
X509_verify gives error "tpm2::cannot duplicate context" on Windows #72

Closed
philippun1 opened this issue May 22, 2023 · 3 comments

@philippun1

Hi,

if I try to verify an X509 certificate with the tpm2 provider I get the following error output:

PROVIDER INIT
Loaded tpm2 provider
Loaded default provider
DER DECODER DECODE
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 85
SIGN DIGEST_INIT rsa MD=SHA256
SIGN DIGEST_START
SIGN DIGEST_UPDATE
ERROR:esys:api\Esys_ContextSave.c:251:Esys_ContextSave_Finish() Received a non-TPM Error
ERROR:esys:api\Esys_ContextSave.c:92:Esys_ContextSave() Esys Finish ErrorCode (0x80280400)
ERROR:esys:esys_iutil.c:1218:iesys_check_sequence_async() Esys called in bad sequence.
ERROR:esys:api\Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x00070007)
verify x509 failed: error:40000013:tpm2::cannot duplicate context
RSA FREE
ERROR:esys:esys_iutil.c:1218:iesys_check_sequence_async() Esys called in bad sequence.
ERROR:esys:api\Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x00070007)

There is no difference if I use a certificate created programmatically or via openssl.exe. I use the following command to create my certificate:
openssl req -provider-path . -provider tpm2 -provider default -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

This is the stack when the error happens:
[screenshot: debugger stack trace]

And this is the exact position in the tpm code, Tss2_Sys_Execute.c line 140 in function Tss2_Sys_ExecuteFinish:
[screenshot: Tss2_Sys_Execute.c, Tss2_Sys_ExecuteFinish]

I have tested the same code in an Ubuntu VM (simulated TPM2) with the tpm2-openssl package and the verify works as expected.

@philippun1
Author

Any tips or hints on where to look so I can debug into this more efficiently? Thanks.

If I do not use the tpm2 provider on the client side, I get a salt length check failure, see #75

@gotthardp
Contributor

gotthardp commented Jun 6, 2023

Please see #38. It seems that Microsoft may be blocking some TPM functions. See here.

@philippun1
Author

Ok, thanks for the info.

The tpm2 provider can just be unloaded to perform the verify and loaded again afterwards, which is fine for my use case. So I will close this issue.
