Test failure in test_swtpm_setup_create_cert #477

Closed
salahcoronya opened this issue Jun 26, 2021 · 14 comments
Labels: Gentoo (Gentoo Linux); GnuTLS without PKCS11 support (GnuTLS without PKCS11 support doesn't seem to accept GNUTLS_PIN env. variable)

Comments

@salahcoronya

test_swtpm_setup_create_cert seems to fail if pkcs11 isn't enabled for gnutls and gnutls support is enabled. See https://bugs.gentoo.org/798759 . It appears the underlying cause is the "socket" parameter is not getting passed to swtpm when the --tpm option is passed to swtpm_setup .

@stefanberger
Owner

Can you please describe the test environment a bit better using the bug template, especially the versions of relevant components and which version of Gentoo you are using.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:
1.
2.
3.
4.

Expected behavior
A clear and concise description of what you expected to happen.

Desktop (please complete the following information):

  • OS: [e.g.Fedora]
  • Version [e.g. 33]

Versions of relevant components

  • swtpm:
  • libtpms:
  • openssl:
  • gnutls:
  • ...:

Additional context
Add any other context about the problem here.

@salahcoronya
Author

Describe the bug
Test failure in test_swtpm_setup_create_cert

To Reproduce
Steps to reproduce the behavior:
1. Have gnutls emerged without pkcs11 support
2. Emerge app-crypt/swtpm with gnutls and test support

Expected behavior
The test_swtpm_setup_create_cert test passes.

Desktop (please complete the following information):

OS: Gentoo
Version [e.g. 33]

Versions of relevant components

swtpm: 0.6.0
libtpms: 0.8,3
openssl: 1.1.1k
gnutls: 3.7.1

Additional context
See https://bugs.gentoo.org/798759. The environment is a small VM running the current version of Gentoo:

Portage 3.0.20 (python 3.9.5-final-0, default/linux/amd64/17.1, gcc-11.1.0, glibc-2.33, 5.10.38-gentoo-dist x86_64)

System uname: Linux-5.10.38-gentoo-dist-x86_64-Intel_Xeon_E3-12xx_v2_-Ivy_Bridge,_IBRS-with-glibc2.33
KiB Mem: 4024840 total, 1310832 free
KiB Swap: 2097148 total, 2096112 free
Timestamp of repository gentoo: Sat, 26 Jun 2021 23:30:01 +0000
Head commit of repository gentoo: ee0a3af749ed32d85b585a426f4829388f9f84e5
sh bash 5.1_p8
ld GNU ld (Gentoo 2.35.2 p1) 2.35.2
app-shells/bash: 5.1_p8::gentoo
dev-lang/perl: 5.32.1::gentoo
dev-lang/python: 3.9.5_p2::gentoo
dev-lang/rust-bin: 1.52.1::gentoo
dev-util/cmake: 3.18.5::gentoo
sys-apps/baselayout: 2.7::gentoo
sys-apps/openrc: 0.42.1-r1::gentoo
sys-apps/sandbox: 2.24::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake: 1.16.3-r1::gentoo
sys-devel/binutils: 2.35.2::gentoo
sys-devel/gcc: 10.3.0::gentoo, 11.1.0-r1::gentoo
sys-devel/gcc-config: 2.4::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33::gentoo

@stefanberger
Owner

How does one install certtool of GnuTLS on Gentoo?

@salahcoronya
Author

USE="tools"

@stefanberger
Owner

Can you give me the complete emerge command line?

@salahcoronya
Author

USE="tools" emerge -av net-libs/gnutls
Note that just sets it for that one merge, to make it persistent edit or create the /etc/portage/package.use file and enter:
net-libs/gnutls tools

@stefanberger stefanberger added the Gentoo Gentoo Linux label Jun 27, 2021
@stefanberger
Owner

Is this a new problem or did this already occur with swtpm-0.5.x ?

@stefanberger
Owner

stefanberger commented Jun 27, 2021

Here's a script to test the behavior of certtool. Basically Gentoo seems to be the only distro I have come across now (tested swtpm on Ubuntu, Fedora, Alpine, OpenSuSE, Debian, CentOS, (see here), RHEL, Cygwin, DragonFly BSD, NetBSD, OpenBSD) where it seems to need the "2nd choice". So yes, it's a problem with certtool and where it takes passwords depending on what it seems like different compile-time options. I never knew but realized that at some point in the past the behavior had changed. The only choice I see is to test the behavior of certtool and skip tests that rely on this particular behavior and possibly add this to the man page that some functionality may not be available in swtpm-localca, which is the tool that relies on certtool.

```bash
#!/usr/bin/bash

# Create a password-protected root CA key, as swtpm-localca does.
certtool --generate-privkey --outfile rootca.key --password foobar

cat <<_EOF_ > template
cn=swtpm-localca-rootca
ca
cert_signing_key
expiration_days=3600
_EOF_

# 1st choice: hand the key password over via GNUTLS_PIN, the way swtpm-localca does.
GNUTLS_PIN=foobar certtool \
        --generate-self-signed \
        --template template \
        --outfile rootca.crt \
        --load-privkey rootca.key
if [ $? -ne 0 ]; then
        # 2nd choice: pass the password on the command line instead.
        certtool \
        --generate-self-signed \
        --template template \
        --outfile rootca.crt \
        --load-privkey rootca.key \
        --password foobar
        if [ $? -eq 0 ]; then
                echo "2nd choice worked"
        fi
fi
```
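As an added example (not swtpm's own test code), the probe in the script above turned into a reusable function that a test harness could call to skip the tests that depend on GNUTLS_PIN being honoured. CERTTOOL is an assumed override variable (defaulting to `certtool`) so the probe can be pointed at a stub; the template and passwords are constructed values.

```shell
#!/bin/sh
# Added example, not code from the swtpm project: report how this certtool
# build accepts a private-key password so a test script can skip tests that
# rely on GNUTLS_PIN. CERTTOOL is an assumed override (defaults to "certtool").

: "${CERTTOOL:=certtool}"

# certtool_password_mode <password> prints one of:
#   env   - GNUTLS_PIN is honoured (GnuTLS with PKCS11; what swtpm-localca expects)
#   flag  - only --password works (the "2nd choice" seen on Gentoo without PKCS11)
#   none  - neither works, or generating the key itself failed
certtool_password_mode() {
    pw=$1
    dir=$(mktemp -d) || return 1
    mode=none
    {
        # Same template as the issue's script, with a short validity (constructed).
        printf 'cn=probe-rootca\nca\ncert_signing_key\nexpiration_days=1\n' \
            > "$dir/template"
        # Step 1: a password-protected key, as swtpm-localca creates for its CAs.
        # Step 2: try GNUTLS_PIN first, then fall back to --password.
        "$CERTTOOL" --generate-privkey --outfile "$dir/key" --password "$pw" &&
        if GNUTLS_PIN=$pw "$CERTTOOL" --generate-self-signed \
                --template "$dir/template" --load-privkey "$dir/key" \
                --outfile "$dir/crt"; then
            mode=env
        elif "$CERTTOOL" --generate-self-signed --template "$dir/template" \
                --load-privkey "$dir/key" --outfile "$dir/crt" \
                --password "$pw"; then
            mode=flag
        fi
    } >/dev/null 2>&1
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Typical use at the top of a test script; exit status 77 is automake's SKIP.
# if [ "$(certtool_password_mode foobar)" != env ]; then
#     echo "SKIP: certtool ignores GNUTLS_PIN (GnuTLS built without PKCS11)"
#     exit 77
# fi
```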

@salahcoronya
Author

Here's the result:

test-cacert: line 1: /usr/bin/bash: No such file or directory
Assuming PKCS #8 format...
Generating a 3072 bit RSA private key...
Generating a self signed certificate...
error loading file at --load-privkey: rootca.key: Decryption has failed.
Generating a self signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 1039f42414b8b7ae91638fd510672334f9d8d8a8
Validity:
Not Before: Sun Jun 27 04:22:04 UTC 2021
Not After: Tue May 06 04:22:04 UTC 2031
Subject: CN=swtpm-localca-rootca
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (3072 bits)
Modulus (bits 3072):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
9d55467c8b26da5a41197fcfe12a9f84786ad4f6
Other Information:
Public Key ID:
sha1:9d55467c8b26da5a41197fcfe12a9f84786ad4f6
sha256:652ce15c096be92a1eadc640346cb9af30a3b335c016320a5860058ad8fd4bb9
Public Key PIN:
pin-sha256:ZSzhXAlr6SoercZANGy5rzCjszXAFjIKWGAFitj9S7k=

Signing certificate...
2nd choice worked

@stefanberger
Owner

stefanberger commented Jun 27, 2021

I know... Gentoo's certtool behavior is an outlier compared to all the other distros.

The problem is that some of these test cases are trying with 2 passwords, one for the root-ca and another one for the local-ca and there is no way of passing two passwords to certtool when creating the local CA cert and accessing the 2 encrypted/password-protected private keys.

@salahcoronya
Author

I guess the GNUTLS_PIN environment variable is ignored if PKCS11 is disabled. Well, Gentoo already required 1 extra gnutls flag (tools) for this package ANYWAY, and requiring the pkcs11 flag on gnutls only adds 1 extra dependency (app-crypt/p11-kit), so it's not a big deal to require it.

It obviously needs to be enabled for testing, but should net-libs/gnutls[pkcs11] be required for everyone else? It doesn't seem to affect libvirt's provisioning of the TPM. If it's just optional features that few users are going to use that require it, I'll just require net-libs/gnutls[pkcs11] for testing, then anyone who wants to set a password on the root certificate or use a TPM for it can enable it themselves.

@stefanberger
Owner

certtool is needed for creating a local CA (needs to be done only once) unless the user has created one by providing the signing key and certificate. Only very few users will set one up and therefore most will complain that things don't work. So you need to have certtool installed and ideally with pkcs11 support so that it behaves the same way as it does on all the other distros.

@stefanberger stefanberger added the GnuTLS without PKCS11 support GnuTLS without PKCS11 support doesn't seem to accept GNUTLS_PIN env. variable label Jun 29, 2021
@salahcoronya
Author

salahcoronya commented Jul 1, 2021

It's fixed now in Gentoo:

commit 5a5b95ee155f9244cbfd0c5916becbe17e52c620
Author: Christopher Byrne <salah.coronya@gmail.com>
Date:   Sun Jun 27 13:22:36 2021 -0500

app-crypt/swtpm: Require pkcs11 support from gnutls/certtool

Package-Manager: Portage-3.0.20, Repoman-3.0.2
Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
Closes: https://bugs.gentoo.org/798759
Signed-off-by: Sam James <sam@gentoo.org>

@stefanberger
Owner

So it's all working now in Gentoo? If so, can you close this issue?

salahcoronya added a commit to salahcoronya/gentoo that referenced this issue Sep 13, 2023
RDEPEND=net-libs/gnutls[tools,pkcs11] is essentially required for
app-crypt/swtpm. New vTPMs cannot be provisioned without it, and upstream
expects gnutls to have PKCS11 support:
stefanberger/swtpm#477 .

Closes: https://bugs.gentoo.org/913586
Bug: https://bugs.gentoo.org/909754
Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Sep 16, 2023
RDEPEND=net-libs/gnutls[tools,pkcs11] is essentially required for
app-crypt/swtpm. New vTPMs cannot be provisioned without it, and upstream
expects gnutls to have PKCS11 support:
stefanberger/swtpm#477 .

Closes: #32704
Closes: https://bugs.gentoo.org/913586
Bug: https://bugs.gentoo.org/909754
Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
Signed-off-by: Matthias Maier <tamiko@gentoo.org>