[gnutls-devel] GnuTLS | certtool creating authentication failures with TPM 1.2 when TPM SRK uses a password (#601)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Nov 1 21:32:56 CET 2018

New Issue was created.

Issue 601: https://gitlab.com/gnutls/gnutls/issues/601
Author:    Stefan Berger

tpmtool currently requires that a user has a TPM 1.2 SRK password set since it doesn't support the 'well known' SRK password of 20 zero bytes. So if one sets the TPM 1.2 SRK password to a 'string' password, certtool will cause unnecessary authentication failures when trying to talk to the TPM via the tcsd since it will be using the well know SRK password of 20 zero bytes first (certtool seems to support this). The problem with the TPM 1.2 is that it locks down after too many authentication failures and the owner has to send a command to reset it. While we cannot prevent the lock-down entirely (user can always pass a wrong password), we could at least try to minimize the number of failures. So at the moment certtool seems to first try the 'well known' password (which causes an authentication failure) and then prompt the user for the SRK password. 

Suggestion for forcing certtool to use the SRK password given by user:

  GNUTLS_SRK_PASSWORD=foo certtool ...   # use foo as SRK password on first try

For reference, I posted a patch to the TPM 1.2 Trousers mailing list here that describes the issue and fixes a similar issue in tcsd client: https://sourceforge.net/p/trousers/mailman/message/36444514/

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/601
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181101/b3da7a61/attachment.html>

More information about the Gnutls-devel mailing list