-
Notifications
You must be signed in to change notification settings - Fork 449
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Unable to use "tmpkms" on Windows #2014
Comments
@JMyklebust could you try initializing the KMS specifying the C:\Users\herman\.step\tpm>step kms key "tpmkms:name=acme-ca-ver1"
Error: open tpmkms:name=acme-ca-ver1: failed getting key "acme-ca-ver1": not found
exit status 1
C:\Users\herman\.step\tpm>step kms key "tpmkms:name=acme-ca-ver1;storage-directory=C:\Users\herman\.step\tpm"
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWI50jaNFmGn5oYwDMss
C0aoAnFe7ne7VVBjXZoNFmweeBotnN5BjTODbpySn6yZIEEtlZYEDiAPOKVsg4z5
eIidvcCCN3B/JH2n+Vg9Alpcj35N/25Sbq7s+1sqhEAu5CUpqiFjH7ZVaB4EBLkp
dFAR8LdWDjqqeGrcn0FS0hNGex0f/hjC73EjmnYqS0VyQhQlazNznU0zGkRasKiE
4iuUlY01hpuq6on6kwR8uz2iCrzA5xmFZXFDzbA7oRpyzpaiI5agZUPnM8ljTwI+
+/T8UWn2CFR+LScl5otpa1EUtQ44UMD3bv+ttleeHOZSOkemDZf1S8Q0XZi9o1w1
8QIDAQAB
-----END PUBLIC KEY----- In the
If that doesn't work, try specifying the full URI in the Not saying it's not (partially) broken, but it may need a little bit of additional configuration and testing on Windows. That said, if you don't need attestation of the intermediate CA key, you could try our |
Is there a specific reason you need to build with CGo? |
Adding "storage-directory" did work, thanks! "kms": {
"type": "tpmkms",
"uri": "tpmkms:storage-directory=C:/ACMECA/conf/tpm"
} As for why I'm using CGO is because i'm following the documentation here which states you need the CGO version to use the tpm. As for using |
Tested with the regular Windows build of step-ca and tpmkms works fine. Trying something like this does not work.
Edit: For now though |
My bad. It looks like we don't include that in the list of KMS's supported in the CA today: https://github.com/smallstep/certificates/blob/master/cmd/step-ca/main.go#L29-L37. As for the TPMKMS docs: I think that may be a stray copy/paste from the YubiKey and PKCS11 KMS's. Thanks for the pointer 🙂 |
I found another issue though probably slightly outside the scope of the orignal bug report. I'm using shawl as service wrapper and using file based keys works fine as a virtual service account (so i have a working baseline config). Looking at Though it's possible that |
At the moment those additional options only work when
Yes, I think |
I built a custom version of step-ca with adding First I've created a CA cert on the side using other tools (XCA in this case for simplicity during testing). Then I've gone over to trying to create with $CAName = "Test CA"
$KeyName = "acme-ca-ver1"
$TemplatesDir = "C:\ACMECA\conf\templates"
$CertsDir = "C:\ACMECA\conf\certs"
$outputJSON = & C:\ACMECA\bin\step.exe kms create --json --kty RSA --size 2048 "capi:provider=Microsoft Platform Crypto Provider;key=$KeyName"
$ConvertedJSON = $outputJSON | ConvertFrom-Json
# Show output
$ConvertedJSON| fl
# try to use key name
& C:\ACMECA\bin\step.exe certificate create --kms 'capi:' --key "capi:provider=Microsoft Platform Crypto Provider;key=$KeyName" --csr --template "$TemplatesDir\BKCATemplate.tpl" $CAName "$CertsDir\intermediate.csr"
# Try to use key path
& C:\ACMECA\bin\step.exe certificate create --kms 'capi:' --key "$($ConvertedJSON.name)" --csr --template "$TemplatesDir\BKCATemplate.tpl" $CAName "$CertsDir\intermediate.csr" This is the output:
Though at this point it might be better to open an issue over in https://github.com/smallstep/crypto? |
Steps to Reproduce
Using the CGO build on Windows is not working with "tpmkms".
I've build step-ca v0.27.4 with CGO flag on Windows with the help of w64devkit.
I want to secure the certificate key using the TPM so i'm using "tpmkms" (though I would have prefered to use CryptoAPI on Windows tbh).
Some simplification of my actual script for this but I've successfully created the key using the kms module for step-cli
The step.json looks like this (I've cut out the providers to keep it short):
Your Environment
step-ca
Version - v0.27.4 (build with CGO flag)Expected Behavior
Expected step-ca to start sucessfully.
Actual Behavior
step-ca fails to start saying it's unable to find the key.
Additional Context
Interesting side-note, the PowerShell session also crashes shortly after this.
Not sure it's entirely related, but it is consistent.
After step-ca exists, i can press enter twice and the shell crashes.
I'm able to verify the key is working in the kms plugin by running this (which prints the public key).
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: