Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bad TPM OEM certs #4402

Open
osresearch opened this issue May 27, 2020 · 5 comments
Open

Bad TPM OEM certs #4402

osresearch opened this issue May 27, 2020 · 5 comments
Assignees
@rpsqrd
Labels
Pri2 security-guarded-fabric/tech windows-server/prod

Comments

@osresearch
Copy link

osresearch commented May 27, 2020

Thanks for proving a CAB file with all of the TPM root CAs and OEM intermediate certs. Unfortunately the intermediate files for ST Micro seem to be corrupted? OpenSSL won't process them:

% openssl x509 -inform DER -in "STM TPM EK Intermediate CA 05.crt"
unable to load certificate
140010300105152:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140010300105152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=serialNumber, Type=X509_CINF
140010300105152:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509

asn1parse reports that the serial number is a BAD INTEGER:

% openssl asn1parse -inform DER -in "STM TPM EK Intermediate CA 05.crt"
    0:d=0  hl=4 l= 972 cons: SEQUENCE          
    4:d=1  hl=4 l= 692 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   4 prim: INTEGER           :BAD INTEGER:[00000006]
   19:d=2  hl=2 l=  13 cons: SEQUENCE          
   21:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   32:d=3  hl=2 l=   0 prim: NULL              
   34:d=2  hl=2 l=  74 cons: SEQUENCE          
   36:d=3  hl=2 l=  11 cons: SET               
   38:d=4  hl=2 l=   9 cons: SEQUENCE          
   40:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   45:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CH
   49:d=3  hl=2 l=  30 cons: SET               
   51:d=4  hl=2 l=  28 cons: SEQUENCE          
   53:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   58:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :STMicroelectronics NV
...

Downloading the original version of that cert from GlobalSign (which is linked from STM's TPM EK datasheet) parses fine:

% openssl x509 -inform DER -in stmtpmekint05.crt  -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1073741830 (0x40000006)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Root CA
        Validity
            Not Before: Oct 10 00:00:00 2015 GMT
            Not After : Dec 31 00:00:00 2035 GMT
        Subject: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Intermediate CA 05
...
% openssl asn1parse -inform DER -in stmtpmekint05.crt 
    0:d=0  hl=4 l= 972 cons: SEQUENCE          
    4:d=1  hl=4 l= 692 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   4 prim: INTEGER           :40000006
   19:d=2  hl=2 l=  13 cons: SEQUENCE          
   21:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   32:d=3  hl=2 l=   0 prim: NULL              
   34:d=2  hl=2 l=  74 cons: SEQUENCE          
   36:d=3  hl=2 l=  11 cons: SET               
   38:d=4  hl=2 l=   9 cons: SEQUENCE          
   40:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   45:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CH
   49:d=3  hl=2 l=  30 cons: SET               
   51:d=4  hl=2 l=  28 cons: SEQUENCE          
   53:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   58:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :STMicroelectronics NV
...

Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
@ghost
Copy link

ghost commented Jun 3, 2020

Disclaimer: I am not affiliated with Microsoft or the Microsoft Docs teams.

Thank you for this practical and (hopefully) useful feedback.
Please be patient, it may be a while before the team or the author will have time to post their replies.
Stay safe and well.

@asbaliga
Copy link
Contributor

asbaliga commented Jun 9, 2020

We're currently looking into this issue, please give us a couple of weeks to resolve this. Appreciate your patience!

@ghost
Copy link

ghost commented Jun 9, 2020

Thank you for the update. Happy to see that there is still hope for this to be resolved.

@osresearch
Copy link
Author

osresearch commented Sep 15, 2020

According to this tweet by @ronaig:

Non-conformant intermediate certs have been reissued with updated serial # and can be downloaded from STM website. Old certs are in TrustedTPM cab to support TPMs that reference older intermediate certs.

Will the TrustedTPM.cab be updated to contain the new certs?

@osresearch osresearch mentioned this issue Sep 16, 2020
Open
@vipandra
Copy link

vipandra commented Sep 16, 2020

Yes we will update the TrustedTPM.cab but cant state the exact date/time..

@steved0x steved0x reopened this Oct 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rpsqrd rpsqrd

Labels
Pri2 security-guarded-fabric/tech windows-server/prod
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@steved0x @osresearch @rpsqrd @PRMerger9 @asbaliga @vipandra