Re: [pkix] More fun and games with the Trusted Platform Module

Russ Housley <housley@vigilsec.com> Wed, 14 February 2018 17:08 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <3a8caf8a-0273-afd2-dc28-09053c36842e@nthpermutation.com>
Date: Wed, 14 Feb 2018 12:08:53 -0500
Cc: IETF PKIX <pkix@ietf.org>
Message-Id: <E3AB87D0-6957-4C7B-A01F-70265BEDA276@vigilsec.com>
References: <3a8caf8a-0273-afd2-dc28-09053c36842e@nthpermutation.com>
To: Mike StJohns <msj@nthpermutation.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/2HIO4BV6KfgtVDwB_6yuQnF8Fts>
Subject: Re: [pkix] More fun and games with the Trusted Platform Module

So, the INTEGER is not being properly DER encoded before it is stored.  I assume the signature covers the leading zero octet.

Russ


> On Feb 13, 2018, at 8:56 PM, Michael StJohns <msj@nthpermutation.com> wrote:
> 
> Hi -
> 
> I thought I'd pass on a discovered stupidity.   As part of some playing with TPMs I found out that the endorsement certificate for my personal laptop has an invalid encoding.  For some unknown reason, my certificate was mis-encoded with a leading zero byte in the serialNumber field.  My best guess is that the manufacturer is mistakenly treating the serialNumber as an OCTET STRING and just plopping down the serial number of the TPM in the body of the INTEGER.
> 
> Unfortunately, the certificate parsers I'm using barf on this... I'm having to basically write my own code to handle these...
> 
> serial:
> 
> 02 14
> 00 04 8f e6  1d 28 82 d3  cd 48 8a b1  30 b9 4f bc
> 89 28 4b 32
> 
> According to the TPM console, this is an Intel TPM, V2.0, spec 11.8.50.3425.
> 
> I went looking and I have no contacts with Intel in this space - I'd at least like to make them aware they are screwing up in at least one case.  Does anyone have a pointer?
> 
> Thanks - Mike
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
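A small checker for the encoding problem discussed above, added here as an example; it is not code from the thread, from the IETF, or from any TPM vendor. It walks a Certificate down to serialNumber, applies the X.690 8.3.2 minimality rule that the leading 0x00 octet violates (a leading 0x00 is only permitted when the next octet has its high bit set), and shows the minimal encoding of the same value. The Certificate bytes are a constructed skeleton holding only version and serialNumber; the serialNumber contents octets are the ones Mike dumped.

```python
"""Diagnose a non-minimal DER INTEGER in an X.509 serialNumber.

Added example, not code from the pkix thread. The Certificate below is a
hand-built skeleton containing only the version and serialNumber fields,
so that the walker has a realistic structure to parse offline.
"""


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a tag and DER length (single-octet tags only)."""
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos:] and return (tag, contents, end_offset).

    Rejects indefinite and non-minimal lengths, which are BER but not DER;
    the INTEGER check below applies the same minimality principle to values.
    """
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal length octets are not DER")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end


def check_der_integer(contents: bytes):
    """Apply X.690 8.3.2 to INTEGER contents octets.

    A leading 0x00 is only allowed when the next octet has its high bit set,
    and a leading 0xFF only when it is clear. Returns (value, problem), where
    problem is None for valid DER and a description otherwise.
    """
    if not contents:
        return None, "INTEGER with no contents octets"
    value = int.from_bytes(contents, "big", signed=True)
    if len(contents) >= 2:
        if contents[0] == 0x00 and not contents[1] & 0x80:
            return value, "redundant leading 0x00 octet (non-minimal DER)"
        if contents[0] == 0xFF and contents[1] & 0x80:
            return value, "redundant leading 0xFF octet (non-minimal DER)"
    return value, None


def der_integer(value: int) -> bytes:
    """Minimal DER INTEGER TLV for a non-negative value. serialNumber MUST be
    positive per RFC 5280 4.1.2.2, so negative values are rejected here."""
    if value < 0:
        raise ValueError("serialNumber must be positive")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return tlv(0x02, body)


def serial_number_of(cert_der: bytes):
    """Walk Certificate -> tbsCertificate -> serialNumber, skipping the optional
    [0] EXPLICIT version, and return (raw contents, value, problem)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, elem, end = read_tlv(tbs, 0)
    if tag == 0xA0:  # version [0] EXPLICIT is absent in v1 certificates
        tag, elem, end = read_tlv(tbs, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    value, problem = check_der_integer(elem)
    return elem, value, problem


# The serialNumber contents octets exactly as dumped in the thread: 20 octets,
# the first of which is a 0x00 that the second octet (0x04) does not require.
BAD_SERIAL_CONTENTS = bytes.fromhex("00048fe61d2882d3cd488ab130b94fbc89284b32")


def build_skeleton_certificate(serial_contents: bytes) -> bytes:
    """Constructed test input: a v3 Certificate skeleton whose tbsCertificate
    holds only version and serialNumber. The contents octets are written
    verbatim, which is how the mis-encoding in the thread arises."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    tbs = tlv(0x30, version + tlv(0x02, serial_contents))
    return tlv(0x30, tbs)


if __name__ == "__main__":
    raw, value, problem = serial_number_of(build_skeleton_certificate(BAD_SERIAL_CONTENTS))
    print("serialNumber as stored :", raw.hex())
    print("problem                :", problem)
    print("minimal DER TLV        :", der_integer(value).hex())
```

Run stand-alone it reports the redundant octet and prints the 19-octet minimal encoding (tag 02, length 13) of the same value. As Russ notes, the signature is computed over the tbsCertificate octets as issued, so a verifier has to hash the original bytes and must not re-encode before checking the signature; the minimality check is diagnostic, and a parser that chooses to accept such a certificate should compare serial numbers by value, not by the stored octets.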