Control: tags -1 upstream
Control: close -1

On Mon, 10 Jun 2024 11:04:50 +0100 Anton Ivanov <anton.iva...@cambridgegreys.com> wrote:
> Package: tpm2-openssl
> Version: 1.1.1-1
> Severity: important
>
> In order to use tpm to store TLS keys, the key type must be usable for TLS. If
> the ecc algo family cannot be used, this has to be RSA-PSS. RSA-PSS keys can be
> created with tpm2-tools and appear to function correctly outside openssl. Trying
> to generate an openssl cert request with invalid padding.
>
> How to reproduce:
>
> tpm2_createek -G rsa -c ek_pss.ctx
> tpm2_createak -C ek_pss.ctx -G rsa -g sha256 -s pss -c ak_ecc.ctx
> tpm2_evictcontrol -c ak_ecc.ctx 0x81000001
> OPENSSL_CONF=./openssl.cnf openssl req -provider tpm2 -provider default \
> -propquery '?provider=tpm2' -key handle:0x81000001 -out testcsr.pem -new
>
> The resulting csr has invalid padding (200+ bytes instead of 32) and is rejected
> if passed to a CA

There are no patches in Debian, please test this again in
unstable/testing, and if it is still a problem report this upstream:

https://github.com/tpm2-software/tpm2-openssl/issues

-- 
Kind regards,
Luca Boccassi
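
An added example, not part of the original messages or of tpm2-openssl: a standard-library Python check that reads the RSASSA-PSS saltLength from a DER-encoded CSR, so the value can be inspected before the request is sent to a CA. It assumes the report's "200+ bytes instead of 32" refers to that field; `der` and `sample_csr` are hypothetical helpers that build a constructed skeleton request, not output of the commands quoted above.

```python
# Added example: read the RSASSA-PSS saltLength from a DER-encoded CSR.
RSASSA_PSS_OID = bytes.fromhex("2a864886f70d01010a")  # 1.2.840.113549.1.1.10

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pss_salt_length(csr_der):
    """saltLength of the CSR's signatureAlgorithm, or None if not RSASSA-PSS."""
    _, body, _ = read_tlv(csr_der, 0)
    parts = children(body)         # requestInfo, signatureAlgorithm, signature
    alg = children(parts[1][1])    # OID, optional parameters
    if alg[0] != (0x06, RSASSA_PSS_OID):
        return None
    salt = 20                      # DER DEFAULT when [2] is absent (RFC 4055)
    if len(alg) > 1:
        for tag, val in children(alg[1][1]):
            if tag == 0xA2:        # [2] EXPLICIT saltLength INTEGER
                salt = int.from_bytes(read_tlv(val, 0)[1], "big")
    return salt

def salt_matches_digest(csr_der, digest_len=32):
    """True when the CSR is PSS-signed and saltLength equals digest_len."""
    return pss_salt_length(csr_der) == digest_len

def der(tag, content=b""):
    """Hypothetical test-data helper: encode one short (<128 byte) element."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def sample_csr(salt_len):
    """Constructed skeleton: empty request info, PSS algorithm, dummy signature."""
    integer = der(0x02, salt_len.to_bytes(salt_len.bit_length() // 8 + 1, "big"))
    alg = der(0x30, der(0x06, RSASSA_PSS_OID) + der(0x30, der(0xA2, integer)))
    return der(0x30, der(0x30) + alg + der(0x03, b"\x00"))
```

A real request has to be DER-encoded first (for example with `openssl req -in testcsr.pem -outform DER`) before its bytes are passed to `pss_salt_length`.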