Bug#945295: Unnecessary "invalid attribute length" and "failed to fetch key" warnings with libsimple-tpm-pk11.so
On Fri, Nov 22, 2019 at 06:08:01PM +0100, Didier 'OdyX' Raboud wrote:
> For some time now, ssh (openssh-client) unnecessarily warns for:
>
> > invalid attribute length
> > failed to fetch key
>
> when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.
>
> Relevant lines from a verbose connection:
>
> $ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
> …
> debug1: Connecting to (…)
> debug1: Connection established.
> debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
> debug1: provider libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
> debug1: have 1 keys
> invalid attribute length
> failed to fetch key
> …
> debug1: Will attempt key: libsimple-tpm-pk11.so RSA SHA256:(xxx-hash-of-my-tpm-key-xxx) token
> …
>
> This was initially reported at https://github.com/ThomasHabets/simple-tpm-pk11/issues/48,
> and brought to Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832,
> which fixed it.
I haven't looked very far into this yet, but as far as I can tell that
Fedora bug is *not* the same thing. Fedora carries a patch set that
asks for the CKA_LABEL attribute, and that bug was because it was
(apparently incorrectly) requiring that attribute to have non-zero
length.
However, Debian does not carry that patch. If you're seeing these
errors in the RSA case, it's because at least one of CKA_MODULUS or
CKA_PUBLIC_EXPONENT is coming back as empty.
--
Colin Watson [cjwatson@debian.org]
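An added illustration (not code from OpenSSH or simple-tpm-pk11) of the condition Colin describes: a mock PKCS#11 token whose RSA key reports CKA_PUBLIC_EXPONENT with zero length, and a fetch routine that does the usual two-pass C_GetAttributeValue query and refuses a zero-length modulus or exponent the way ssh's "invalid attribute length" path does. The type definitions, constants and key bytes are constructed stand-ins, not the real pkcs11.h or a real token.

```c
/* Added illustration, not code from OpenSSH or simple-tpm-pk11: a mock PKCS#11 token
 * with one RSA key, and a fetch that queries CKA_MODULUS / CKA_PUBLIC_EXPONENT in two
 * passes and rejects a zero-length value (the condition behind the warning above). */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;   /* minimal stand-ins for the pkcs11.h definitions */
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_MODULUS = 0x120, CKA_PUBLIC_EXPONENT = 0x122, CKR_OK = 0, CKR_ATTRIBUTE_TYPE_INVALID = 0x12 };

/* Constructed token contents: a 256-byte modulus stand-in and an exponent whose
 * reported length is adjustable, so length 0 reproduces the empty-attribute case. */
static unsigned char mock_modulus[256] = { 0xC1 };
static unsigned char mock_exponent[3] = { 0x01, 0x00, 0x01 };
static CK_ULONG mock_exp_len = sizeof mock_exponent;

/* Mimics C_GetAttributeValue: with pValue NULL it only reports each value's size. */
static CK_ULONG mock_GetAttributeValue(CK_ATTRIBUTE *t, CK_ULONG n) {
    for (CK_ULONG i = 0; i < n; i++) {
        const void *src; CK_ULONG len;
        if (t[i].type == CKA_MODULUS) { src = mock_modulus; len = sizeof mock_modulus; }
        else if (t[i].type == CKA_PUBLIC_EXPONENT) { src = mock_exponent; len = mock_exp_len; }
        else return CKR_ATTRIBUTE_TYPE_INVALID;
        if (t[i].pValue != NULL && t[i].ulValueLen >= len) memcpy(t[i].pValue, src, len);
        t[i].ulValueLen = len;
    }
    return CKR_OK;
}

/* Returns 0 when both attributes come back non-empty, -1 otherwise. */
static int fetch_rsa_pubkey(void) {
    CK_ATTRIBUTE attribs[2] = { { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 } };
    unsigned char mod[512], pexp[512];
    if (mock_GetAttributeValue(attribs, 2) != CKR_OK) return -1;        /* pass 1: sizes */
    if (attribs[0].ulValueLen == 0 || attribs[1].ulValueLen == 0) {
        fprintf(stderr, "invalid attribute length\n");               /* what ssh reports */
        return -1;
    }
    if (attribs[0].ulValueLen > sizeof mod || attribs[1].ulValueLen > sizeof pexp) return -1;
    attribs[0].pValue = mod; attribs[1].pValue = pexp;
    return mock_GetAttributeValue(attribs, 2) == CKR_OK ? 0 : -1;     /* pass 2: values */
}

/* Runs the fetch against a token whose exponent reports the given length (0..3). */
int fetch_with_exponent_len(CK_ULONG exp_len) {
    mock_exp_len = exp_len > sizeof mock_exponent ? sizeof mock_exponent : exp_len;
    return fetch_rsa_pubkey();
}
```

A provider that returns a non-zero length for both attributes goes through the second pass cleanly; only an empty value trips the check.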