Mailing List Archive

pinentry fails for tpm protected key
When I have "Save in password manager" selected, pinentry fails to work at all for my tpm protected private key. The error I get is: The value for attribute 'keygrip' was not a valid UTF-8 string.

If I do not have "Save in password manager" selected, it works fine.

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: pinentry fails for tpm protected key
On Fri, 2021-12-24 at 13:17 -0700, Joshua Rubin via Gnupg-devel wrote:
> When I have "Save in password manager" selected, pinentry fails to
> work at all for my tpm protected private key. The error I get is: The
> value for attribute 'keygrip' was not a valid UTF-8 string.
>
> If I do not have "Save in password manager" selected, it works fine.

I think you're going to have to be a lot more specific. I use gpg-agent
with pinentry and tpm keys and it works fine for me on openSUSE and
gpg-2.3.4.

James



Re: pinentry fails for tpm protected key
> I think you're going to have to be a lot more specific. I use gpg-agent
> with pinentry and tpm keys and it works fine for me on openSUSE and
> gpg-2.3.4.

I'm using gpg-2.3.4 and pinentry 1.2.0. I _only_ have this issue when I select that I want to save the passphrase in the keyring, it works otherwise (which I think is what it sounds like you are doing). Happy to provide any other useful details, just not sure what you might need.

Re: pinentry fails for tpm protected key
On Mon, 2021-12-27 at 14:46 -0700, Joshua Rubin via Gnupg-devel wrote:
> > I think you're going to have to be a lot more specific. I use gpg-agent
> > with pinentry and tpm keys and it works fine for me on openSUSE and
> > gpg-2.3.4.
>
> I'm using gpg-2.3.4 and pinentry 1.2.0. I _only_ have this issue when
> I select that I want to save the passphrase in the keyring, it works
> otherwise (which I think is what it sounds like you are doing). Happy
> to provide any other useful details, just not sure what you might
> need.

Based on this, my best guess is that whatever is on the other end of
libsecret doesn't like binary key grips. There's no harm in converting
them all to ASCII, does this fix your problem?

James

---

From 7af7213246a7cf085cdf42d1f79abf0d6333ed30 Mon Sep 17 00:00:00 2001
From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: Wed, 29 Dec 2021 11:58:16 -0500
Subject: [PATCH] agent: always use hexgrip when storing key password

The current code uses the binary ctrl->keygrip, but all the passphrase
storage engines expect this to be a string, so convert the binary
keygrip to a hex one before passing it in as the keyid. This fixes a
crash seen in some libsecret implementations where a non-ascii keyid
isn't well handled.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
agent/call-tpm2d.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/agent/call-tpm2d.c b/agent/call-tpm2d.c
index 6fae5d85a..1048c7d63 100644
--- a/agent/call-tpm2d.c
+++ b/agent/call-tpm2d.c
@@ -141,14 +141,17 @@ agent_tpm2d_writekey (ctrl_t ctrl, unsigned char **shadow_info,
static gpg_error_t
pin_cb (ctrl_t ctrl, const char *prompt, char **passphrase)
{
- *passphrase = agent_get_cache (ctrl, ctrl->keygrip, CACHE_MODE_USER);
+ char hexgrip[2*KEYGRIP_LEN + 1];
+
+ bin2hex (ctrl->keygrip, KEYGRIP_LEN, hexgrip);
+ *passphrase = agent_get_cache (ctrl, hexgrip, CACHE_MODE_USER);
if (*passphrase)
return 0;
return agent_get_passphrase(ctrl, passphrase,
_("Please enter your passphrase, so that the "
"secret key can be unlocked for this session"),
prompt, NULL, 0,
- ctrl->keygrip, CACHE_MODE_USER, NULL);
+ hexgrip, CACHE_MODE_USER, NULL);
}

int
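Review bot: the hex conversion added to pin_cb is repeated verbatim in agent_tpm2d_pksign and agent_tpm2d_pkdecrypt further down; since pin_cb runs as the inquire callback inside those same transactions, one hexgrip computed before the transact (or a small static helper wrapping bin2hex) would serve all three call sites and keep the lookup key and the storage key from ever drifting apart. A sentence for the commit message would also help: by its own description the storage engines treat the key as a string, so the old `agent_get_cache (ctrl, ctrl->keygrip, CACHE_MODE_USER)` handed a non-terminated 20-byte grip to a string API (truncation at an embedded zero byte, or reading past the grip, were both possible), and because the key now changes form, an entry cached under the old binary key before upgrade is simply not found afterwards, which is harmless but non-obvious.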
@@ -160,6 +163,7 @@ agent_tpm2d_pksign (ctrl_t ctrl, const unsigned char *digest,
char line[ASSUAN_LINELENGTH];
membuf_t data;
struct inq_parm_s inqparm;
+ char hexgrip[2*KEYGRIP_LEN + 1];

rc = start_tpm2d (ctrl);
if (rc)
@@ -183,7 +187,10 @@ agent_tpm2d_pksign (ctrl_t ctrl, const unsigned char *digest,
inq_extra, &inqparm,
NULL, NULL);
if (!rc)
- agent_put_cache (ctrl, ctrl->keygrip, CACHE_MODE_USER, inqparm.pin, 0);
+ {
+ bin2hex (ctrl->keygrip, KEYGRIP_LEN, hexgrip);
+ agent_put_cache (ctrl, hexgrip, CACHE_MODE_USER, inqparm.pin, 0);
+ }

xfree (inqparm.pin);

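Review bot: the `if (!rc)` block re-runs bin2hex on ctrl->keygrip even though pin_cb already derived the same hexgrip during this assuan_transact via inq_extra; computing hexgrip once before the transact and sharing it (for instance through the inqparm struct, which would need a new field) removes the second conversion and the extra stack buffer, and collapses the new three-line block back to a single `agent_put_cache (ctrl, hexgrip, CACHE_MODE_USER, inqparm.pin, 0);`. Caching only on success is the right choice and should stay.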
@@ -208,6 +215,7 @@ agent_tpm2d_pkdecrypt (ctrl_t ctrl, const unsigned char *cipher,
char line[ASSUAN_LINELENGTH];
membuf_t data;
struct inq_parm_s inqparm;
+ char hexgrip[2*KEYGRIP_LEN + 1];

rc = start_tpm2d (ctrl);
if (rc)
@@ -231,7 +239,10 @@ agent_tpm2d_pkdecrypt (ctrl_t ctrl, const unsigned char *cipher,
inq_extra, &inqparm,
NULL, NULL);
if (!rc)
- agent_put_cache (ctrl, ctrl->keygrip, CACHE_MODE_USER, inqparm.pin, 0);
+ {
+ bin2hex (ctrl->keygrip, KEYGRIP_LEN, hexgrip);
+ agent_put_cache (ctrl, hexgrip, CACHE_MODE_USER, inqparm.pin, 0);
+ }

xfree (inqparm.pin);

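Review bot: this hunk is byte-for-byte the pksign one above; if the two stay separate, at least route both through one static helper so that any later change to the cache-key format (a prefix to mark TPM-backed keys, say) happens in one place rather than three. The buffer size `2*KEYGRIP_LEN + 1` does leave room for the terminating NUL that bin2hex writes, so the buffer itself is fine.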
--
2.26.2



Re: pinentry fails for tpm protected key
> Based on this, my best guess is that whatever is on the other end of
> libsecret doesn't like binary key grips. There's no harm in converting
> them all to ASCII, does this fix your problem?

That seems to get things set in the 3rd party password cache now. However, I'm now receiving this error:

Dec 29 22:49:53 balerion gpg-agent[3755873]: WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
Dec 29 22:49:53 balerion gpg-agent[3755873]: ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5)
Dec 29 22:49:53 balerion gpg-agent[3755873]: TPM2_Sign failed with 469
Dec 29 22:49:53 balerion gpg-agent[3755873]: tpm:parameter(1):structure is the wrong size
Dec 29 22:49:53 balerion gpg-agent[3755447]: smartcard signing failed: Card error
Dec 29 22:49:53 balerion gpg-agent[3755447]: command 'PKSIGN' failed: Card error

And the gpg command itself says (for a sign only op):

gpg: signing failed: Card error
-----BEGIN PGP MESSAGE-----

gpg: signing failed: Card error

And for sign+encrypt (it does output some data on stdout):
gpg: [stdin]: sign+encrypt failed: Card error

Note that encrypt and decrypt operations work fine, it's only the signing key that has the issue (I have 3 separate subkeys, one of each type).

I was able to run `keytotpm` on newly generated keys with the same result. Reverting back to the unpatched gpg did not fix things though. Not sure if this is the same problem.

Thanks

Re: pinentry fails for tpm protected key
On Thu, 2021-12-30 at 00:03 -0700, Joshua Rubin via Gnupg-devel wrote:
> > Based on this, my best guess is that whatever is on the other end
> > of libsecret doesn't like binary key grips. There's no harm in
> > converting them all to ASCII, does this fix your problem?
>
> That seems to get things set in the 3rd party password cache now.
> However, I'm now receiving this error:
>
> Dec 29 22:49:53 balerion gpg-agent[3755873]: WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
> Dec 29 22:49:53 balerion gpg-agent[3755873]: ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5)
> Dec 29 22:49:53 balerion gpg-agent[3755873]: TPM2_Sign failed with 469

I'm afraid I'm not very familiar with the Intel TSS, since my gpg code
always uses the IBM TSS, which gives very verbose error messages, but
this looks like a TPM error.

> Dec 29 22:49:53 balerion gpg-agent[3755873]: tpm:parameter(1):structure is the wrong size

right, TPM_RC_SIZE, which means the digest is the wrong size or the TPM
doesn't understand the digest algorithm ... what digest are you using?

James
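
Decoding the code by hand, as an added example (Python, not part of GnuPG, the IBM TSS or tpm2-tss): the ErrorCode 0x000001d5 and the "failed with 469" line are the same 12-bit TPM_RC, a format-one code whose fields read as parameter 1 and TPM_RC_SIZE, which is exactly what the tpm:parameter(1):structure is the wrong size line says in words. The bit layout follows the TPM_RC definition in TPM 2.0 Library Part 2; the name tables are a subset of the spec's lists, and the tss2 layer numbers in the upper bits are taken from tss2_common.h as I remember them, so treat those as an assumption.

```python
"""Decode TPM 2.0 response codes such as the 0x000001d5 (469) in the thread.

Added example; not GnuPG, IBM TSS or tpm2-tss code.  Bit layout is the
TPM_RC format from TPM 2.0 Library Part 2.  The name tables are a subset of
the spec's lists; unlisted codes are reported by number.
"""

# Format-one error numbers: low six bits, valid only when bit 7 is set.
FMT1_ERRORS = {
    0x01: "TPM_RC_ASYMMETRIC",
    0x02: "TPM_RC_ATTRIBUTES",
    0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE",
    0x05: "TPM_RC_HIERARCHY",
    0x07: "TPM_RC_KEY_SIZE",
    0x0A: "TPM_RC_TYPE",
    0x0B: "TPM_RC_HANDLE",
    0x0E: "TPM_RC_AUTH_FAIL",
    0x12: "TPM_RC_SCHEME",
    0x15: "TPM_RC_SIZE",        # "structure is the wrong size"
    0x1B: "TPM_RC_SIGNATURE",
    0x1C: "TPM_RC_KEY",
    0x1D: "TPM_RC_POLICY_FAIL",
    0x22: "TPM_RC_BAD_AUTH",
}

# Format-zero codes: bit 7 clear, the whole 12-bit value names the code.
FMT0_CODES = {
    0x101: "TPM_RC_FAILURE",
    0x120: "TPM_RC_DISABLED",
    0x126: "TPM_RC_POLICY",
    0x128: "TPM_RC_PCR_CHANGED",
    0x12F: "TPM_RC_AUTH_UNAVAILABLE",
    0x921: "TPM_RC_LOCKOUT",
    0x922: "TPM_RC_RETRY",
}

# tss2 records the originating layer in bits 16..23 (assumption: values as
# in tss2_common.h; 0 means the code came straight from the TPM).
TSS2_LAYERS = {0: "TPM", 7: "ESAPI", 8: "SYS", 9: "MU", 0xA: "TCTI",
               0xB: "RESMGR", 0xC: "RESMGR_TPM"}


def tss2_layer(rc: int) -> str:
    """Name of the tss2 layer that produced rc (the TPM itself for layer 0)."""
    layer = (rc >> 16) & 0xFF
    return TSS2_LAYERS.get(layer, f"layer 0x{layer:02x}")


def decode_tpm_rc(rc: int) -> dict:
    """Split a TPM_RC into format, error name and the parameter/handle/session it blames."""
    code = rc & 0xFFF
    if code == 0:
        return {"format": 0, "name": "TPM_RC_SUCCESS", "number": 0,
                "kind": None, "index": None}
    if code & 0x080:                        # F bit set: format one
        err = code & 0x03F                  # E: error number
        blames_param = bool(code & 0x040)   # P bit: parameter vs handle/session
        n = (code >> 8) & 0xF               # N: which parameter/handle/session
        if blames_param:
            kind, index = "parameter", n
        elif n & 0x8:                       # with P clear, bit 11 selects session
            kind, index = "session", n & 0x7
        else:
            kind, index = "handle", n
        return {"format": 1, "name": FMT1_ERRORS.get(err, f"TPM_RC_FMT1+0x{err:02x}"),
                "number": err, "kind": kind, "index": index}
    kind = "warning" if code & 0x800 else "error"
    return {"format": 0, "name": FMT0_CODES.get(code, f"TPM_RC_0x{code:03x}"),
            "number": code, "kind": kind, "index": None}


def format_rc(rc: int) -> str:
    """Render in the shape of the thread's log line, e.g. 'tpm:parameter(1):TPM_RC_SIZE'."""
    d = decode_tpm_rc(rc)
    where = f"{d['kind']}({d['index']})" if d["index"] is not None else (d["kind"] or "ok")
    return f"{tss2_layer(rc).lower()}:{where}:{d['name']}"


if __name__ == "__main__":
    for rc in (0x000001d5, 469, 0x9A2, 0x921):
        print(f"0x{rc:08x} -> {format_rc(rc)}")
```

The parameter index is the position in the command's parameter list, so parameter 1 of TPM2_Sign is the digest; with TPM_RC_SIZE that points at a digest whose length does not match the hash the key's signing scheme expects, which is the question James asks next.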



Re: pinentry fails for tpm protected key
> right, TPM_RC_SIZE, which means the digest is the wrong size or the TPM
> doesn't understand the digest algorithm ... what digest are you using?

Oh, I was messing with that the other day... thanks for the reminder. I pretty much gave up in frustration with that effort. Is there any way I can check to see what digest is actually being used by a key?

My config has these lines, so I'm certain it's SHA512, but finding a way to actually see this info would be immensely useful.

personal-digest-preferences SHA512
digest-algo SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

Any error that suggests that this is the issue would be much more helpful than what I found.

Also, is there any way to find out what algos the tpm supports?

Thanks again, I know this thread is now very off topic.

Joshua

Re: pinentry fails for tpm protected key
On Thu, 2021-12-30 at 11:16 -0700, Joshua Rubin via Gnupg-devel wrote:
> > right, TPM_RC_SIZE, which means the digest is the wrong size or the
> > TPM doesn't understand the digest algorithm ... what digest are you
> > using?
>
> Oh, I was messing with that the other day... thanks for the reminder.
> I pretty much gave up in frustration with that effort. Is there any
> way I can check to see what digest is actually being used by a key?

Not short of adding a print of digestlen in the code.

>
> My config has these lines, so I'm certain it's SHA512, but finding a
> way to actually see this info would be immensely useful.
>
> personal-digest-preferences SHA512

Pretty much no laptop TPM will support this, so I'd cut that down to
SHA256 which is guaranteed to be supported by every TPM.

> digest-algo SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
>
> Any error that suggests that this is the issue would be much more
> helpful then what I found.
>
> Also, is there any way to find out what algos the tpm supports?

it's listed in the algorithm capabilities. With the IBM TSS, that's

tssgetcapability -cap 0|grep ALG_SHA

James



Re: pinentry fails for tpm protected key
>> Also, is there any way to find out what algos the tpm supports?
>
> it's listed in the algorithm capabilities. With the IBM TSS, that's
>
> tssgetcapability -cap 0|grep ALG_SHA

I was able to figure this out with:
tpm2_getcap algorithms
tpm2_getcap ecc-curves

Thanks for all your help!
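
Putting James's advice (trim the preferences to what the TPM actually implements) and the tpm2_getcap check together, as an added example that is not GnuPG or tpm2-tools code: it parses the YAML-style output of `tpm2_getcap algorithms`, keeps the entries flagged hash: 1, and compares them with the digest names in the gpg.conf lines quoted earlier in this thread, then proposes a personal-digest-preferences line that only names digests the TPM can sign. The capability text is a constructed sample (attributes trimmed) for a TPM with SHA-1/256/384 but no SHA-512, which is the laptop case James describes; the OpenPGP-to-TPM name map and the digest-length table are mine, and the reverse lookup from a printed digestlen to an algorithm name is there for the "add a print of digestlen" route.

```python
"""Check gpg.conf digest preferences against the hashes a TPM 2.0 reports.

Added example; not GnuPG or tpm2-tools code.  SAMPLE_GETCAP is a constructed
sample in the layout `tpm2_getcap algorithms` (tpm2-tools 5.x) prints,
attributes trimmed, for a TPM with SHA-1/256/384 but no SHA-512.  GPG_CONF
holds the lines quoted in this thread.
"""
import re

# gpg.conf digest names -> tpm2-tools names.  None: the TCG algorithm
# registry has no id for it, so no TPM can sign a digest of that type.
OPENPGP_TO_TPM = {
    "MD5": None, "SHA1": "sha1", "RIPEMD160": None, "SHA224": None,
    "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512",
}
# Digest lengths in bytes, for reading a printed digestlen.
DIGEST_BYTES = {"MD5": 16, "SHA1": 20, "RIPEMD160": 20, "SHA224": 28,
                "SHA256": 32, "SHA384": 48, "SHA512": 64}
DIGEST_OPTIONS = ("personal-digest-preferences", "digest-algo",
                  "cert-digest-algo", "default-preference-list")

SAMPLE_GETCAP = """\
rsa:
  value:      0x1
  asymmetric: 1
  hash:       0
  object:     1
sha1:
  value:      0x4
  asymmetric: 0
  hash:       1
  object:     0
sha256:
  value:      0xB
  asymmetric: 0
  hash:       1
  object:     0
sha384:
  value:      0xC
  asymmetric: 0
  hash:       1
  object:     0
"""

GPG_CONF = """\
personal-digest-preferences SHA512
digest-algo SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
"""


def parse_getcap(text):
    """Parse tpm2_getcap output into {alg: {attribute: value}}."""
    table, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*$", line)
        if m:                                   # new top-level algorithm entry
            current = m.group(1)
            table[current] = {}
            continue
        m = re.match(r"^\s+([A-Za-z0-9_]+):\s*(\S+)\s*$", line)
        if m and current is not None:           # indented attribute of it
            table[current][m.group(1)] = m.group(2)
    return table


def tpm_hash_algs(text):
    """Algorithms the TPM flags as hashes (the 'hash: 1' entries)."""
    return {a for a, at in parse_getcap(text).items() if at.get("hash") == "1"}


def parse_gpg_conf(text):
    """{option: [tokens]} for the digest-related gpg.conf options."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] in DIGEST_OPTIONS:
            opts[parts[0]] = parts[1:]
    return opts


def check_digest_prefs(conf_text, getcap_text):
    """Per option, the digests this TPM cannot sign (no TPM id, or not implemented)."""
    supported = tpm_hash_algs(getcap_text)
    report = {}
    for opt, tokens in parse_gpg_conf(conf_text).items():
        names = [t.upper() for t in tokens if t.upper() in OPENPGP_TO_TPM]
        report[opt] = [n for n in names if OPENPGP_TO_TPM[n] not in supported]
    return report


def suggest_digest_prefs(conf_text, getcap_text):
    """personal-digest-preferences restricted to TPM-supported digests, in the
    order the existing default-preference-list gives them."""
    supported = tpm_hash_algs(getcap_text)
    opts = parse_gpg_conf(conf_text)
    src = opts.get("default-preference-list") or opts.get("personal-digest-preferences", [])
    kept = [t.upper() for t in src if OPENPGP_TO_TPM.get(t.upper()) in supported]
    return "personal-digest-preferences " + " ".join(kept)


def digest_for_length(nbytes):
    """Reverse lookup for a printed digestlen, e.g. 64 -> ['SHA512']."""
    return sorted(n for n, size in DIGEST_BYTES.items() if size == nbytes)


if __name__ == "__main__":
    print("TPM hashes:", sorted(tpm_hash_algs(SAMPLE_GETCAP)))
    for opt, bad in check_digest_prefs(GPG_CONF, SAMPLE_GETCAP).items():
        print(f"{opt}: unsupported {bad}" if bad else f"{opt}: ok")
    print(suggest_digest_prefs(GPG_CONF, SAMPLE_GETCAP))
```

Against the sample every SHA512 line in the quoted config is flagged, and SHA224 is flagged too because TPM 2.0 has no algorithm id for it regardless of what the chip implements; the suggested line becomes SHA384 SHA256, which keeps the stronger digest first while matching what a TPM2_Sign with this key can actually accept. Non-digest tokens (AES256, BZIP2 and so on) are left alone since they never reach the TPM.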