%x\n"),
> > - data->size, algo);
> > - return GNUTLS_E_PK_SIGN_FAILED;
> > + inScheme.details.ecdsa.hashAlg = TPM2_ALG_SHA512;
>
> That wants to be SHA256 too.
>
> > + digest.size = 32;
> > + break;
> > }
> >
> > memcpy(digest.buffer, data->data, data->size);
> >
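Review bot: In the rewritten default: branch, removing the GNUTLS_E_PK_SIGN_FAILED return lets any data->size fall through to the unchanged memcpy(digest.buffer, data->data, data->size) below, so the copy length is no longer limited to the four known digest sizes and no longer agrees with digest.size = 32. Keep the error return for unknown sizes. In the SHA512_SIZE case the hunk leaves hashAlg at TPM2_ALG_SHA512 while setting digest.size = 32, which describes a 64-byte hash with a 32-byte length; if truncation is the intent, as the reply's "SHA256 too" remark implies, set hashAlg to TPM2_ALG_SHA256 there as well and have the memcpy copy digest.size bytes rather than data->size.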
> > I am on Fedora 39 using gnutls-3.8.3-1.fc39.x86_64
>
> Ah, by v3.8 GnuTLS actually includes my TPMv2 code natively. Can you
> test with gnutls-cli connecting to the same server with the same key?
>