我对这些技术相对陌生,我对如何处理当前面临的错误消息感到有点迷失。
为了正确起见,我有一个运行 Linux 5.10 的嵌入式系统,我尝试在该系统上与 TPM2.0 芯片(Infineon SLB9670)进行通信。我可以使用每个 tpm2 高级库,并且它运行得很好(tpm2-tss、tpm2-abrmd、tmp2-tools、tpm2-openssl、tpm2-pkcs11)。
问题是,我现在尝试使用 OpenSSL 3.2.2 使用我在 TPM2.0 上的 PKCS11 实现的插槽 1 上生成的 rsa 密钥来签署文件。
这是我生成密钥的插槽:
# pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so -L
Available slots:
Slot 0 (0x1): test token
token label : test token
token manufacturer : Infineon
token model : SLM9670
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.38
firmware version : 13.11
serial num : 0000000000000000
pin min/max : 0/128
Slot 1 (0x2):
token state: uninitialized
还有钥匙本身:
# pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so --slot=1 --login --pin=testuserpin --list-objects
Public Key Object; RSA 2048 bits
label: rsakey
Usage: encrypt, verify
Access: local
Private Key Object; RSA
label: rsakey
Usage: decrypt, sign
Access: sensitive, always sensitive, never extractable, local
Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA1-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
现在,我尝试使用以下命令使用 OpenSSL 和来自 TPM 上 PKCS11 实现的私钥来签署证书:
# OPENSSL_CONF=$HOME/tpm2-pkcs11.openssl.conf openssl pkeyutl -provider tpm2 -sign -inkey 'pkcs11:slot-id=1;type=private;object=rsakey' -in data.txt -out data.sig
tpm2-pkcs11.openssl.conf 如下所示:
openssl_conf = openssl_init
[openssl_init]
providers = provider_section
[provider_section]
pkcs11 = pkcs11_section
[pkcs11_section]
module = /usr/lib/libtpm2_pkcs11.so
[ req ]
distinguished_name = req_dn
string_mask = utf8only
utf8 = yes
[ req_dn ]
commonName = Sample Config
当我输入命令时,说openssl找不到任何私钥可以使用:
Could not open file or uri for loading private key from pkcs11:token=test token;slot-id=1;type=private;object=rsakey;pin-value=testuserpin
0023F1B6:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:263:calling stat(pkcs11:token=test token;slot-id=1;type=private;object=rsakey;pin-value=testuserpin)
0023F1B6:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:360:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
pkeyutl: Error initializing context
好吧,你已经拥有了一切......希望有人能在这件事上启发我^^
参见
man provider-pkcs11 openssl.cnf:
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/vendor_pkcs11.so
pkcs11-module-token-pin = /etc/ssl/pinfile.txt
activate = 1
正如您在
module您可以在这里找到 pkcs11-provider 项目:https://github.com/latchset/pkcs11-provider。您可以使用
sudo yum install pkcs11-provider您必须提供 libtpm2_pkcs11.so 的路径,而不是在
modulepkcs11-module-path