
tpm2_ptool changepin doesn't change the pin #3438

Open
gtellalov opened this issue Dec 6, 2024 · 4 comments

Comments

@gtellalov

I'm using tpm2-tools 5.7 and tpm2_ptool changepin --label ssh --old oldpin --new newpin. The command executes successfully and exits with code 0, but the pin remains unchanged.

@JuergenReppSIT (Member)

tpm2_ptool changepin --label ssh --old oldpin --new newpin worked for me with tpm2-tools 5.7 and tpm2-pkcs11 1.9.1.
After changing the pin I got the following error for ssh login when oldpin was entered (it worked with newpin):

Enter PIN for 'ssh': 
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:298:Esys_Unseal_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000098e) 
ERROR: Esys_Unseal: tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Error unsealing wrapping key
C_Login failed: 160
login failed
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for ECDSA "": error in libcrypto

@gtellalov (Author)

Is there a way I can trace/debug the execution of the command? It's doing nothing on my laptop, but it changed the pin successfully on my desktop, so it seems to be hardware related.

@JuergenReppSIT (Member)

With tpm2_ptool listobjects --label ssh you can list the key objects and determine the pubid of your public key.
With the following command (adapt the .so path, use your newpin) you dump the public key (here an EC key) in DER format:
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so --login --read-object --type pubkey --id <pubid> -p <newpin> > pub.der
You can display the public key with: openssl ec -pubin -inform DER -in pub.der -text
Now you can convert the public key generated with ssh-keygen and stored in the authorized keys file to PEM format and display the key:
ssh-keygen -e -m PEM -f sshkey.pub > sshpub.pem
openssl ec -pubin -inform PEM -in sshpub.pem -text
The two public keys should be equal. If not, the key for which you changed the pin is not used for the ssh login.
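The comparison procedure above, scripted as an added example (this is not code from the thread or from the tpm2-pkcs11 project). It assumes pkcs11-tool, ssh-keygen and base64 are on PATH, that the module path, CKA_ID and PIN are supplied by the caller, and that ssh-keygen -e -m PEM yields a SubjectPublicKeyInfo PEM for the key type in use, as the openssl ec -pubin invocation in the comment implies. The byte-level comparison in same_pubkey needs no openssl at all: a PEM body is just the base64 of the DER bytes, so a key that the token returns can be checked against the authorized_keys entry directly, and a C_Login failure (such as the CKR_OPERATION_NOT_INITIALIZED case later in this issue) surfaces as a non-zero exit from dump_token_pubkey rather than as a silent mismatch.

```shell
#!/bin/sh
# Added example: check that the tpm2-pkcs11 key whose PIN was changed is
# the key OpenSSH actually uses. Not part of the tpm2-tools/tpm2-pkcs11 code.
set -eu

# Assumption: module path defaults to the one given in the issue; override via env.
MODULE="${MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"

# Dump the token's public key for a CKA_ID as DER (SubjectPublicKeyInfo).
# A failed C_Login makes pkcs11-tool exit non-zero, which set -e propagates.
dump_token_pubkey() {
    pubid="$1"; pin="$2"; out="$3"
    pkcs11-tool --module "$MODULE" --login --read-object --type pubkey \
        --id "$pubid" -p "$pin" > "$out"
}

# Convert an OpenSSH public key file (e.g. sshkey.pub) to PEM.
ssh_pubkey_to_pem() {
    ssh-keygen -e -m PEM -f "$1" > "$2"
}

# Compare a DER file with a PEM file: strip the PEM armour and whitespace,
# then compare against the base64 of the DER bytes. 0 = same key, 1 = differs.
same_pubkey() {
    der="$1"; pem="$2"
    der_b64=$(base64 < "$der" | tr -d '\n')
    pem_b64=$(grep -v -- '-----' "$pem" | tr -d '\n\r ')
    [ -n "$der_b64" ] && [ "$der_b64" = "$pem_b64" ]
}

# Whole check: verify_ssh_key_on_token <pubid> <newpin> <sshkey.pub>
verify_ssh_key_on_token() {
    pubid="$1"; pin="$2"; sshpub="$3"
    tmp=$(mktemp -d)
    dump_token_pubkey "$pubid" "$pin" "$tmp/pub.der"
    ssh_pubkey_to_pem "$sshpub" "$tmp/sshpub.pem"
    if same_pubkey "$tmp/pub.der" "$tmp/sshpub.pem"; then
        echo "OK: token key $pubid matches $sshpub"
        rm -rf "$tmp"
        return 0
    fi
    echo "MISMATCH: token key $pubid is not the key in $sshpub" >&2
    rm -rf "$tmp"
    return 1
}
```

Run it as `. ./check.sh; verify_ssh_key_on_token <pubid> <newpin> ~/.ssh/sshkey.pub` after tpm2_ptool listobjects has given you the pubid; an exit from dump_token_pubkey before any comparison means the login itself failed and the PIN question is still open, while a MISMATCH means the ssh client is simply using a different key.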

@gtellalov (Author)

It looks like my database is corrupted. The pkcs11-tool command exits with:

error: PKCS11 function C_Login failed: rv = CKR_OPERATION_NOT_INITIALIZED (0x91)
Aborting.

It works on a fresh database. Is there any way I can trace this error? Here is an strace log: http://0x0.st/8zsE.txt
