diff --git a/test/integration/scripts/create_pkcs_store.sh b/test/integration/scripts/create_pkcs_store.sh
index 4b699e8e..a5e6beed 100755
--- a/test/integration/scripts/create_pkcs_store.sh
+++ b/test/integration/scripts/create_pkcs_store.sh
@@ -143,6 +143,8 @@ echo "Adding 1 x509 Certificate under token \"label\""
 # Build an OpenSSL config file
 #
 modpath=$(echo /workspace/tpm2-pkcs11/*/src/.libs/libtpm2_pkcs11.so)
+modpath=$(echo $modpath | sed s/'\*\/'/''/)
+
 osslconf="$TPM2_PKCS11_STORE/ossl.cnf"
 cat << EOF > "$osslconf"
 openssl_conf = openssl_init
diff --git a/tools/tpm2_pkcs11/commandlets_keys.py b/tools/tpm2_pkcs11/commandlets_keys.py
index 2d1acf52..34c074d8 100644
--- a/tools/tpm2_pkcs11/commandlets_keys.py
+++ b/tools/tpm2_pkcs11/commandlets_keys.py
@@ -22,6 +22,7 @@ from .utils import get_ec_params
 from .utils import asn1_format_ec_point_uncompressed
 from .utils import list_dict_from_kvp
+from .utils import str2bytes
 from .tpm2 import Tpm2
@@ -523,7 +524,7 @@ def __call__(self, args):
         # rather than use pycryptography x509 parser, which gives native type access to certficiate
         # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them
-        with open(certpath, "rb") as f:
+        with open(certpath, "r") as f:
             substrate = pem.readPemFromFile(f)
             cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
@@ -536,12 +537,18 @@ def __call__(self, args):
         d = derenc.encode
         bercert = b(cert)
+        hexbercert = h(bercert).decode()
         # the CKA_CHECKSUM value is the first 3 bytes of a sha1hash
         m = hashlib.sha1()
         m.update(bercert)
         bercertchecksum = m.digest()[0:3]
-        bercertchecksum = h(bercertchecksum)
+        hexbercertchecksum = h(bercertchecksum).decode()
+
+        subj = c['subject']
+        hexsubj=h(d(str2bytes(subj))).decode()
+
+        hexkeylabel = h(str2bytes(keylabel)).decode()
         attrs = [
             { CKA_CLASS : CKO_CERTIFICATE },
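Review bot: The added `sed` line only has an effect when the glob on the line above matched nothing, since bash then leaves the pattern literal and `echo` prints the `*/` unchanged; rewriting the string afterwards presumably yields a second candidate path, but it silently masks a missing build of libtpm2_pkcs11.so instead of reporting it. The unquoted `$modpath` inside `echo $modpath` is also re-split and re-globbed on its way through the pipeline. A check that fails loudly is more robust here: keep the glob assignment and follow it with `[ -f "$modpath" ] || { echo "libtpm2_pkcs11.so not found at $modpath" >&2; exit 1; }`, adding an explicit alternative path only if a second layout really has to be supported.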
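Review bot: `with open(certpath, "r") as f:` switches the PEM read to text mode without recording why, so the next reader has no reason not to restore "rb"; the likely motivation is that `pem.readPemFromFile` compares each line against str begin/end markers and never matches bytes lines on Python 3, but that is inferred, not visible here. A short comment on the `with` line would settle it, e.g. `# text mode: readPemFromFile matches str PEM markers, so bytes lines never parse on Python 3`. Text mode also means the file is decoded with the locale default encoding, which is fine for the ASCII that PEM is defined as but worth stating in the same comment. `__call__` starts before this hunk and continues past it.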
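Review bot: `hexsubj=h(d(str2bytes(subj))).decode()` passes the subject through `str2bytes` before handing it to the DER encoder, and that wrapper does not look right either way: if `c['subject']` is the pyasn1 Name the old code passed straight to `d` (and the "DER encoded subject" comment on the attribute implies), `str2bytes` is a no-op, and if it were ever a `str`, the encoder would receive raw bytes with no ASN.1 type and could not produce a Name from them. `c` is assigned outside the hunk, so which of the two holds is inferred. Dropping the wrapper and spacing the assignment like its neighbours, `hexsubj = h(d(subj)).decode()`, makes the intent plain; if a str really can arrive here, it needs an `asn1Spec`, not a bytes conversion. `__call__` starts before this hunk and continues after the `attrs` list.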
@@ -550,7 +557,7 @@ def __call__(self, args):
             { CKA_CERTIFICATE_CATEGORY: CK_CERTIFICATE_CATEGORY_UNSPECIFIED },
             # The value of this attribute is derived by taking the first 3 bytes of the CKA_VALUE
             # field.
-            { CKA_CHECK_VALUE: bercertchecksum },
+            { CKA_CHECK_VALUE: hexbercertchecksum },
             # Start date for the certificate (default empty)
             { CKA_START_DATE : "" },
             # End date for the certificate (default empty)
@@ -559,15 +566,15 @@ def __call__(self, args):
             # contained in this certificate (default empty)
             { CKA_PUBLIC_KEY_INFO : "" },
             # DER encoded subject
-            { CKA_SUBJECT : h(d(c['subject'])) },
+            { CKA_SUBJECT : hexsubj },
             # "label of keypair associated, default empty
-            { CKA_LABEL : h(keylabel) },
+            { CKA_LABEL : hexkeylabel },
             # der encoding of issuer, default empty
             { CKA_ISSUER : '' },
             # der encoding of the cert serial, default empty
             { CKA_SERIAL_NUMBER : '' },
             # BER encoding of the certificate
-            { CKA_VALUE : h(bercert) },
+            { CKA_VALUE : hexbercert },
             # RFC2279 string to URL where cert can be found, default empty
             { CKA_URL : '' },
             # hash of pub key subj, default empty
@@ -616,7 +623,7 @@ def get_id_by_label(tobj, keylabel):
     for a in attrs:
         if str(CKA_LABEL) in a:
-            x = binascii.unhexlify(a[str(CKA_LABEL)])
+            x = binascii.unhexlify(a[str(CKA_LABEL)]).decode()
             if x == keylabel:
                 return a[str(CKA_LABEL)]
diff --git a/tools/tpm2_pkcs11/utils.py b/tools/tpm2_pkcs11/utils.py
index 20a6ce7f..3082417a 100644
--- a/tools/tpm2_pkcs11/utils.py
+++ b/tools/tpm2_pkcs11/utils.py
@@ -12,6 +12,10 @@ if sys.version_info.major < 3:
     input = raw_input
+def str2bytes(s):
+    if isinstance(s, str):
+        return s.encode()
+    return s
 # The delimiter changes based on nesting level to make parsing easier. We assume one key-value entry per line
 # where a key can have N KVPs as a CSV.
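Review bot: `x = binascii.unhexlify(a[str(CKA_LABEL)]).decode()` assumes every CKA_LABEL held in the store is valid UTF-8; one entry that is not (written by another tool, or hand-edited) raises `UnicodeDecodeError` and aborts the whole lookup rather than simply not matching. Comparing as bytes avoids the decode entirely and accepts either a str or a bytes `keylabel`: `x = binascii.unhexlify(a[str(CKA_LABEL)])` followed by `if x == str2bytes(keylabel):`, using the `str2bytes` this commit already imports into the module. `get_id_by_label` begins before this hunk, so the origin of `attrs` is not visible here.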
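Review bot: `str2bytes` has no docstring and its Python 2 behaviour is the reverse of what the name promises: on Python 2 `str` is the byte-string type, so `isinstance(s, str)` is true for data that is already bytes and `s.encode()` then implicitly decodes it as ASCII before re-encoding, while a `unicode` value falls through and is returned un-encoded. This file still carries a Python 2 shim (`input = raw_input` at the top of the hunk), so the version-independent test is for `bytes`: `if isinstance(s, bytes): return s` then `return s.encode('utf-8')`, which is a no-op for bytes on both versions and encodes text on both. A one-line docstring such as `"""Return s as bytes: text is UTF-8 encoded, bytes pass through unchanged."""` would also document the encoding that `get_id_by_label` later relies on when it decodes.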