Enable using objects with no user PIN #695
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Using password-less SSH keys is a nice feature, which can be achieved in PKCS#11 by not setting `CKF_LOGIN_REQUIRED` in token information. The information whether a PIN is empty or not is stored in a new attribute of the token configuration, named `empty-user-pin`. This attribute is set when `tpm2_ptool addtoken` is used with `--userpin=""` and it is updated when users change their PIN using `tpm2_ptool changepin` or `tpm2_ptool initpin`. In `src/pkcs11.c`, update `auth_min_ro_user` in order to accept using functions such as `C_SignInit` without the user being logged in, when the user PIN is empty. Regarding operations related to the TPM, using no user PIN is implemented as using an empty PIN. So table `sealobjects` is still used to unseal the wrapping key. The main difference between "no PIN" and "a usual PIN" is that an empty string is combined with `userauthsalt` instead of a user PIN. With this change, using OpenSSH client does not prompt for a PIN code, when using a key stored in a token with an empty PIN. Fixes: tpm2-software#629 Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
Codecov Report
@@ Coverage Diff @@
## master #695 +/- ##
==========================================
- Coverage 73.34% 73.16% -0.19%
==========================================
Files 33 33
Lines 8989 9039 +50
==========================================
+ Hits 6593 6613 +20
- Misses 2396 2426 +30
Continue to review full report at Codecov.
|
williamcroberts
approved these changes
Aug 12, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using password-less SSH keys is a nice feature, which can be achieved in PKCS#11 by not setting
CKF_LOGIN_REQUIREDin token information.The information whether a PIN is empty or not is stored in a new attribute of the token configuration, named
empty-user-pin. This attribute is set whentpm2_ptool addtokenis used with--userpin=""and it is updated when users change their PIN usingtpm2_ptool changepinortpm2_ptool initpin.In
src/pkcs11.c, updateauth_min_ro_userin order to accept using functions such asC_SignInitwithout the user being logged in, when the user PIN is empty.Regarding operations related to the TPM, using no user PIN is implemented as using an empty PIN. So table
sealobjectsis still used to unseal the wrapping key. The main difference between "no PIN" and "a usual PIN" is that an empty string is combined withuserauthsaltinstead of a user PIN.With this change, using OpenSSH client does not prompt for a PIN code,
when using a key stored in a token with an empty PIN.
Fixes: #629